missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5451 | Testimonial Block | 82 | 13 | 12 | 500 | wp function not compatible with requires wp | ||
| #5452 | Unyson WooComerce Shortcodes | 82 | 117 | 11 | 1k+ | Text Domain Mismatch | ||
| #5453 | Visual Term Description Editor | 82 | 11 | 5 | 10k+ | Missing Arg Domain | ||
| #5454 | Wicked Block Conditions | 82 | 6 | 6 | 600 | Nonce verification recommended | ||
| #5455 | Extra Price Fields for Woocommerce- Display extra price info on Woocommerce products | 82 | 6 | 10 | 2k+ | Missing nonce verification | ||
| #5456 | WP Copy Content Protection | 82 | 7 | 6 | 600 | Output is not escaped | ||
| #5457 | Search Insights – Privacy-Friendly Search Analytics | 82 | 7 | 50 | 3k+ | Non-prefixed global variable | ||
| #5458 | The WP Remote WordPress Plugin | 82 | 51 | 24 | 30k+ | Missing direct file access protection | ||
| #5459 | Xpro Theme Builder For Elementor – FREE | 82 | 14 | 28 | 10k+ | Missing direct file access protection | ||
| #5460 | Flexible Content Extended for Advanced Custom Fields | 83 | 11 | 4 | 600 | Output is not escaped | ||
| #5461 | Add To Cart Button Customizations | 83 | 66 | 14 | 400 | Text Domain Mismatch | ||
| #5462 | Admin in English | 83 | 4 | 7 | 1k+ | Input is not sanitized | ||
| #5463 | Change WordPress Login Logo | 83 | 5 | 9 | 20k+ | Non-prefixed function | ||
| #5464 | Check Conflicts | 83 | 36 | 12 | 1k+ | Missing Arg Domain | ||
| #5465 | Code Click to Copy | 83 | 12 | 9 | 700 | Non-prefixed function | ||
| #5466 | Custom CSS and JS | 83 | 11 | 1 | 900 | Output is not escaped | ||
| #5467 | Easy Flash Embed | 83 | 9 | 1 | 900 | Output is not escaped | ||
| #5468 | Event Organiser Posterboard | 83 | 3 | 11 | 1k+ | Nonce verification recommended | ||
| #5469 | Export emails | 83 | 8 | 7 | 500 | Direct Query | ||
| #5470 | Featured Image Column | 83 | 12 | 2 | 2k+ | Output is not escaped | ||
| #5471 | GET Params | 83 | 3 | 8 | 1k+ | Nonce verification recommended | ||
| #5472 | Date Time Field Add-On for Gravity Form | 83 | 16 | 1 | 1k+ | Output is not escaped | ||
| #5473 | Starter Templates by Gradient Themes | 83 | 27 | 7 | 3k+ | Text Domain Mismatch | ||
| #5474 | HREFLANG Tags Management By Webnow | 83 | 2 | 34 | 600 | Non-prefixed global variable | ||
| #5475 | Login Logo | 83 | 10 | 0 | 40k+ | Output is not escaped | ||
| #5476 | Mailster SendGrid Integration | 83 | 23 | 3 | 1k+ | Missing Translators Comment | ||
| #5477 | Mammoth .docx converter | 83 | 11 | 0 | 20k+ | Output is not escaped | ||
| #5478 | Max upload filesize | 83 | 3 | 8 | 9k+ | Input is not validated | ||
| #5479 | Add menu separators to navigation | 83 | 8 | 7 | 900 | Non-prefixed hook name | ||
| #5480 | morkva UA Shipping | 83 | 1,261 | 10 | 1k+ | Text Domain Mismatch | ||
| #5481 | Mouseflow for WordPress | 83 | 9 | 8 | 7k+ | Output is not escaped | ||
| #5482 | NETSENSAI Shield | 83 | 10 | 16 | 1k+ | Nonce verification recommended | ||
| #5483 | oik-privacy-policy | 83 | 14 | 42 | 700 | No Html Wrapped Strings | ||
| #5484 | Optimize Images Resizing | 83 | 12 | 4 | 6k+ | Unsafe printing function | ||
| #5485 | PDF Generator for WordPress | 83 | 10 | 198 | 1k+ | Non-prefixed global variable | ||
| #5486 | Easy Photography Portfolio | 83 | 38 | 33 | 2k+ | Missing direct file access protection | ||
| #5487 | Photospace Responsive Gallery | 83 | 115 | 14 | 900 | Text Domain Mismatch | ||
| #5488 | PlugVersions – Easily roll back to previous versions of your plugins. | 83 | 9 | 6 | 1k+ | Request data is not unslashed | ||
| #5489 | Post Meta Inspector | 83 | 6 | 1 | 2k+ | Unsafe printing function | ||
| #5490 | Post Views for Jetpack | 83 | 12 | 3 | 1k+ | Output is not escaped | ||
| #5491 | Preserve Editor Scroll Position | 83 | 2 | 6 | 4k+ | Missing nonce verification | ||
| #5492 | Fixed Widget and Sticky Elements for WordPress | 83 | 7 | 13 | 80k+ | Non-prefixed global variable | ||
| #5493 | Relevanssi Light | 83 | 3 | 23 | 600 | Direct Query | ||
| #5494 | RumbleTalk Live Group Chat – HTML5 | 83 | 9 | 13 | 700 | Missing direct file access protection | ||
| #5495 | Lightweight Sidebar Manager | 83 | 13 | 36 | 80k+ | Non-prefixed class | ||
| #5496 | Simple Share Buttons Adder | 83 | 157 | 202 | 40k+ | Missing direct file access protection | ||
| #5497 | Smartslider | 83 | 13 | 0 | 600 | Output is not escaped | ||
| #5498 | Sticky Header by ThematoSoup | 83 | 20 | 5 | 1k+ | Non Singular String Literal Domain | ||
| #5499 | Swipe Slider – Make dynamic slider with solid, gradient, or image background | 83 | 2 | 15 | 3k+ | Non-prefixed global variable | ||
| #5500 | TCD Classic Editor | 83 | 1 | 11 | 5k+ | Nonce verification recommended |