missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5001 | Place Order Without Payment for WooCommerce | 72 | 244 | 62 | 3k+ | Text Domain Mismatch | ||
| #5002 | Customizer for WooCommerce | 72 | 10 | 13 | 800 | Nonce verification recommended | ||
| #5003 | Direct Checkout for WooCommerce | 72 | 77 | 35 | 80k+ | Text Domain Mismatch | ||
| #5004 | ShinyStat Widget | 72 | 14 | 2 | 800 | Output is not escaped | ||
| #5005 | Advanced Custom Fields – Widget Relationship Field add-on | 73 | 18 | 7 | 500 | Output is not escaped | ||
| #5006 | AffiliateWP – Allowed Products | 73 | 47 | 19 | 1k+ | Text Domain Mismatch | ||
| #5007 | Albacross for WordPress | 73 | 18 | 5 | 1k+ | Text Domain Mismatch | ||
| #5008 | AADMY – Add Auto Date Month Year Into Posts | 73 | 30 | 32 | 400 | Non-prefixed function | ||
| #5009 | Block Plugin Update | 73 | 9 | 10 | 6k+ | Missing direct file access protection | ||
| #5010 | Clone Woo Orders – Free by WP Masters | 73 | 13 | 8 | 900 | Output is not escaped | ||
| #5011 | Conditionally display featured image on singular posts and pages | 73 | 17 | 6 | 30k+ | Output is not escaped | ||
| #5012 | Contact Form to Brevo | 73 | 67 | 11 | 1k+ | Text Domain Mismatch | ||
| #5013 | Contact Form7: Autocomplete | 73 | 27 | 8 | 500 | Text Domain Mismatch | ||
| #5014 | Continue Shopping for WooCommerce | 73 | 9 | 20 | 5k+ | Input is not sanitized | ||
| #5015 | Custom Datepicker NMR | 73 | 4 | 12 | 1k+ | Missing Version | ||
| #5016 | OpenID Connect Generic Client | 73 | 9 | 59 | 10k+ | Non-prefixed hook name | ||
| #5017 | Emergency password reset | 73 | 56 | 14 | 800 | wp function not compatible with requires wp | ||
| #5018 | Export Media Library | 73 | 5 | 5 | 30k+ | Output is not escaped | ||
| #5019 | Export Plugin Details | 73 | 13 | 6 | 2k+ | Output is not escaped | ||
| #5020 | Force Password Change | 73 | 4 | 10 | 400 | Missing nonce verification | ||
| #5021 | Gravity Fieldset for Gravity Forms | 73 | 14 | 1 | 900 | Output is not escaped | ||
| #5022 | Hide WP Toolbar | 73 | 4 | 13 | 1k+ | trademarked term | ||
| #5023 | Infinite Notification – Sales Notification Plugin | 73 | 13 | 5 | 500 | Setting is missing a sanitization callback | ||
| #5024 | jQuery Lightbox For Native Galleries | 73 | 26 | 7 | 4k+ | Text Domain Mismatch | ||
| #5025 | Meks Easy Ads Widget | 73 | 21 | 9 | 10k+ | Output is not escaped | ||
| #5026 | Meta Description | 73 | 5 | 9 | 400 | Input is not validated | ||
| #5027 | Mortgage Calculators WP | 73 | 18 | 123 | 3k+ | Non-prefixed global variable | ||
| #5028 | Multifile Upload Field for Contact Form 7 | 73 | 41 | 7 | 5k+ | Text Domain Mismatch | ||
| #5029 | My Simple Space | 73 | 21 | 3 | 8k+ | Output is not escaped | ||
| #5030 | Weight zone shipping for WooCommerce | 73 | 25 | 13 | 1k+ | Missing Translators Comment | ||
| #5031 | PDF viewer for Elementor & Gutenberg | 73 | 14 | 12 | 10k+ | Nonce verification recommended | ||
| #5032 | Permalinks Moved Permanently | 73 | 7 | 7 | 700 | Database parameter is not escaped | ||
| #5033 | Website Optimization – Plerdy | 73 | 48 | 1 | 1k+ | wp function not compatible with requires wp | ||
| #5034 | Plugin Groups | 73 | 16 | 12 | 1k+ | Non Singular String Literal Domain | ||
| #5035 | RPS Include Content | 73 | 13 | 2 | 700 | Output is not escaped | ||
| #5036 | Comment Edit Core – Simple Comment Editing | 73 | 27 | 85 | 2k+ | Non-prefixed hook name | ||
| #5037 | Simple Image Popup | 73 | 21 | 5 | 1k+ | Output is not escaped | ||
| #5038 | Sweet Custom Dashboard | 73 | 27 | 2 | 400 | Missing Arg Domain | ||
| #5039 | Theme Inspector | 73 | 23 | 7 | 400 | Output is not escaped | ||
| #5040 | Timeline Express – No Icons Add-On | 73 | 10 | 9 | 700 | Output is not escaped | ||
| #5041 | Under Construction Light | 73 | 13 | 8 | 1k+ | Text Domain Mismatch | ||
| #5042 | Pedido Mínimo para WooCommerce | 73 | 8 | 14 | 1k+ | Nonce verification recommended | ||
| #5043 | Zoho SalesIQ – Live chat, chatbots, and visitor tracking | 73 | 11 | 9 | 20k+ | Input is not validated | ||
| #5044 | Advanced Custom Fields: Accordion Tab Field | 74 | 14 | 11 | 800 | Missing Version | ||
| #5045 | ACF Columns | 74 | 47 | 4 | 4k+ | Text Domain Mismatch | ||
| #5046 | Admin Columns for ACF Fields | 74 | 7 | 8 | 9k+ | Output is not escaped | ||
| #5047 | AffiliateWP – Sign Up Bonus | 74 | 46 | 13 | 400 | Text Domain Mismatch | ||
| #5048 | Append Link on Copy | 74 | 23 | 5 | 800 | Output is not escaped | ||
| #5049 | Bing URL Submissions Plugin | 74 | 10 | 38 | 40k+ | error log error log | ||
| #5050 | Boxy WooCommerce Custom Redirect After Checkout | 74 | 27 | 8 | 600 | badly named files |