missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#5051BP xProfile Location74724500Missing nonce verification
#5052Calculation For Contact Form 7742151k+Text Domain Mismatch
#5053Cálculo do frete somente com o CEP – WC Brasil7413241k+Non-prefixed function
#5054Signature Field For Contact Form 7 – CF7Sign74912700Missing Translators Comment
#5055Clean WP Admin Menu741913600Non Singular String Literal Domain
#5056Code Snippet DM74212500Output is not escaped
#5057Custom Icons for Elementor and WPBakery74353810k+Non-prefixed global variable
#5058Datareporter Webcare741221700Non-prefixed global variable
#5059Duplicate Widget741701k+Output is not escaped
#5060ELEX WooCommerce USPS Shipping Method7413945900Text Domain Mismatch
#5061EmailKit – Email Customizer for WooCommerce & WP74178270k+slow db query meta query
#5062Fast Speed Index74912500Direct Query
#5063Formidable Honeypot74106400Text Domain Mismatch
#5064Google Web Fonts Customizer (GWFC)74484900Text Domain Mismatch
#5065Gravity Forms Multi Currency74612400Output is not escaped
#5066Highlight and Share – Unobtrusive and Lightweight Content Sharing7412115800Non-prefixed hook name
#5067Live Custom CSS JS Code Editor74184400Output is not escaped
#5068Multiple Admin Email Addresses74741k+Missing nonce verification
#5069Multiple Roles748185k+Non-prefixed global variable
#5070Elements For Elementor74393710k+Non-prefixed global variable
#5071Outfunnel: Web Visitor Tracking & CRM Integration74349600Short PHP open tag found
#5072Plugin Notes Plus742429k+Non-prefixed hook name
#5073Post Carousel for DV Builder7415292k+Text Domain Mismatch
#5074Post Grid Addon for Elementor74161310k+Missing direct file access protection
#5075Post My CF7 Form74211682k+Non-prefixed global variable
#5076Product Layouts for WooCommerce745751k+Direct Query
#5077WP All Import – Property Import for RealHomes741712700Output is not escaped
#5078Resume Builder7420591k+Non-prefixed global variable
#5079Security Headers7431113k+Deprecated parameter: unregister_setting parameter 3
#5080Simple Scroll To Top WP742451k+Output is not escaped
#5081Simple Slug Translate743231k+Non Singular String Literal Domain
#5082Sticky Custom Post Types74150500Missing Arg Domain
#5083Change Storefront Footer Copyright Text7471214k+Text Domain Mismatch
#5084Sublium Subscriptions – Subscriptions for WooCommerce – Recurring Payments, Subscription Plans & Installments743522500wp function not compatible with requires wp
#5085Vello Booking Calendar74102500Unsafe printing function
#5086WhatConverts7410107k+Non-prefixed function
#5087WP API SwaggerUI7414202k+Missing direct file access protection
#5088Force Login745830k+Output is not escaped
#5089WP Revisions Limit741614800Missing Arg Domain
#5090WP-Sweep741201100k+Direct Query
#5091Accordion Shortcode75170400Output is not escaped
#5092Acumbamail757361k+Non-prefixed global variable
#5093Admin Locale7512106k+Missing Arg Domain
#5094Anchor Episodes Index (Spotify for Podcasters)753231k+Text Domain Mismatch
#5095Beacon Lead Magnets and Lead Capture75825500Nonce verification recommended
#5096blueimp lightbox751921k+Output is not escaped
#5097Bulk Comments Management75625700Direct Query
#5098Canvas Image Resize751911k+Output is not escaped
#5099Cognito Forms751342k+wp function not compatible with requires wp
#5100Colored Admin Post List7580500Heredoc Output Not Escaped