While developing a WordPress plugin, it is really crucial to prevent direct access to its files. As you may never know, what might happen if someone has direct access to your plugin’s PHP files. Considering a Worst Case Scenario, they can have remote code execution (RCE)
Remote Code Execution (RCE): As the name suggests, is a security vulnerability that allows an attacker to execute codes from a remote server. Which can result in taking complete control of your system.
Well direct access to your WordPress file can be prevented by adding the following lines of code above the main code:
if (!defined('ABSPATH')) exit;
if ( ! defined( 'WPINC' ) ) die;
You can use either of the code, both will do the same thing. “WPINC” and “ABSPATH” are constants that are defined when WordPress is loading. Normally, when requesting a front-end page “ABSPATH” will be defined by the file /wp-load.php and “WPINC” will defined later when the file /wp-settings.php is loaded. Since neither one of those files will have been loaded when first accessing a plugin’s file directly, it doesn’t matter which one you check for, so you just need to add one of those line before the rest of the code in the file to prevent direct access.