missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#5301Related Products Manager for WooCommerce799431k+Non-prefixed global variable
#5302Remove Category URL – Remove 'category' base from category permalinks795850k+Missing direct file access protection
#5303Remove noreferrer7917145k+Missing Arg Domain
#5304Responsive Mobile-Friendly Tooltip792514600Missing Arg Domain
#5305Retainful – WooCommerce Abandoned Cart, Newsletters, Email Marketing, Signup Forms and Automation7915261k+Non-prefixed hook name
#5306Search engines blocked warning79203500Output is not escaped
#5307Sellbrite79184500Short PHP open tag found
#5308SSH SFTP Updater Support7963110k+Non-prefixed global variable
#5309SureMail – SMTP and Email Logs Plugin with Amazon SES, Postmark, and Other Providers794566200k+Non-prefixed hook name
#5310Visual Editor Biography79113900Missing Arg Domain
#5311WooCommerce Grid / List toggle79101210k+Output is not escaped
#5312Notifima – WooCommerce Stock Manager, Inventory Management, Waitlist79121423k+Text Domain Mismatch
#5313WP Last Modified Info79453240k+Short PHP open tag found
#5314New Relic Reporting for WordPress79416600Nonce verification recommended
#5315WP Permastructure79146400Missing Arg Domain
#5316WP Referral Code791819600Missing direct file access protection
#5317WPMagPlus Companion7910416700Text Domain Mismatch
#5318Яндекс Метрика7910410k+Unsafe printing function
#5319YITH Maintenance Mode7919635k+Non-prefixed global variable
#5320Elementor Blocks for Gutenberg807610k+Output is not escaped
#5321Button8065282k+Text Domain Mismatch
#5322Buttons to Edit Next/Previous Post801211k+Output is not escaped
#5323Interlinks Manager – Internal Links Optimizer8017137k+Database parameter is not escaped
#5324Docxpresso809142k+Input is not sanitized
#5325Easy Charts8013281k+Non-prefixed global variable
#5326Extended Title Remover801441k+wp function not compatible with requires wp
#5327Falang for Elementor Lite8081400Exception output is not escaped
#5328Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later802125800Non-prefixed global variable
#5329Flipbox8014172k+wp function not compatible with requires wp
#5330Headless Mode80702k+Unsafe printing function
#5331Hizzle CAPTCHA – Protect your forms from spam80427500Non-prefixed global variable
#5332Image Captcha For Gravity Forms802010400Text Domain Mismatch
#5333Leadinfo801187k+Missing direct file access protection
#5334Mu Manager – Manage mu-plugins like standard plugins802118800Missing Arg Domain
#5335Nudgify Social Proof80312500Discouraged PHP function
#5336Offcanvas Mobile Menu80227800Missing direct file access protection
#5337Oomph Hidden Tags80132400Missing Arg Domain
#5338Panda Video8029173k+Non-prefixed global variable
#5339Parallax Image80612k+Missing direct file access protection
#5340Plugin Toggle80212500Nonce verification recommended
#5341Pro Mime Types – Manage file media types8055982k+Non-prefixed global variable
#5342Publish View80126500Missing nonce verification
#5343Quick Edit Yoast SEO80512900Request data is not unslashed
#5344RealHomes Currency Switcher8071421k+Non Singular String Literal Domain
#5345Rich Contact Widget801329k+Output is not escaped
#5346Smart Passworded Pages801182k+wp function not compatible with requires wp
#5347SteadFast API802238k+Non-prefixed global variable
#5348Mini Cart Drawer For WooCommerce80425400Non-prefixed hook name
#5349Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce80945080k+Non-prefixed hook name
#5350Gift Wrapper for WooCommerce801111252k+Text Domain Mismatch