Home/ Questions/Q 8477619
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-10T18:31:04+00:00

I want to prevent access to the functions file in my WordPress theme. I

  • 0

I want to prevent access to the functions file in my WordPress theme. I thought to hide functions.php by putting it on my server and calling it from the client’s server. Is that a workable solution? Is there a better approach?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This is technically possible if your client’s server has allow_url_include set. However, it’s still a bad idea for four reasons:

    • Speed: opening another HTTP request and waiting for it to complete every time anyone views your client’s site will get slow very fast. It’ll also hammer your site.
    • Security: The PHP file on the remote server (your server, in this case) will need to be printed in plaintext. This could be a bad thing, particularly if you’ve written customized, potentially-insecure code in it. Coincidentally, this also means that your approach won’t actually stop your client from finding out what the script does. There’s also nothing stopping the client from loading the URL of your unprotected script, pasting it into his WordPress directory, and altering the include. Additionally, if your server is ever compromised or someone snatches your domain, they can then inject code onto your client’s server with impunity.
    • Ethics: Unless your client is explicitly made aware of this arrangement, it is unethical because if your business relationship terminates he or she will still be vulnerable to code injection, even after terminating your FTP/SSH/WordPress dashboard access.
    • Reliability: If you do this, any time your site is offline your client’s site will die with a messy error message.

    Re-homing executable code on your server is probably a really bad idea, and while it is absolutely technically possible, there are many compelling reasons why doing things this way are a bad idea.

    If you are trying to protect proprietary code from the client, your only good options are to:

    1. Host his site yourself. This could be profitable down the line if your technology is something that a specialized hosting company could be built around.
    2. Build an API that can grant metered access to your proprietary data or processing, and write a WordPress plugin to talk to the API. This could be profitable down the line both by encouraging developers to write software for your system, and the WordPress plugin would lower the barrier for entry to doing business with you.
    • 0