missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#5101Custom field finder75932k+Output is not escaped
#5102Custom Adobe Fonts (Typekit)75113360k+Non-prefixed global variable
#5103Customize Twenty Seventeen7533192k+Text Domain Mismatch
#5104Customize Twenty Sixteen753211500Text Domain Mismatch
#5105En Spam75216500wp function not compatible with requires wp
#5106Eventin Addons for Divi Builder75617800Nonce verification recommended
#5107Force First and Last Name as Display Name755122k+Missing nonce verification
#5108Gradient Button for Elementor751642k+Output is not escaped
#5109Hide Categories and Products for Woocommerce7512010k+Input is not sanitized
#5110Hum7582600wp function not compatible with requires wp
#5111Intuitive Custom Post Order751996400k+Direct Query
#5112Open Graph Protocol Framework7517123k+Missing direct file access protection
#5113WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation752601k+Database parameter is not escaped
#5114Options Framework7585610k+Non-prefixed function
#5115PJ News Ticker7513143k+Output is not escaped
#5116PopupAlly7540102k+Missing direct file access protection
#5117Rapyd Payment Extension for WooCommerce755033400Text Domain Mismatch
#5118reCAPTCHA for bbPress751419700Non-prefixed function
#5119Logos Reftagger75121510k+Deprecated parameter: add_option parameter 3
#5120Registration Form for WooCommerce755421k+Non-prefixed global variable
#5121Services Section Block – Showcase Service Details in Grid or Columns759192k+Non-prefixed namespace
#5122Matterport Shortcode7521303k+Text Domain Mismatch
#5123Simple Taxonomy Ordering7571010k+Direct Query
#5124Styleguide – Custom Fonts and Colors7559252k+Missing direct file access protection
#5125Testimonial – Testimonial Slider and Showcase Plugin7556323130k+Text Domain Mismatch
#5126True Lazy Analytics7511136k+Nonce verification recommended
#5127UK Address Postcode Validation757233700Non Singular String Literal Domain
#5128Ultimate Under Construction752221k+Non Enqueued Script
#5129Video Background Block – Use video as background in section.7535902k+Non-prefixed global variable
#5130Wonder PDF Embed755318k+badly named files
#5131Ukrposhta7524226500Non-prefixed global variable
#5132WP Change Custom Posts Slugs75174700Text Domain Mismatch
#5133WP Disables Updates75197700Text Domain Mismatch
#5134wp-forecast752631174k+Missing Arg Domain
#5135WP Hide Dashboard756102k+trademarked term
#5136WP-HTML-Compression757221k+Input is not sanitized
#5137WPC Variation Bulk Editor for WooCommerce757221k+Output is not escaped
#5138WPSSO WP Sitemaps XML with News, Image, and Video Sitemap756024400Missing Translators Comment
#5139YITH Slider for page builders7513221k+Nonce verification recommended
#5140404 Simple Redirect76194900Text Domain Mismatch
#5141Addonify – WooCommerce Wishlist7630431k+Non-prefixed global variable
#5142Advanced CSS Editor762565k+Output is not escaped
#5143AI Provider for OpenAI7615130k+Exception output is not escaped
#5144Ajax Search Lite – Live Search & Filter7612626480k+Non-prefixed hook name
#5145AMS Google Webmaster Tools76103400Output is not escaped
#5146Auction Nudge – Your eBay Listings761861k+Missing direct file access protection
#5147Autocomplete WooCommerce Orders76705530k+Text Domain Mismatch
#5148Cache External Scripts76214900Output is not escaped
#5149Change Mail Sender76971920k+Text Domain Mismatch
#5150Certificate customizer for Tutor LMS761631k+Output is not escaped