missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5101 | Custom field finder | 75 | 9 | 3 | 2k+ | Output is not escaped | ||
| #5102 | Custom Adobe Fonts (Typekit) | 75 | 11 | 33 | 60k+ | Non-prefixed global variable | ||
| #5103 | Customize Twenty Seventeen | 75 | 33 | 19 | 2k+ | Text Domain Mismatch | ||
| #5104 | Customize Twenty Sixteen | 75 | 32 | 11 | 500 | Text Domain Mismatch | ||
| #5105 | En Spam | 75 | 21 | 6 | 500 | wp function not compatible with requires wp | ||
| #5106 | Eventin Addons for Divi Builder | 75 | 6 | 17 | 800 | Nonce verification recommended | ||
| #5107 | Force First and Last Name as Display Name | 75 | 5 | 12 | 2k+ | Missing nonce verification | ||
| #5108 | Gradient Button for Elementor | 75 | 16 | 4 | 2k+ | Output is not escaped | ||
| #5109 | Hide Categories and Products for Woocommerce | 75 | 1 | 20 | 10k+ | Input is not sanitized | ||
| #5110 | Hum | 75 | 8 | 2 | 600 | wp function not compatible with requires wp | ||
| #5111 | Intuitive Custom Post Order | 75 | 19 | 96 | 400k+ | Direct Query | ||
| #5112 | Open Graph Protocol Framework | 75 | 17 | 12 | 3k+ | Missing direct file access protection | ||
| #5113 | WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation | 75 | 2 | 60 | 1k+ | Database parameter is not escaped | ||
| #5114 | Options Framework | 75 | 8 | 56 | 10k+ | Non-prefixed function | ||
| #5115 | PJ News Ticker | 75 | 13 | 14 | 3k+ | Output is not escaped | ||
| #5116 | PopupAlly | 75 | 40 | 10 | 2k+ | Missing direct file access protection | ||
| #5117 | Rapyd Payment Extension for WooCommerce | 75 | 50 | 33 | 400 | Text Domain Mismatch | ||
| #5118 | reCAPTCHA for bbPress | 75 | 14 | 19 | 700 | Non-prefixed function | ||
| #5119 | Logos Reftagger | 75 | 12 | 15 | 10k+ | Deprecated parameter: add_option parameter 3 | ||
| #5120 | Registration Form for WooCommerce | 75 | 5 | 42 | 1k+ | Non-prefixed global variable | ||
| #5121 | Services Section Block – Showcase Service Details in Grid or Columns | 75 | 9 | 19 | 2k+ | Non-prefixed namespace | ||
| #5122 | Matterport Shortcode | 75 | 21 | 30 | 3k+ | Text Domain Mismatch | ||
| #5123 | Simple Taxonomy Ordering | 75 | 7 | 10 | 10k+ | Direct Query | ||
| #5124 | Styleguide – Custom Fonts and Colors | 75 | 59 | 25 | 2k+ | Missing direct file access protection | ||
| #5125 | Testimonial – Testimonial Slider and Showcase Plugin | 75 | 563 | 231 | 30k+ | Text Domain Mismatch | ||
| #5126 | True Lazy Analytics | 75 | 11 | 13 | 6k+ | Nonce verification recommended | ||
| #5127 | UK Address Postcode Validation | 75 | 72 | 33 | 700 | Non Singular String Literal Domain | ||
| #5128 | Ultimate Under Construction | 75 | 22 | 2 | 1k+ | Non Enqueued Script | ||
| #5129 | Video Background Block – Use video as background in section. | 75 | 35 | 90 | 2k+ | Non-prefixed global variable | ||
| #5130 | Wonder PDF Embed | 75 | 53 | 1 | 8k+ | badly named files | ||
| #5131 | Ukrposhta | 75 | 24 | 226 | 500 | Non-prefixed global variable | ||
| #5132 | WP Change Custom Posts Slugs | 75 | 17 | 4 | 700 | Text Domain Mismatch | ||
| #5133 | WP Disables Updates | 75 | 19 | 7 | 700 | Text Domain Mismatch | ||
| #5134 | wp-forecast | 75 | 263 | 117 | 4k+ | Missing Arg Domain | ||
| #5135 | WP Hide Dashboard | 75 | 6 | 10 | 2k+ | trademarked term | ||
| #5136 | WP-HTML-Compression | 75 | 7 | 22 | 1k+ | Input is not sanitized | ||
| #5137 | WPC Variation Bulk Editor for WooCommerce | 75 | 7 | 22 | 1k+ | Output is not escaped | ||
| #5138 | WPSSO WP Sitemaps XML with News, Image, and Video Sitemap | 75 | 60 | 24 | 400 | Missing Translators Comment | ||
| #5139 | YITH Slider for page builders | 75 | 13 | 22 | 1k+ | Nonce verification recommended | ||
| #5140 | 404 Simple Redirect | 76 | 19 | 4 | 900 | Text Domain Mismatch | ||
| #5141 | Addonify – WooCommerce Wishlist | 76 | 30 | 43 | 1k+ | Non-prefixed global variable | ||
| #5142 | Advanced CSS Editor | 76 | 25 | 6 | 5k+ | Output is not escaped | ||
| #5143 | AI Provider for OpenAI | 76 | 15 | 1 | 30k+ | Exception output is not escaped | ||
| #5144 | Ajax Search Lite – Live Search & Filter | 76 | 126 | 264 | 80k+ | Non-prefixed hook name | ||
| #5145 | AMS Google Webmaster Tools | 76 | 10 | 3 | 400 | Output is not escaped | ||
| #5146 | Auction Nudge – Your eBay Listings | 76 | 18 | 6 | 1k+ | Missing direct file access protection | ||
| #5147 | Autocomplete WooCommerce Orders | 76 | 70 | 55 | 30k+ | Text Domain Mismatch | ||
| #5148 | Cache External Scripts | 76 | 21 | 4 | 900 | Output is not escaped | ||
| #5149 | Change Mail Sender | 76 | 97 | 19 | 20k+ | Text Domain Mismatch | ||
| #5150 | Certificate customizer for Tutor LMS | 76 | 16 | 3 | 1k+ | Output is not escaped |