Try adding this code to the first line:
Following Michael Berkowskiโs suggestion, an improved version of the answer would be:
/***************DO NOT ALLOW DIRECT ACCESS************************************/ if ( (strpos( strtolower( $_SERVER[ 'SCRIPT_NAME' ] ), strtolower( basename( __FILE__ ) ) ) ) !== FALSE ) { // NOT FALSE if the script file name is found in the URL header( 'HTTP/1.0 403 Forbidden' ); die( '<h2>Direct access to this page is not allowed.</h2>' ); } /*****************************************************************************/
UPDATE:
/***************DO NOT ALLOW DIRECT ACCESS************************************/ if ( stripos( $_SERVER[ 'REQUEST_URI' ], basename( __FILE__ ) ) !== FALSE ) { // TRUE if the script file name is found in the URL header( 'HTTP/1.0 403 Forbidden' ); die( "<h2>Forbidden! You don't have permission to access this page.</h2>" ); } /*****************************************************************************/
This code can be used to protect files with functions, classes, etc. that are used by other code that do not need to be accessed through the browser. Such as most plugins WP, admin and include files, wp-config.php, functions.php; files for extracting data transmitted by the POST method (not GET), etc.