missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5301 | Related Products Manager for WooCommerce | 79 | 9 | 43 | 1k+ | Non-prefixed global variable | ||
| #5302 | Remove Category URL – Remove 'category' base from category permalinks | 79 | 5 | 8 | 50k+ | Missing direct file access protection | ||
| #5303 | Remove noreferrer | 79 | 17 | 14 | 5k+ | Missing Arg Domain | ||
| #5304 | Responsive Mobile-Friendly Tooltip | 79 | 25 | 14 | 600 | Missing Arg Domain | ||
| #5305 | Retainful – WooCommerce Abandoned Cart, Newsletters, Email Marketing, Signup Forms and Automation | 79 | 15 | 26 | 1k+ | Non-prefixed hook name | ||
| #5306 | Search engines blocked warning | 79 | 20 | 3 | 500 | Output is not escaped | ||
| #5307 | Sellbrite | 79 | 18 | 4 | 500 | Short PHP open tag found | ||
| #5308 | SSH SFTP Updater Support | 79 | 6 | 31 | 10k+ | Non-prefixed global variable | ||
| #5309 | SureMail – SMTP and Email Logs Plugin with Amazon SES, Postmark, and Other Providers | 79 | 45 | 66 | 200k+ | Non-prefixed hook name | ||
| #5310 | Visual Editor Biography | 79 | 11 | 3 | 900 | Missing Arg Domain | ||
| #5311 | WooCommerce Grid / List toggle | 79 | 10 | 12 | 10k+ | Output is not escaped | ||
| #5312 | Notifima – WooCommerce Stock Manager, Inventory Management, Waitlist | 79 | 121 | 42 | 3k+ | Text Domain Mismatch | ||
| #5313 | WP Last Modified Info | 79 | 45 | 32 | 40k+ | Short PHP open tag found | ||
| #5314 | New Relic Reporting for WordPress | 79 | 4 | 16 | 600 | Nonce verification recommended | ||
| #5315 | WP Permastructure | 79 | 14 | 6 | 400 | Missing Arg Domain | ||
| #5316 | WP Referral Code | 79 | 18 | 19 | 600 | Missing direct file access protection | ||
| #5317 | WPMagPlus Companion | 79 | 104 | 16 | 700 | Text Domain Mismatch | ||
| #5318 | Яндекс Метрика | 79 | 10 | 4 | 10k+ | Unsafe printing function | ||
| #5319 | YITH Maintenance Mode | 79 | 19 | 63 | 5k+ | Non-prefixed global variable | ||
| #5320 | Elementor Blocks for Gutenberg | 80 | 7 | 6 | 10k+ | Output is not escaped | ||
| #5321 | Button | 80 | 65 | 28 | 2k+ | Text Domain Mismatch | ||
| #5322 | Buttons to Edit Next/Previous Post | 80 | 12 | 1 | 1k+ | Output is not escaped | ||
| #5323 | Interlinks Manager – Internal Links Optimizer | 80 | 17 | 13 | 7k+ | Database parameter is not escaped | ||
| #5324 | Docxpresso | 80 | 9 | 14 | 2k+ | Input is not sanitized | ||
| #5325 | Easy Charts | 80 | 13 | 28 | 1k+ | Non-prefixed global variable | ||
| #5326 | Extended Title Remover | 80 | 14 | 4 | 1k+ | wp function not compatible with requires wp | ||
| #5327 | Falang for Elementor Lite | 80 | 8 | 1 | 400 | Exception output is not escaped | ||
| #5328 | Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later | 80 | 21 | 25 | 800 | Non-prefixed global variable | ||
| #5329 | Flipbox | 80 | 14 | 17 | 2k+ | wp function not compatible with requires wp | ||
| #5330 | Headless Mode | 80 | 7 | 0 | 2k+ | Unsafe printing function | ||
| #5331 | Hizzle CAPTCHA – Protect your forms from spam | 80 | 4 | 27 | 500 | Non-prefixed global variable | ||
| #5332 | Image Captcha For Gravity Forms | 80 | 20 | 10 | 400 | Text Domain Mismatch | ||
| #5333 | Leadinfo | 80 | 11 | 8 | 7k+ | Missing direct file access protection | ||
| #5334 | Mu Manager – Manage mu-plugins like standard plugins | 80 | 21 | 18 | 800 | Missing Arg Domain | ||
| #5335 | Nudgify Social Proof | 80 | 3 | 12 | 500 | Discouraged PHP function | ||
| #5336 | Offcanvas Mobile Menu | 80 | 22 | 7 | 800 | Missing direct file access protection | ||
| #5337 | Oomph Hidden Tags | 80 | 13 | 2 | 400 | Missing Arg Domain | ||
| #5338 | Panda Video | 80 | 29 | 17 | 3k+ | Non-prefixed global variable | ||
| #5339 | Parallax Image | 80 | 6 | 1 | 2k+ | Missing direct file access protection | ||
| #5340 | Plugin Toggle | 80 | 2 | 12 | 500 | Nonce verification recommended | ||
| #5341 | Pro Mime Types – Manage file media types | 80 | 55 | 98 | 2k+ | Non-prefixed global variable | ||
| #5342 | Publish View | 80 | 12 | 6 | 500 | Missing nonce verification | ||
| #5343 | Quick Edit Yoast SEO | 80 | 5 | 12 | 900 | Request data is not unslashed | ||
| #5344 | RealHomes Currency Switcher | 80 | 71 | 42 | 1k+ | Non Singular String Literal Domain | ||
| #5345 | Rich Contact Widget | 80 | 13 | 2 | 9k+ | Output is not escaped | ||
| #5346 | Smart Passworded Pages | 80 | 11 | 8 | 2k+ | wp function not compatible with requires wp | ||
| #5347 | SteadFast API | 80 | 2 | 23 | 8k+ | Non-prefixed global variable | ||
| #5348 | Mini Cart Drawer For WooCommerce | 80 | 4 | 25 | 400 | Non-prefixed hook name | ||
| #5349 | Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce | 80 | 9 | 450 | 80k+ | Non-prefixed hook name | ||
| #5350 | Gift Wrapper for WooCommerce | 80 | 111 | 125 | 2k+ | Text Domain Mismatch |