防止直接访问Wordpress插件中的php文件

Question

I am building a Wordpress plugin that should be used on my site only. I have placed it at the regular place under wp-content/plugins/myPlugin. In that directory I have placed an index.php to prevent directory listing and also hide the fact that there is a directory with the name myPlugin by sending the request to 404-page of wordpress. The code:

include ('../../../wp-load.php');
header("HTTP/1.0 404 Not Found - Archive Empty");
$wp_query->set_404();
require TEMPLATEPATH . '/404.php';
exit;

This though do not hinder anyone from accessing my php file on myurl.com/wp-content/plugins/myPlugin/myPlugin.php. How can I achieve the same 404 for this and other php files in my plugin? It is important to note that these files should be accessible via Wordpress admin though. Maybe wordpress admin sets some global variable when I am accessing a php file via myurl.com/wp-admin/admin.php?page=myPlugin/myPlugin.php ?

Answer 1

Adding to Sammitch's answer, that's what you can use for WordPress:

defined('ABSPATH') or die("Your message here");

ABSPATH is defined in wp-load.php :

/** Define ABSPATH as this file's directory */
define( 'ABSPATH', dirname(__FILE__) . '/' );

Answer 2

Many applications do something like the following in their global header files:

define('_JEXEC', TRUE); // Joomla, btw

So that you can do something like this in files that you don't want executed outside of the application's context:

if( !defined('_JEXEC') ) { die('unatuhorized'); }

But, unfortunately, Wordpress does not seem to do something exactly like this, but it does define a metric butt-ton of other constants like WP_USE_THEMES that you can side-jack for your purposes.

You can also use get_defined_constants() for a listing of what is defined when your plugin runs.