missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4951 | Nginx Helper | 71 | 47 | 60 | 200k+ | Non-prefixed global variable | ||
| #4952 | Print Bangla News | 71 | 29 | 17 | 2k+ | Output is not escaped | ||
| #4953 | Privyr CRM – Instant Lead Alerts for Contact Forms | 71 | 2 | 25 | 4k+ | Non-prefixed function | ||
| #4954 | Quick and Easy FAQs | 71 | 92 | 9 | 10k+ | Non Singular String Literal Domain | ||
| #4955 | Really Simple Click To Call Bar | 71 | 23 | 3 | 8k+ | Output is not escaped | ||
| #4956 | Social Fabric Analytics From Collective Bias | 71 | 17 | 0 | 1k+ | Output is not escaped | ||
| #4957 | Visual Bible Verse of the Day Widget | 71 | 27 | 1 | 900 | Output is not escaped | ||
| #4958 | WindPress – Tailwind CSS integration for WordPress | 71 | 16 | 106 | 3k+ | Non-prefixed hook name | ||
| #4959 | Discount Rules for WooCommerce | 71 | 10 | 454 | 100k+ | Non-prefixed global variable | ||
| #4960 | WP 4 Me Title Remover | 71 | 17 | 13 | 1k+ | Missing direct file access protection | ||
| #4961 | WP No Base Permalink | 71 | 8 | 10 | 10k+ | Unsafe printing function | ||
| #4962 | WP Widget in Navigation | 71 | 37 | 15 | 3k+ | Non Singular String Literal Domain | ||
| #4963 | WPS Notice Center | 71 | 12 | 7 | 3k+ | Unsafe printing function | ||
| #4964 | Zapier for WordPress | 71 | 11 | 21 | 50k+ | Input is not sanitized | ||
| #4965 | Archiiv | 72 | 6 | 30 | 400 | Non-prefixed global variable | ||
| #4966 | Auto Featured Image from Title | 72 | 24 | 4 | 1k+ | Setting is missing a sanitization callback | ||
| #4967 | BB Delete cache | 72 | 3 | 15 | 1k+ | Input is not sanitized | ||
| #4968 | Block Archive.org via WordPress robots.txt | 72 | 9 | 8 | 400 | Output is not escaped | ||
| #4969 | Bulk Term Editor | 72 | 19 | 9 | 400 | Output is not escaped | ||
| #4970 | Click to top | 72 | 22 | 8 | 2k+ | Output is not escaped | ||
| #4971 | Cloudinary – Deliver Images and Videos at Scale | 72 | 691 | 134 | 5k+ | Text Domain Mismatch | ||
| #4972 | Contact Form 7 Leads Tracking | 72 | 3 | 23 | 600 | Input is not sanitized | ||
| #4973 | Dashboard Wordcount | 72 | 30 | 7 | 500 | Output is not escaped | ||
| #4974 | Disable Title | 72 | 20 | 15 | 2k+ | Text Domain Mismatch | ||
| #4975 | Disclaimify – Affiliate Disclosure / Disclaimer for WordPress | 72 | 2 | 19 | 1k+ | Missing nonce verification | ||
| #4976 | Display your Checkatrade | 72 | 19 | 3 | 400 | Output is not escaped | ||
| #4977 | Getsitecontrol — Email Marketing Plugin | Popup Maker, Automations & Newsletters | 72 | 17 | 11 | 1k+ | wp function not compatible with requires wp | ||
| #4978 | Gravity Forms CSS Ready Class Selector | 72 | 18 | 4 | 4k+ | Non Singular String Literal Domain | ||
| #4979 | Calendar.online / Kalender.digital – Plugin | 72 | 33 | 7 | 2k+ | Output is not escaped | ||
| #4980 | Login Logout Menu | 72 | 7 | 20 | 20k+ | Input is not sanitized | ||
| #4981 | Media File Sizes | 72 | 14 | 5 | 1k+ | Output is not escaped | ||
| #4982 | Media Library Organizer – Folders, File Manager & Media Categories | 72 | 20 | 130 | 20k+ | Non-prefixed global variable | ||
| #4983 | Meks Smart Author Widget | 72 | 24 | 0 | 10k+ | Output is not escaped | ||
| #4984 | MemcacheD Is Your Friend | 72 | 23 | 33 | 1k+ | Non-prefixed function | ||
| #4985 | Minimal Maintenance Mode | 72 | 1 | 20 | 600 | Missing nonce verification | ||
| #4986 | My-Plugins | 72 | 24 | 6 | 30k+ | Missing Arg Domain | ||
| #4987 | Non-Purchasable WooCommerce Products | 72 | 14 | 13 | 1k+ | Input is not validated | ||
| #4988 | Property Hive Stamp Duty Calculator | 72 | 39 | 2 | 800 | Text Domain Mismatch | ||
| #4989 | Responsive Blocks – Page Builder for Blocks & Patterns | 72 | 43 | 43 | 3k+ | badly named files | ||
| #4990 | Responsive Owl Carousel for Elementor | 72 | 40 | 89 | 7k+ | Non-prefixed global variable | ||
| #4991 | Root Relative URLs | 72 | 9 | 10 | 6k+ | Input is not sanitized | ||
| #4992 | Simple Local Avatars | 72 | 14 | 16 | 100k+ | Non-prefixed constant | ||
| #4993 | Smartwaiver Waiver Widget | 72 | 17 | 8 | 400 | Output is not escaped | ||
| #4994 | Social Media Icons Widget | 72 | 181 | 10 | 1k+ | badly named files | ||
| #4995 | Tabs Widget for Page Builder | 72 | 22 | 7 | 3k+ | Text Domain Mismatch | ||
| #4996 | Starter Templates & Sites Pack by ThemeGrill | 72 | 28 | 51 | 70k+ | Non-prefixed hook name | ||
| #4997 | TinyPNG – JPEG, PNG & WebP image compression | 72 | 40 | 73 | 100k+ | Non-prefixed global variable | ||
| #4998 | Tiny Yardage Calculator | 72 | 23 | 1 | 300 | Output is not escaped | ||
| #4999 | Ultimate Member Custom Tab Builder Lite | 72 | 12 | 15 | 500 | Output is not escaped | ||
| #5000 | Waymark | 72 | 16 | 32 | 900 | Missing direct file access protection |