missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5251 | Interact: Embed A Quiz On Your Site | 78 | 6 | 13 | 3k+ | Request data is not unslashed | ||
| #5252 | Login Widget for Ultimate Member | 78 | 10 | 10 | 600 | Input is not sanitized | ||
| #5253 | Maintenance Notice | 78 | 26 | 71 | 800 | Non-prefixed global variable | ||
| #5254 | More Mails for CF7 | 78 | 13 | 6 | 500 | Text Domain Mismatch | ||
| #5255 | Coming Soon & Maintenance Mode Page & Under Construction | 78 | 35 | 67 | 10k+ | Non-prefixed global variable | ||
| #5256 | One Time Login | 78 | 7 | 8 | 40k+ | Nonce verification recommended | ||
| #5257 | PushCrew | 78 | 10 | 0 | 400 | Missing Arg Domain | ||
| #5258 | Recent Posts | 78 | 7 | 2 | 400 | Database parameter is not escaped | ||
| #5259 | Rename XMLRPC | 78 | 7 | 3 | 1k+ | Output is not escaped | ||
| #5260 | Run SQL Query | 78 | 13 | 8 | 600 | Non-prefixed global variable | ||
| #5261 | Animator – Scroll Triggered Animations | 78 | 16 | 24 | 1k+ | Missing direct file access protection | ||
| #5262 | SearchWP Live Ajax Search | 78 | 8 | 23 | 50k+ | Non-prefixed global variable | ||
| #5263 | Sendy | 78 | 11 | 2 | 500 | Output is not escaped | ||
| #5264 | Sheet2Site | 78 | 21 | 3 | 400 | Output is not escaped | ||
| #5265 | Simple Maintenance | 78 | 11 | 5 | 1k+ | Non-prefixed global variable | ||
| #5266 | Yandex Mail SMTP Server for WordPress | 78 | 16 | 5 | 2k+ | Text Domain Mismatch | ||
| #5267 | Spider Blocker | 78 | 19 | 9 | 20k+ | Missing Translators Comment | ||
| #5268 | History Timeline for Biography, Company History & Event Timeline | 78 | 29 | 37 | 1k+ | Non-prefixed global variable | ||
| #5269 | Tock Widget | 78 | 6 | 9 | 400 | Missing direct file access protection | ||
| #5270 | Tuxedo Responsive Widget Columns | 78 | 19 | 3 | 400 | Output is not escaped | ||
| #5271 | Twenty20 Image Before-After | 78 | 104 | 14 | 20k+ | Text Domain Mismatch | ||
| #5272 | WEN Responsive Columns | 78 | 13 | 6 | 800 | Unsafe printing function | ||
| #5273 | Exclude Category from Blog | 78 | 10 | 2 | 1k+ | Output is not escaped | ||
| #5274 | WooCommerce Square | 78 | 6 | 266 | 80k+ | Non-prefixed hook name | ||
| #5275 | Feed Post Thumbnail | 78 | 9 | 3 | 2k+ | Unsafe printing function | ||
| #5276 | WP Simple Mail Sender | 78 | 21 | 6 | 3k+ | Non Singular String Literal Domain | ||
| #5277 | WPC Smart Messages for WooCommerce | 78 | 1 | 58 | 1k+ | Non-prefixed global variable | ||
| #5278 | AffiliateWP – Affiliate Info | 79 | 27 | 7 | 1k+ | Text Domain Mismatch | ||
| #5279 | AffiliateWP – Force Pending Referrals | 79 | 35 | 12 | 500 | Text Domain Mismatch | ||
| #5280 | AffiliateWP – WooCommerce Redirect Affiliates | 79 | 27 | 7 | 1k+ | Text Domain Mismatch | ||
| #5281 | Alx Extensions | 79 | 113 | 4 | 8k+ | Text Domain Mismatch | ||
| #5282 | Import / Export Customizer Settings | 79 | 5 | 13 | 50k+ | Input is not sanitized | ||
| #5283 | Better Font Awesome | 79 | 6 | 9 | 70k+ | Input is not sanitized | ||
| #5284 | Blocks for Products | 79 | 18 | 13 | 400 | Non Singular String Literal Domain | ||
| #5285 | Bitly URL Shortener | 79 | 65 | 22 | 600 | Text Domain Mismatch | ||
| #5286 | Contact Form 7 Get and Show Parameter from URL | 79 | 3 | 10 | 800 | Input is not sanitized | ||
| #5287 | CoolClock – a Javascript Analog Clock | 79 | 21 | 9 | 2k+ | Output is not escaped | ||
| #5288 | Disable Theme and Plugin Auto-Update Emails | 79 | 21 | 5 | 10k+ | Text Domain Mismatch | ||
| #5289 | Display Post Metadata | 79 | 12 | 4 | 500 | Output is not escaped | ||
| #5290 | Grabber for QQWorld Auto Save Images | 79 | 17 | 3 | 600 | Non Singular String Literal Domain | ||
| #5291 | JSON API Auth | 79 | 5 | 11 | 700 | Non-prefixed function | ||
| #5292 | Klaviyo | 79 | 26 | 86 | 100k+ | Non-prefixed function | ||
| #5293 | Last Name First Name | 79 | 9 | 5 | 500 | Non-prefixed function | ||
| #5294 | Manage Privacy Options Page | 79 | 3 | 11 | 1k+ | Input is not validated | ||
| #5295 | Meks ThemeForest Smart Widget | 79 | 12 | 4 | 10k+ | Output is not escaped | ||
| #5296 | Weight/Country Shipping for WooCommerce | 79 | 10 | 2 | 900 | Unsafe printing function | ||
| #5297 | Popupsmart | 79 | 28 | 2 | 600 | Output is not escaped | ||
| #5298 | Qi Addons For Elementor | 79 | 33 | 339 | 200k+ | Non-prefixed global variable | ||
| #5299 | Flutterwave Payments | 79 | 8 | 39 | 600 | Non-prefixed global variable | ||
| #5300 | Real Category Management: Content Management in Category Folders | 79 | 4 | 73 | 2k+ | Non-prefixed constant |