missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#5001Place Order Without Payment for WooCommerce72244623k+Text Domain Mismatch
#5002Customizer for WooCommerce721013800Nonce verification recommended
#5003Direct Checkout for WooCommerce72773580k+Text Domain Mismatch
#5004ShinyStat Widget72142800Output is not escaped
#5005Advanced Custom Fields – Widget Relationship Field add-on73187500Output is not escaped
#5006AffiliateWP – Allowed Products7347191k+Text Domain Mismatch
#5007Albacross for WordPress731851k+Text Domain Mismatch
#5008AADMY – Add Auto Date Month Year Into Posts733032400Non-prefixed function
#5009Block Plugin Update739106k+Missing direct file access protection
#5010Clone Woo Orders – Free by WP Masters73138900Output is not escaped
#5011Conditionally display featured image on singular posts and pages7317630k+Output is not escaped
#5012Contact Form to Brevo7367111k+Text Domain Mismatch
#5013Contact Form7: Autocomplete73278500Text Domain Mismatch
#5014Continue Shopping for WooCommerce739205k+Input is not sanitized
#5015Custom Datepicker NMR734121k+Missing Version
#5016OpenID Connect Generic Client7395910k+Non-prefixed hook name
#5017Emergency password reset735614800wp function not compatible with requires wp
#5018Export Media Library735530k+Output is not escaped
#5019Export Plugin Details731362k+Output is not escaped
#5020Force Password Change73410400Missing nonce verification
#5021Gravity Fieldset for Gravity Forms73141900Output is not escaped
#5022Hide WP Toolbar734131k+trademarked term
#5023Infinite Notification – Sales Notification Plugin73135500Setting is missing a sanitization callback
#5024jQuery Lightbox For Native Galleries732674k+Text Domain Mismatch
#5025Meks Easy Ads Widget7321910k+Output is not escaped
#5026Meta Description7359400Input is not validated
#5027Mortgage Calculators WP73181233k+Non-prefixed global variable
#5028Multifile Upload Field for Contact Form 7734175k+Text Domain Mismatch
#5029My Simple Space732138k+Output is not escaped
#5030Weight zone shipping for WooCommerce7325131k+Missing Translators Comment
#5031PDF viewer for Elementor & Gutenberg73141210k+Nonce verification recommended
#5032Permalinks Moved Permanently7377700Database parameter is not escaped
#5033Website Optimization – Plerdy734811k+wp function not compatible with requires wp
#5034Plugin Groups7316121k+Non Singular String Literal Domain
#5035RPS Include Content73132700Output is not escaped
#5036Comment Edit Core – Simple Comment Editing7327852k+Non-prefixed hook name
#5037Simple Image Popup732151k+Output is not escaped
#5038Sweet Custom Dashboard73272400Missing Arg Domain
#5039Theme Inspector73237400Output is not escaped
#5040Timeline Express – No Icons Add-On73109700Output is not escaped
#5041Under Construction Light731381k+Text Domain Mismatch
#5042Pedido Mínimo para WooCommerce738141k+Nonce verification recommended
#5043Zoho SalesIQ – Live chat, chatbots, and visitor tracking7311920k+Input is not validated
#5044Advanced Custom Fields: Accordion Tab Field741411800Missing Version
#5045ACF Columns744744k+Text Domain Mismatch
#5046Admin Columns for ACF Fields74789k+Output is not escaped
#5047AffiliateWP – Sign Up Bonus744613400Text Domain Mismatch
#5048Append Link on Copy74235800Output is not escaped
#5049Bing URL Submissions Plugin74103840k+error log error log
#5050Boxy WooCommerce Custom Redirect After Checkout74278600badly named files