missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#5401Free Shipping Bar for WooCommerce815212k+Non-prefixed global variable
#5402Bulk Order Form for WooCommerce81898900Non-prefixed hook name
#5403Require Login81912500Non-prefixed function
#5404WP Subtitle8173310k+Non-prefixed hook name
#5405Accordion Toggle8217112k+Non-prefixed class
#5406Add New Default Avatar82210500Output is not escaped
#5407Admin Collapse Subpages824124k+Nonce verification recommended
#5408Advance Canonical URL823101k+Input is not validated
#5409Agent Image News821112k+Output is not escaped
#5410Block AI Crawlers8222361k+Non-prefixed global variable
#5411BlogVault Backup & Staging82532280k+Missing direct file access protection
#5412Cloudways WordPress Migrator826920k+Database parameter is not escaped
#5413Catch Gallery8213510k+Non-prefixed hook name
#5414Colibri Page Builder821383190k+Missing direct file access protection
#5415Custom 404 Error Page821231k+Text Domain Mismatch
#5416Timber Debug Bar82120600Output is not escaped
#5417Editor Blocks for Gutenberg8268700Missing direct file access protection
#5418Genesis eNews Extended829140k+Output is not escaped
#5419Easy Genesis Logo Uploader82185400Output is not escaped
#5420Hostinger Tools8213223m+wp function not compatible with requires wp
#5421Iknow Extra8265400Missing direct file access protection
#5422Image Gallery Block8213103k+wp function not compatible with requires wp
#5423Independent Analytics for MainWP82713700Nonce verification recommended
#5424Infobox8215121k+file system operations mkdir
#5425Japanese Proofreading Preview82115400Nonce verification recommended
#5426Link Juice Optimizer821266k+Output is not escaped
#5427MalCare WordPress Security Plugin – Malware Scanner, Cleaner, Security Firewall825522200k+Missing direct file access protection
#5428Meks Smart Social Widget8210210k+Output is not escaped
#5429Metricool – Social media and site statistics829480k+Exception output is not escaped
#5430Multiple Form Instances Add-on for Gravity Forms8255800Missing direct file access protection
#5431MyBookTable Bookstore by Stormhill Media8216341k+Direct Query
#5432mypace Custom Meta Robots82462k+Input is not sanitized
#5433Parallax Slider Block821512900file system operations mkdir
#5434Preferred Languages82362k+Input is not sanitized
#5435Property Hive Rental Yield Calculator82162400Text Domain Mismatch
#5436Regenerate Thumbnails821091m+Direct Query
#5437WordPress REST API (Version 2)824761310k+Missing Arg Domain
#5438Seriously Simple Transcripts82353900Text Domain Mismatch
#5439Simple ads.txt82861k+Missing direct file access protection
#5440Simple Page Ordering82119100k+Missing Arg Domain
#5441SiteNarrator Text-to-Speech Widget82124800Output is not escaped
#5442Image Slider Block8213143k+wp function not compatible with requires wp
#5443SmartVideo – Video Player and CDN82366491k+Text Domain Mismatch
#5444SnapWidget Social Photo Feed Widget8299600Output is not escaped
#5445Sticky Content – Make Any Section Sticky on Scroll82249400Text Domain Mismatch
#5446Stop Emails82935k+Missing direct file access protection
#5447Sucuri Security – Auditing, Malware Scanner and Security Hardening825111600k+Missing direct file access protection
#5448Super Web Share – Native Social Sharing Button8224192k+Non-prefixed function
#5449Tabs in Post Editor8247500Input is not validated
#5450Tasty Recipes Lite827662k+Non-prefixed global variable