missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5401 | Free Shipping Bar for WooCommerce | 81 | 5 | 21 | 2k+ | Non-prefixed global variable | ||
| #5402 | Bulk Order Form for WooCommerce | 81 | 8 | 98 | 900 | Non-prefixed hook name | ||
| #5403 | Require Login | 81 | 9 | 12 | 500 | Non-prefixed function | ||
| #5404 | WP Subtitle | 81 | 7 | 33 | 10k+ | Non-prefixed hook name | ||
| #5405 | Accordion Toggle | 82 | 17 | 11 | 2k+ | Non-prefixed class | ||
| #5406 | Add New Default Avatar | 82 | 21 | 0 | 500 | Output is not escaped | ||
| #5407 | Admin Collapse Subpages | 82 | 4 | 12 | 4k+ | Nonce verification recommended | ||
| #5408 | Advance Canonical URL | 82 | 3 | 10 | 1k+ | Input is not validated | ||
| #5409 | Agent Image News | 82 | 11 | 1 | 2k+ | Output is not escaped | ||
| #5410 | Block AI Crawlers | 82 | 22 | 36 | 1k+ | Non-prefixed global variable | ||
| #5411 | BlogVault Backup & Staging | 82 | 53 | 22 | 80k+ | Missing direct file access protection | ||
| #5412 | Cloudways WordPress Migrator | 82 | 6 | 9 | 20k+ | Database parameter is not escaped | ||
| #5413 | Catch Gallery | 82 | 1 | 35 | 10k+ | Non-prefixed hook name | ||
| #5414 | Colibri Page Builder | 82 | 138 | 31 | 90k+ | Missing direct file access protection | ||
| #5415 | Custom 404 Error Page | 82 | 12 | 3 | 1k+ | Text Domain Mismatch | ||
| #5416 | Timber Debug Bar | 82 | 12 | 0 | 600 | Output is not escaped | ||
| #5417 | Editor Blocks for Gutenberg | 82 | 6 | 8 | 700 | Missing direct file access protection | ||
| #5418 | Genesis eNews Extended | 82 | 9 | 1 | 40k+ | Output is not escaped | ||
| #5419 | Easy Genesis Logo Uploader | 82 | 18 | 5 | 400 | Output is not escaped | ||
| #5420 | Hostinger Tools | 82 | 13 | 22 | 3m+ | wp function not compatible with requires wp | ||
| #5421 | Iknow Extra | 82 | 6 | 5 | 400 | Missing direct file access protection | ||
| #5422 | Image Gallery Block | 82 | 13 | 10 | 3k+ | wp function not compatible with requires wp | ||
| #5423 | Independent Analytics for MainWP | 82 | 7 | 13 | 700 | Nonce verification recommended | ||
| #5424 | Infobox | 82 | 15 | 12 | 1k+ | file system operations mkdir | ||
| #5425 | Japanese Proofreading Preview | 82 | 11 | 5 | 400 | Nonce verification recommended | ||
| #5426 | Link Juice Optimizer | 82 | 12 | 6 | 6k+ | Output is not escaped | ||
| #5427 | MalCare WordPress Security Plugin – Malware Scanner, Cleaner, Security Firewall | 82 | 55 | 22 | 200k+ | Missing direct file access protection | ||
| #5428 | Meks Smart Social Widget | 82 | 10 | 2 | 10k+ | Output is not escaped | ||
| #5429 | Metricool – Social media and site statistics | 82 | 9 | 4 | 80k+ | Exception output is not escaped | ||
| #5430 | Multiple Form Instances Add-on for Gravity Forms | 82 | 5 | 5 | 800 | Missing direct file access protection | ||
| #5431 | MyBookTable Bookstore by Stormhill Media | 82 | 16 | 34 | 1k+ | Direct Query | ||
| #5432 | mypace Custom Meta Robots | 82 | 4 | 6 | 2k+ | Input is not sanitized | ||
| #5433 | Parallax Slider Block | 82 | 15 | 12 | 900 | file system operations mkdir | ||
| #5434 | Preferred Languages | 82 | 3 | 6 | 2k+ | Input is not sanitized | ||
| #5435 | Property Hive Rental Yield Calculator | 82 | 16 | 2 | 400 | Text Domain Mismatch | ||
| #5436 | Regenerate Thumbnails | 82 | 10 | 9 | 1m+ | Direct Query | ||
| #5437 | WordPress REST API (Version 2) | 82 | 476 | 13 | 10k+ | Missing Arg Domain | ||
| #5438 | Seriously Simple Transcripts | 82 | 35 | 3 | 900 | Text Domain Mismatch | ||
| #5439 | Simple ads.txt | 82 | 8 | 6 | 1k+ | Missing direct file access protection | ||
| #5440 | Simple Page Ordering | 82 | 11 | 9 | 100k+ | Missing Arg Domain | ||
| #5441 | SiteNarrator Text-to-Speech Widget | 82 | 12 | 4 | 800 | Output is not escaped | ||
| #5442 | Image Slider Block | 82 | 13 | 14 | 3k+ | wp function not compatible with requires wp | ||
| #5443 | SmartVideo – Video Player and CDN | 82 | 366 | 49 | 1k+ | Text Domain Mismatch | ||
| #5444 | SnapWidget Social Photo Feed Widget | 82 | 9 | 9 | 600 | Output is not escaped | ||
| #5445 | Sticky Content – Make Any Section Sticky on Scroll | 82 | 24 | 9 | 400 | Text Domain Mismatch | ||
| #5446 | Stop Emails | 82 | 9 | 3 | 5k+ | Missing direct file access protection | ||
| #5447 | Sucuri Security – Auditing, Malware Scanner and Security Hardening | 82 | 51 | 11 | 600k+ | Missing direct file access protection | ||
| #5448 | Super Web Share – Native Social Sharing Button | 82 | 24 | 19 | 2k+ | Non-prefixed function | ||
| #5449 | Tabs in Post Editor | 82 | 4 | 7 | 500 | Input is not validated | ||
| #5450 | Tasty Recipes Lite | 82 | 7 | 66 | 2k+ | Non-prefixed global variable |