missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5551 | Auto Subpage Menu | 85 | 5 | 6 | 800 | Database parameter is not escaped | ||
| #5552 | Backlinks Saver | 85 | 3 | 5 | 3k+ | Deprecated parameter value found | ||
| #5553 | Popups – Submission Messages For Contact Form 7 | 85 | 2 | 7 | 3k+ | Input is not sanitized | ||
| #5554 | Fetchify | 85 | 154 | 19 | 600 | Text Domain Mismatch | ||
| #5555 | Comments Import & Export | 85 | 112 | 9 | 2k+ | wp function not compatible with requires wp | ||
| #5556 | Country Dropdown For Contact Form 7 | 85 | 17 | 4 | 800 | Text Domain Mismatch | ||
| #5557 | Custom Classes | 85 | 5 | 8 | 2k+ | Request data is not unslashed | ||
| #5558 | DCO Comment Attachment | 85 | 5 | 5 | 5k+ | Missing nonce verification | ||
| #5559 | Easy UTM Tracking with Contact Form 7 | 85 | 3 | 10 | 2k+ | Input is not validated | ||
| #5560 | reCaptcha Add-On for FormCraft | 85 | 4 | 16 | 7k+ | Missing Version | ||
| #5561 | GamiPress – Leaderboards Include/Exclude Users | 85 | 11 | 3 | 400 | Output is not escaped | ||
| #5562 | GazChap's WooCommerce Auto Category Product Thumbnails | 85 | 4 | 8 | 1k+ | trademarked term | ||
| #5563 | Genesis Easy Columns | 85 | 8 | 1 | 2k+ | Missing direct file access protection | ||
| #5564 | Hello Dolly | 85 | 9 | 2 | 600k+ | Output is not escaped | ||
| #5565 | Hide Any Page | 85 | 8 | 2 | 500 | Output is not escaped | ||
| #5566 | HSTS Ready | 85 | 3 | 11 | 3k+ | Input is not validated | ||
| #5567 | Madquick WP Legal Pages – One Click, 100% Free | 85 | 5 | 55 | 600 | Non-prefixed global variable | ||
| #5568 | Marquee Running Text | 85 | 11 | 7 | 5k+ | Missing direct file access protection | ||
| #5569 | MD5 Media Renamer | 85 | 8 | 19 | 400 | Non-prefixed global variable | ||
| #5570 | No External Links | 85 | 7 | 26 | 5k+ | Database parameter is not escaped | ||
| #5571 | News Element Elementor Blog Magazine | 85 | 174 | 695 | 400 | Non-prefixed global variable | ||
| #5572 | Payment Integration Wompi | 85 | 44 | 11 | 1k+ | Missing Arg Domain | ||
| #5573 | PlayerJS – Free Custom HTML5 Video and Audio Player Builder | 85 | 1 | 13 | 1k+ | Missing Version | ||
| #5574 | Popup Message Notifier for Contact Form 7 | 85 | 17 | 2 | 1k+ | Short PHP open tag found | ||
| #5575 | Portfolios | 85 | 10 | 2 | 700 | Output is not escaped | ||
| #5576 | Power Captcha reCAPTCHA | 85 | 4 | 7 | 1k+ | Database parameter is not escaped | ||
| #5577 | Pronamic Google Maps | 85 | 24 | 18 | 1k+ | Non-prefixed global variable | ||
| #5578 | LocaliQ – Tracking Code | 85 | 11 | 11 | 2k+ | Non-prefixed function | ||
| #5579 | Referrer Input for Contact Form 7 | 85 | 39 | 2 | 500 | wp function not compatible with requires wp | ||
| #5580 | Remove Footer Credit | 85 | 7 | 31 | 70k+ | Non-prefixed global variable | ||
| #5581 | Review widget addon for Elementor | 85 | 8 | 9 | 1k+ | Non-prefixed function | ||
| #5582 | Smoothscroller | 85 | 9 | 2 | 500 | Output is not escaped | ||
| #5583 | States, Cities, and Places for WooCommerce | 85 | 101 | 192 | 6k+ | Non-prefixed global variable | ||
| #5584 | Stock market charts from finviz | 85 | 8 | 1 | 400 | Missing Arg Domain | ||
| #5585 | The Excerpt re-reloaded | 85 | 7 | 0 | 600 | Output is not escaped | ||
| #5586 | TinyMCE Color Picker | 85 | 2 | 7 | 1k+ | Input is not sanitized | ||
| #5587 | Vanilla PDF Embed | 85 | 8 | 3 | 3k+ | parse url parse url | ||
| #5588 | VK Blocks | 85 | 79 | 4 | 100k+ | Missing direct file access protection | ||
| #5589 | Widget CSS Classes | 85 | 47 | 8 | 80k+ | Non Singular String Literal Domain | ||
| #5590 | Free Shipping Per Product for WooCommerce | 85 | 21 | 3 | 3k+ | Text Domain Mismatch | ||
| #5591 | All Currencies for WooCommerce | 85 | 17 | 3 | 1k+ | Missing Translators Comment | ||
| #5592 | WP fail2ban Add-on for Contact Form 7 | 85 | 10 | 18 | 800 | Non-prefixed constant | ||
| #5593 | WP fail2ban Add-on for Gravity Forms | 85 | 10 | 18 | 600 | Non-prefixed constant | ||
| #5594 | WP Protect Content | 85 | 7 | 7 | 1k+ | Output is not escaped | ||
| #5595 | WP Revisions Control | 85 | 9 | 6 | 40k+ | wp function not compatible with requires wp | ||
| #5596 | Yuma Companion | 85 | 10 | 7 | 400 | Missing direct file access protection | ||
| #5597 | Zoho Forms – Drag & Drop Form Builder for Websites – Contact Forms, Payment Forms, Order Forms & More | 85 | 16 | 2 | 10k+ | Non Enqueued Script | ||
| #5598 | Featured image to All-Posts | 86 | 6 | 5 | 400 | Nonce verification recommended | ||
| #5599 | Advanced Queries | 86 | 6 | 11 | 10k+ | Non-prefixed constant | ||
| #5600 | AM LottiePlayer | 86 | 5 | 12 | 800 | Non-prefixed global variable |