missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5151 | Custom Template for LearnDash | 76 | 7 | 9 | 1k+ | Non-prefixed hook name | ||
| #5152 | Dicode Icons Pack | 76 | 10 | 13 | 600 | Nonce verification recommended | ||
| #5153 | Disable Lazy Load | 76 | 8 | 6 | 400 | Non-prefixed constant | ||
| #5154 | Drip for WordPress | 76 | 11 | 7 | 2k+ | Missing direct file access protection | ||
| #5155 | Like Thumbnail | 76 | 13 | 8 | 1k+ | Output is not escaped | ||
| #5156 | Headers Security Advanced & HSTS WP | 76 | 19 | 10 | 90k+ | Missing Translators Comment | ||
| #5157 | Leo Product Recommendations for WooCommerce | 76 | 3 | 79 | 400 | Short URL found | ||
| #5158 | Lucky Orange | 76 | 56 | 0 | 2k+ | wp function not compatible with requires wp | ||
| #5159 | Admin Bookmarks | 76 | 30 | 4 | 500 | Text Domain Mismatch | ||
| #5160 | Ocean Posts Slider | 76 | 13 | 14 | 10k+ | Output is not escaped | ||
| #5161 | ABC Crypto Checkout | 76 | 42 | 14 | 1k+ | Text Domain Mismatch | ||
| #5162 | Post Updated Date | 76 | 17 | 1 | 500 | Output is not escaped | ||
| #5163 | Post UI Tabs | 76 | 55 | 4 | 400 | Non Singular String Literal Domain | ||
| #5164 | Search Regex | 76 | 6 | 25 | 100k+ | Direct Query | ||
| #5165 | Simple Floating Menu | 76 | 13 | 3 | 10k+ | Missing direct file access protection | ||
| #5166 | Siteready Coming Soon Under Construction | 76 | 6 | 30 | 3k+ | Non-prefixed global variable | ||
| #5167 | Smartideo | 76 | 8 | 3 | 1k+ | Output is not escaped | ||
| #5168 | Store file uploads for Contact Form 7 | 76 | 5 | 6 | 1k+ | Output is not escaped | ||
| #5169 | Super RSS Reader – Add attractive RSS Feed Widget | 76 | 24 | 5 | 10k+ | Output is not escaped | ||
| #5170 | TagPages | 76 | 13 | 4 | 1k+ | Missing Arg Domain | ||
| #5171 | Category Order and Taxonomy Terms Order | 76 | 35 | 10 | 500k+ | wp function not compatible with requires wp | ||
| #5172 | Telephone Input For Contact Form 7 | 76 | 18 | 10 | 600 | Text Domain Mismatch | ||
| #5173 | Contact Form 7 Text CAPTCHA | 76 | 14 | 34 | 1k+ | Non-prefixed global variable | ||
| #5174 | Breadcrumbs for WooCommerce | 76 | 14 | 2 | 6k+ | Output is not escaped | ||
| #5175 | Action Network | 76 | 19 | 17 | 400 | error log error log | ||
| #5176 | Hide Dashboard Notifications | 76 | 10 | 10 | 20k+ | Output is not escaped | ||
| #5177 | WP SAML Auth | 76 | 7 | 25 | 7k+ | Nonce verification recommended | ||
| #5178 | Social Share For WooCommerce | 76 | 85 | 23 | 500 | Text Domain Mismatch | ||
| #5179 | WP AdCenter – Ad Manager & Adsense Ads | 76 | 5 | 71 | 1k+ | Direct Query | ||
| #5180 | WPC Free Gift Coupons for WooCommerce | 76 | 4 | 19 | 400 | Non-prefixed class | ||
| #5181 | AffiliateWP – External Referral Links | 77 | 30 | 11 | 800 | Text Domain Mismatch | ||
| #5182 | Always Edit In HTML | 77 | 7 | 5 | 1k+ | Output is not escaped | ||
| #5183 | Backup/Restore Divi Theme Options | 77 | 8 | 8 | 700 | Input is not validated | ||
| #5184 | Before After Image Comparison – Visual Comparison for Two Images | 77 | 18 | 16 | 3k+ | Text Domain Mismatch | ||
| #5185 | Better Search – Relevant search results for WordPress | 77 | 18 | 117 | 5k+ | Dynamic hook name | ||
| #5186 | Custom Profile Menu for BuddyPress | 77 | 8 | 4 | 400 | Output is not escaped | ||
| #5187 | Canonical SEO Content Syndication WordPress Plugin | 77 | 4 | 8 | 400 | Missing nonce verification | ||
| #5188 | Čeština pro WordPress | 77 | 16 | 4 | 400 | Output is not escaped | ||
| #5189 | Honeypot Plus for Contact Form 7 | 77 | 3 | 17 | 700 | Missing nonce verification | ||
| #5190 | Contact Form 7 Translate Messages Extension | 77 | 10 | 5 | 1k+ | Output is not escaped | ||
| #5191 | Color Your Bar | 77 | 5 | 10 | 400 | Input is not sanitized | ||
| #5192 | Custom Cursor For WP | 77 | 10 | 7 | 1k+ | Setting is missing a sanitization callback | ||
| #5193 | Custom Fonts – Host Your Fonts Locally | 77 | 14 | 20 | 400k+ | Request data is not unslashed | ||
| #5194 | Custom HTML Block Extension | 77 | 8 | 13 | 7k+ | Missing direct file access protection | ||
| #5195 | Custom User Profile Photo | 77 | 16 | 3 | 5k+ | Unsafe printing function | ||
| #5196 | Disable Toolbar | 77 | 6 | 3 | 1k+ | Output is not escaped | ||
| #5197 | Variation Price Display For WooCommerce | 77 | 87 | 16 | 900 | Text Domain Mismatch | ||
| #5198 | Disable WP Registration Page Spam | 77 | 5 | 12 | 1k+ | Nonce verification recommended | ||
| #5199 | Easy Featured Images | 77 | 14 | 4 | 1k+ | Output is not escaped | ||
| #5200 | Ecomail | 77 | 7 | 13 | 1k+ | Non-prefixed global variable |