missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#5451Testimonial Block821312500wp function not compatible with requires wp
#5452Unyson WooComerce Shortcodes82117111k+Text Domain Mismatch
#5453Visual Term Description Editor8211510k+Missing Arg Domain
#5454Wicked Block Conditions8266600Nonce verification recommended
#5455Extra Price Fields for Woocommerce- Display extra price info on Woocommerce products826102k+Missing nonce verification
#5456WP Copy Content Protection8276600Output is not escaped
#5457Search Insights – Privacy-Friendly Search Analytics827503k+Non-prefixed global variable
#5458The WP Remote WordPress Plugin82512430k+Missing direct file access protection
#5459Xpro Theme Builder For Elementor – FREE82142810k+Missing direct file access protection
#5460Flexible Content Extended for Advanced Custom Fields83114600Output is not escaped
#5461Add To Cart Button Customizations836614400Text Domain Mismatch
#5462Admin in English83471k+Input is not sanitized
#5463Change WordPress Login Logo835920k+Non-prefixed function
#5464Check Conflicts8336121k+Missing Arg Domain
#5465Code Click to Copy83129700Non-prefixed function
#5466Custom CSS and JS83111900Output is not escaped
#5467Easy Flash Embed8391900Output is not escaped
#5468Event Organiser Posterboard833111k+Nonce verification recommended
#5469Export emails8387500Direct Query
#5470Featured Image Column831222k+Output is not escaped
#5471GET Params83381k+Nonce verification recommended
#5472Date Time Field Add-On for Gravity Form831611k+Output is not escaped
#5473Starter Templates by Gradient Themes832773k+Text Domain Mismatch
#5474HREFLANG Tags Management By Webnow83234600Non-prefixed global variable
#5475Login Logo8310040k+Output is not escaped
#5476Mailster SendGrid Integration832331k+Missing Translators Comment
#5477Mammoth .docx converter8311020k+Output is not escaped
#5478Max upload filesize83389k+Input is not validated
#5479Add menu separators to navigation8387900Non-prefixed hook name
#5480morkva UA Shipping831,261101k+Text Domain Mismatch
#5481Mouseflow for WordPress83987k+Output is not escaped
#5482NETSENSAI Shield8310161k+Nonce verification recommended
#5483oik-privacy-policy831442700No Html Wrapped Strings
#5484Optimize Images Resizing831246k+Unsafe printing function
#5485PDF Generator for WordPress83101981k+Non-prefixed global variable
#5486Easy Photography Portfolio8338332k+Missing direct file access protection
#5487Photospace Responsive Gallery8311514900Text Domain Mismatch
#5488PlugVersions – Easily roll back to previous versions of your plugins.83961k+Request data is not unslashed
#5489Post Meta Inspector83612k+Unsafe printing function
#5490Post Views for Jetpack831231k+Output is not escaped
#5491Preserve Editor Scroll Position83264k+Missing nonce verification
#5492Fixed Widget and Sticky Elements for WordPress8371380k+Non-prefixed global variable
#5493Relevanssi Light83323600Direct Query
#5494RumbleTalk Live Group Chat – HTML583913700Missing direct file access protection
#5495Lightweight Sidebar Manager83133680k+Non-prefixed class
#5496Simple Share Buttons Adder8315720240k+Missing direct file access protection
#5497Smartslider83130600Output is not escaped
#5498Sticky Header by ThematoSoup832051k+Non Singular String Literal Domain
#5499Swipe Slider – Make dynamic slider with solid, gradient, or image background832153k+Non-prefixed global variable
#5500TCD Classic Editor831115k+Nonce verification recommended