missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5351 | WP Delete User Accounts | 80 | 10 | 7 | 800 | Missing direct file access protection | ||
| #5352 | WP Social Ninja – Embed Social Feeds, User Reviews & Chat Widgets | 80 | 26 | 18 | 30k+ | Missing direct file access protection | ||
| #5353 | ActivityPub | 81 | 67 | 305 | 6k+ | Non-prefixed global variable | ||
| #5354 | AI | 81 | 11 | 79 | 30k+ | Non-prefixed global variable | ||
| #5355 | Folder Excluder for AIO WP Migration | 81 | 8 | 5 | 1k+ | Non-prefixed function | ||
| #5356 | Auto iFrame | 81 | 2 | 11 | 3k+ | Input is not sanitized | ||
| #5357 | Auto Post Expiration | 81 | 12 | 4 | 800 | Text Domain Mismatch | ||
| #5358 | Great Restaurant Menu WP | 81 | 89 | 100 | 1k+ | Text Domain Mismatch | ||
| #5359 | Ceylon Demo Installer | 81 | 11 | 9 | 400 | Non-prefixed function | ||
| #5360 | Cf7 Icons and Labels | 81 | 16 | 4 | 500 | Text Domain Mismatch | ||
| #5361 | Change Permalink Helper | 81 | 5 | 5 | 900 | Direct Query | ||
| #5362 | Checklist in Post | 81 | 14 | 7 | 400 | Missing Version | ||
| #5363 | Column Ordering For Elementor | 81 | 21 | 6 | 1k+ | Text Domain Mismatch | ||
| #5364 | cookie-cat | 81 | 14 | 27 | 1k+ | Non-prefixed function | ||
| #5365 | Countdown Block | 81 | 14 | 10 | 4k+ | wp function not compatible with requires wp | ||
| #5366 | Custom Login Css | 81 | 10 | 0 | 400 | Missing direct file access protection | ||
| #5367 | Disable Gutenberg Blocks – Block Manager | 81 | 6 | 10 | 3k+ | trademarked term | ||
| #5368 | eCommerce Shipping Dashboard by UPS for WooCommerce | 81 | 6 | 35 | 1k+ | Non-prefixed constant | ||
| #5369 | ElasticPress | 81 | 13 | 655 | 8k+ | Non-prefixed hook name | ||
| #5370 | External Thumbnail | 81 | 6 | 5 | 20k+ | Missing nonce verification | ||
| #5371 | Faster Pagination | 81 | 11 | 0 | 1k+ | Output is not escaped | ||
| #5372 | Fullwidth Templates for Any Theme & Page Builder | 81 | 12 | 23 | 20k+ | Non-prefixed constant | ||
| #5373 | Gravity Forms CLI Add-On | 81 | 31 | 4 | 20k+ | Missing direct file access protection | ||
| #5374 | GSheetConnector for Elementor Forms – Sync Elementor Forms to Google Sheets | 81 | 11 | 12 | 9k+ | Non-prefixed global variable | ||
| #5375 | GIFTiT – Free Gifts for WooCommerce | 81 | 43 | 357 | 2k+ | Non-prefixed global variable | ||
| #5376 | JivoChat Live Chat – WP live chat plugin for WordPress | 81 | 27 | 13 | 20k+ | wp function not compatible with requires wp | ||
| #5377 | LoftLoader | 81 | 17 | 19 | 70k+ | Missing direct file access protection | ||
| #5378 | Max Mega Menu – StoreFront Integration | 81 | 12 | 2 | 2k+ | Text Domain Mismatch | ||
| #5379 | Migrate Guru – Site Migration & Cloning | 81 | 7 | 8 | 200k+ | Database parameter is not escaped | ||
| #5380 | Nice Search | 81 | 4 | 5 | 900 | Input is not sanitized | ||
| #5381 | OG — Better Share on Social Media | 81 | 14 | 51 | 30k+ | Non-prefixed hook name | ||
| #5382 | Order Approval for Woocommerce | 81 | 3 | 208 | 1k+ | Non-prefixed global variable | ||
| #5383 | Page Excerpt | 81 | 11 | 1 | 3k+ | Missing Arg Domain | ||
| #5384 | Pagebar2 | 81 | 19 | 37 | 900 | Non-prefixed global variable | ||
| #5385 | Payfast Gateway for WooCommerce | 81 | 2 | 18 | 2k+ | Missing nonce verification | ||
| #5386 | Portfolio Block – The Ultimate Project & Portfolio Builder | 81 | 6 | 5 | 800 | Offloaded Content | ||
| #5387 | Post Type Archive Descriptions | 81 | 11 | 4 | 1k+ | Missing direct file access protection | ||
| #5388 | Price Table Block | 81 | 15 | 16 | 900 | file system operations mkdir | ||
| #5389 | Progress Bars | 81 | 15 | 14 | 500 | file system operations mkdir | ||
| #5390 | Recent Posts FlexSlider | 81 | 13 | 1 | 800 | Output is not escaped | ||
| #5391 | Redirect by Custom Field | 81 | 5 | 6 | 600 | Nonce verification recommended | ||
| #5392 | Select and Multi-Select Field for Contact Form 7 | 81 | 25 | 12 | 2k+ | Text Domain Mismatch | ||
| #5393 | Simple Page Redirect | 81 | 3 | 7 | 10k+ | Request data is not unslashed | ||
| #5394 | Simple Site Map Page | 81 | 9 | 1 | 4k+ | Output is not escaped | ||
| #5395 | Loops & Logic | 81 | 11 | 3 | 2k+ | Missing direct file access protection | ||
| #5396 | Team Member Block | 81 | 15 | 14 | 1k+ | file system operations mkdir | ||
| #5397 | Timed Content For Beaver Builder | 81 | 29 | 8 | 1k+ | date date | ||
| #5398 | Toggle Content | 81 | 16 | 12 | 700 | file system operations mkdir | ||
| #5399 | Typing Text | 81 | 15 | 16 | 600 | file system operations mkdir | ||
| #5400 | Appointment Bookings for Zoom GoogleMeet and more – Wappointment | 81 | 22 | 52 | 1k+ | Non-prefixed class |