missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5051 | BP xProfile Location | 74 | 7 | 24 | 500 | Missing nonce verification | ||
| #5052 | Calculation For Contact Form 7 | 74 | 21 | 5 | 1k+ | Text Domain Mismatch | ||
| #5053 | Cálculo do frete somente com o CEP – WC Brasil | 74 | 13 | 24 | 1k+ | Non-prefixed function | ||
| #5054 | Signature Field For Contact Form 7 – CF7Sign | 74 | 9 | 12 | 700 | Missing Translators Comment | ||
| #5055 | Clean WP Admin Menu | 74 | 19 | 13 | 600 | Non Singular String Literal Domain | ||
| #5056 | Code Snippet DM | 74 | 21 | 2 | 500 | Output is not escaped | ||
| #5057 | Custom Icons for Elementor and WPBakery | 74 | 35 | 38 | 10k+ | Non-prefixed global variable | ||
| #5058 | Datareporter Webcare | 74 | 12 | 21 | 700 | Non-prefixed global variable | ||
| #5059 | Duplicate Widget | 74 | 17 | 0 | 1k+ | Output is not escaped | ||
| #5060 | ELEX WooCommerce USPS Shipping Method | 74 | 139 | 45 | 900 | Text Domain Mismatch | ||
| #5061 | EmailKit – Email Customizer for WooCommerce & WP | 74 | 17 | 82 | 70k+ | slow db query meta query | ||
| #5062 | Fast Speed Index | 74 | 9 | 12 | 500 | Direct Query | ||
| #5063 | Formidable Honeypot | 74 | 10 | 6 | 400 | Text Domain Mismatch | ||
| #5064 | Google Web Fonts Customizer (GWFC) | 74 | 48 | 4 | 900 | Text Domain Mismatch | ||
| #5065 | Gravity Forms Multi Currency | 74 | 6 | 12 | 400 | Output is not escaped | ||
| #5066 | Highlight and Share – Unobtrusive and Lightweight Content Sharing | 74 | 12 | 115 | 800 | Non-prefixed hook name | ||
| #5067 | Live Custom CSS JS Code Editor | 74 | 18 | 4 | 400 | Output is not escaped | ||
| #5068 | Multiple Admin Email Addresses | 74 | 7 | 4 | 1k+ | Missing nonce verification | ||
| #5069 | Multiple Roles | 74 | 8 | 18 | 5k+ | Non-prefixed global variable | ||
| #5070 | Elements For Elementor | 74 | 39 | 37 | 10k+ | Non-prefixed global variable | ||
| #5071 | Outfunnel: Web Visitor Tracking & CRM Integration | 74 | 34 | 9 | 600 | Short PHP open tag found | ||
| #5072 | Plugin Notes Plus | 74 | 2 | 42 | 9k+ | Non-prefixed hook name | ||
| #5073 | Post Carousel for DV Builder | 74 | 152 | 9 | 2k+ | Text Domain Mismatch | ||
| #5074 | Post Grid Addon for Elementor | 74 | 16 | 13 | 10k+ | Missing direct file access protection | ||
| #5075 | Post My CF7 Form | 74 | 21 | 168 | 2k+ | Non-prefixed global variable | ||
| #5076 | Product Layouts for WooCommerce | 74 | 5 | 75 | 1k+ | Direct Query | ||
| #5077 | WP All Import – Property Import for RealHomes | 74 | 17 | 12 | 700 | Output is not escaped | ||
| #5078 | Resume Builder | 74 | 20 | 59 | 1k+ | Non-prefixed global variable | ||
| #5079 | Security Headers | 74 | 31 | 11 | 3k+ | Deprecated parameter: unregister_setting parameter 3 | ||
| #5080 | Simple Scroll To Top WP | 74 | 24 | 5 | 1k+ | Output is not escaped | ||
| #5081 | Simple Slug Translate | 74 | 32 | 3 | 1k+ | Non Singular String Literal Domain | ||
| #5082 | Sticky Custom Post Types | 74 | 15 | 0 | 500 | Missing Arg Domain | ||
| #5083 | Change Storefront Footer Copyright Text | 74 | 71 | 21 | 4k+ | Text Domain Mismatch | ||
| #5084 | Sublium Subscriptions – Subscriptions for WooCommerce – Recurring Payments, Subscription Plans & Installments | 74 | 35 | 22 | 500 | wp function not compatible with requires wp | ||
| #5085 | Vello Booking Calendar | 74 | 10 | 2 | 500 | Unsafe printing function | ||
| #5086 | WhatConverts | 74 | 10 | 10 | 7k+ | Non-prefixed function | ||
| #5087 | WP API SwaggerUI | 74 | 14 | 20 | 2k+ | Missing direct file access protection | ||
| #5088 | Force Login | 74 | 5 | 8 | 30k+ | Output is not escaped | ||
| #5089 | WP Revisions Limit | 74 | 16 | 14 | 800 | Missing Arg Domain | ||
| #5090 | WP-Sweep | 74 | 1 | 201 | 100k+ | Direct Query | ||
| #5091 | Accordion Shortcode | 75 | 17 | 0 | 400 | Output is not escaped | ||
| #5092 | Acumbamail | 75 | 7 | 36 | 1k+ | Non-prefixed global variable | ||
| #5093 | Admin Locale | 75 | 12 | 10 | 6k+ | Missing Arg Domain | ||
| #5094 | Anchor Episodes Index (Spotify for Podcasters) | 75 | 32 | 3 | 1k+ | Text Domain Mismatch | ||
| #5095 | Beacon Lead Magnets and Lead Capture | 75 | 8 | 25 | 500 | Nonce verification recommended | ||
| #5096 | blueimp lightbox | 75 | 19 | 2 | 1k+ | Output is not escaped | ||
| #5097 | Bulk Comments Management | 75 | 6 | 25 | 700 | Direct Query | ||
| #5098 | Canvas Image Resize | 75 | 19 | 1 | 1k+ | Output is not escaped | ||
| #5099 | Cognito Forms | 75 | 13 | 4 | 2k+ | wp function not compatible with requires wp | ||
| #5100 | Colored Admin Post List | 75 | 8 | 0 | 500 | Heredoc Output Not Escaped |