missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#5151Custom Template for LearnDash76791k+Non-prefixed hook name
#5152Dicode Icons Pack761013600Nonce verification recommended
#5153Disable Lazy Load7686400Non-prefixed constant
#5154Drip for WordPress761172k+Missing direct file access protection
#5155Like Thumbnail761381k+Output is not escaped
#5156Headers Security Advanced & HSTS WP76191090k+Missing Translators Comment
#5157Leo Product Recommendations for WooCommerce76379400Short URL found
#5158Lucky Orange765602k+wp function not compatible with requires wp
#5159Admin Bookmarks76304500Text Domain Mismatch
#5160Ocean Posts Slider76131410k+Output is not escaped
#5161ABC Crypto Checkout7642141k+Text Domain Mismatch
#5162Post Updated Date76171500Output is not escaped
#5163Post UI Tabs76554400Non Singular String Literal Domain
#5164Search Regex76625100k+Direct Query
#5165Simple Floating Menu7613310k+Missing direct file access protection
#5166Siteready Coming Soon Under Construction766303k+Non-prefixed global variable
#5167Smartideo76831k+Output is not escaped
#5168Store file uploads for Contact Form 776561k+Output is not escaped
#5169Super RSS Reader – Add attractive RSS Feed Widget7624510k+Output is not escaped
#5170TagPages761341k+Missing Arg Domain
#5171Category Order and Taxonomy Terms Order763510500k+wp function not compatible with requires wp
#5172Telephone Input For Contact Form 7761810600Text Domain Mismatch
#5173Contact Form 7 Text CAPTCHA7614341k+Non-prefixed global variable
#5174Breadcrumbs for WooCommerce761426k+Output is not escaped
#5175Action Network761917400error log error log
#5176Hide Dashboard Notifications76101020k+Output is not escaped
#5177WP SAML Auth767257k+Nonce verification recommended
#5178Social Share For WooCommerce768523500Text Domain Mismatch
#5179WP AdCenter – Ad Manager & Adsense Ads765711k+Direct Query
#5180WPC Free Gift Coupons for WooCommerce76419400Non-prefixed class
#5181AffiliateWP – External Referral Links773011800Text Domain Mismatch
#5182Always Edit In HTML77751k+Output is not escaped
#5183Backup/Restore Divi Theme Options7788700Input is not validated
#5184Before After Image Comparison – Visual Comparison for Two Images7718163k+Text Domain Mismatch
#5185Better Search – Relevant search results for WordPress77181175k+Dynamic hook name
#5186Custom Profile Menu for BuddyPress7784400Output is not escaped
#5187Canonical SEO Content Syndication WordPress Plugin7748400Missing nonce verification
#5188Čeština pro WordPress77164400Output is not escaped
#5189Honeypot Plus for Contact Form 777317700Missing nonce verification
#5190Contact Form 7 Translate Messages Extension771051k+Output is not escaped
#5191Color Your Bar77510400Input is not sanitized
#5192Custom Cursor For WP771071k+Setting is missing a sanitization callback
#5193Custom Fonts – Host Your Fonts Locally771420400k+Request data is not unslashed
#5194Custom HTML Block Extension778137k+Missing direct file access protection
#5195Custom User Profile Photo771635k+Unsafe printing function
#5196Disable Toolbar77631k+Output is not escaped
#5197Variation Price Display For WooCommerce778716900Text Domain Mismatch
#5198Disable WP Registration Page Spam775121k+Nonce verification recommended
#5199Easy Featured Images771441k+Output is not escaped
#5200Ecomail777131k+Non-prefixed global variable