I have an external PHP file placed in a plugin which must work in all Wordpress configurations, including those where the plugin folder has been moved outside the Wordpress root.
The external PHP file needs to bootstrap wp-load.php and thus needs to know the location of that file. The location of the file is passed through the querystring (the relative location from the plugin folder to the Wordpress root), which is obviously unsafe. If a hacker has somehow gained access to upload PHP files (wp-load.php) to, for example, wp-content, she will be able to run a malicious wp-load.php through the external script.
The external PHP is "called" by way of a RewriteRule in an .htaccess (which I have control of). On Apache I can block direct access, but not on Nginx.
As the purpose is to load Wordpress, note that using Wordpress functions is out of the question.
I am thinking that perhaps some secret or hash can be passed to the script from the .htaccess.
To validate that the root looks real, the .htaccess in the root could be examined.
With control over the .htaccess, you could put any comment into the .htaccess. To decide whether to accept a proposed root folder, the script can look for a .htaccess in that folder, read it, and see if it contains the magic comment.
To exploit this, the hacker would need to be able to store a file named ".htaccess" as well as "wp-load.php".
The solution could be improved by inserting a hash of something in the magic comment (but hash of what?)
To avoid running a PHP file located in, e.g., "/var/www/example.com/wp-content/uploads/wp-load.php", you could check if any of the parent folders contains "wp-load.php" and exit if they do.
This protection unfortunately cannot stand by itself, as it will not protect installations where the wp-content folder has been moved out of the root. But it will shield typical installations against running a malicious "wp-load" which has been uploaded into a subfolder.
The plugin could try to create a symlinked folder in the plugins folder, linking to the root. Or it could create a PHP file there which defines the path to the root. It will only be necessary when the system is detected as Nginx.
The uploads folder will be write protected on many systems. Instructions need to be provided for creating such a file manually. In this case, this is not a deal breaker, as users on Nginx already need to insert the rewrite rules manually.
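The three ideas above (the magic comment in the root's .htaccess, the parent-folder scan for a stray wp-load.php, and a generated path file for Nginx) combined into one validation routine. This is an added example, not code from the original post or from any plugin; the query parameter name `root`, the marker `# wpsafe-root`, the generated file name `wp-root-path.php` and the constant `WPSAFE_ROOT` it is expected to define are all assumed names chosen for illustration. It targets PHP 8 (for `str_contains`) and keeps the marker a fixed string, since the post leaves open what a hash in the comment should cover.

```php
<?php
// Added example (not from the original post): validate a caller-supplied
// WordPress root before requiring wp-load.php from it.
// Assumed (hypothetical) names: the RewriteRule passes the relative root as
// ?root=..., the root .htaccess carries the comment "# wpsafe-root", and a
// generated file wp-root-path.php next to this script may define WPSAFE_ROOT.

declare(strict_types=1);

const MAGIC_COMMENT  = '# wpsafe-root';                // hypothetical marker in the root .htaccess
const ROOT_PATH_FILE = __DIR__ . '/wp-root-path.php';  // hypothetical generated file for Nginx setups

/**
 * Return the real, validated WordPress root directory, or null if the
 * candidate fails any check. This function never includes anything.
 */
function resolveWordPressRoot(string $relativeRoot): ?string
{
    // Accept only a plain relative path: no NUL bytes, no absolute paths, no
    // URL schemes. ".." segments are allowed because the plugin folder may sit
    // outside the WordPress root; realpath() normalises them.
    if ($relativeRoot === '' || str_contains($relativeRoot, "\0")) {
        return null;
    }
    if (preg_match('#^([a-z]+:|/|\\\\)#i', $relativeRoot)) {
        return null;
    }

    $root = realpath(__DIR__ . '/' . $relativeRoot);
    if ($root === false || !is_dir($root)) {
        return null;
    }

    // Check 1 (magic comment): the candidate root's .htaccess must carry our marker.
    $htaccess = $root . DIRECTORY_SEPARATOR . '.htaccess';
    if (!is_file($htaccess)) {
        return null;
    }
    $contents = file_get_contents($htaccess);
    if ($contents === false || !str_contains($contents, MAGIC_COMMENT)) {
        return null;
    }

    // Check 2 (parent scan): refuse if any ancestor directory also contains
    // wp-load.php, which is what a file dropped into wp-content/uploads looks
    // like. As noted above, this does not cover a relocated wp-content folder.
    $dir = $root;
    while (true) {
        $parent = dirname($dir);
        if ($parent === $dir) {
            break; // reached the filesystem root
        }
        if (is_file($parent . DIRECTORY_SEPARATOR . 'wp-load.php')) {
            return null;
        }
        $dir = $parent;
    }

    // Finally, the candidate must actually contain wp-load.php.
    if (!is_file($root . DIRECTORY_SEPARATOR . 'wp-load.php')) {
        return null;
    }
    return $root;
}

/**
 * Choose the root: a generated path file (for Nginx, where no .htaccess can
 * protect this script) takes precedence over the query string.
 */
function locateWordPressRoot(array $query): ?string
{
    if (is_file(ROOT_PATH_FILE)) {
        require ROOT_PATH_FILE; // expected to define WPSAFE_ROOT as an absolute path
        if (defined('WPSAFE_ROOT') && is_dir(WPSAFE_ROOT)
            && is_file(WPSAFE_ROOT . DIRECTORY_SEPARATOR . 'wp-load.php')) {
            return realpath(WPSAFE_ROOT) ?: null;
        }
        return null; // a present but broken path file is a hard failure, not a fallback
    }
    $relative = $query['root'] ?? '';
    return is_string($relative) ? resolveWordPressRoot($relative) : null;
}

$root = locateWordPressRoot($_GET);
if ($root === null) {
    http_response_code(403);
    exit('Refusing to bootstrap WordPress: root could not be validated.');
}
require $root . DIRECTORY_SEPARATOR . 'wp-load.php';
```

For an Nginx installation the generated (or hand-written) `wp-root-path.php` would contain nothing but `<?php define('WPSAFE_ROOT', '/var/www/example.com');`; once it exists the query string is ignored entirely. On Apache the RewriteRule supplies `root=../..` (or whatever the relative path is) and the `.htaccess` in the Wordpress root must contain the `# wpsafe-root` line. Note that the magic-comment check only helps while an attacker cannot write a `.htaccess` next to the uploaded `wp-load.php`, which is the same assumption made in the text above.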