missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5601 | Astra Widgets | 86 | 10 | 15 | 200k+ | Missing direct file access protection | ||
| #5602 | Blockly – Gutenberg Blocks | 86 | 6 | 17 | 600 | Non-prefixed constant | ||
| #5603 | Browser Screenshots | 86 | 15 | 3 | 3k+ | wp function not compatible with requires wp | ||
| #5604 | Catch Breadcrumb | 86 | 1 | 29 | 2k+ | Non-prefixed global variable | ||
| #5605 | CBX User Online & Last Login | 86 | 3 | 87 | 800 | Non-prefixed global variable | ||
| #5606 | CMB2 Field Type: Font Awesome | 86 | 10 | 1 | 400 | Offloaded Content | ||
| #5607 | Counters Block – Animated Number Counters, Stats & Dynamic KPIs | 86 | 5 | 14 | 3k+ | Missing direct file access protection | ||
| #5608 | Custom Content Width | 86 | 8 | 0 | 1k+ | Text Domain Mismatch | ||
| #5609 | Helpful – Article Feedback Plugin | 86 | 8 | 17 | 600 | Database parameter is not escaped | ||
| #5610 | Debug Bar Actions and Filters Addon | 86 | 6 | 4 | 400 | Forbidden PHP function found | ||
| #5611 | Eazy Under Construction | 86 | 82 | 0 | 600 | wp function not compatible with requires wp | ||
| #5612 | Twice Commerce – Easy Rental Booking System | 86 | 9 | 1 | 400 | Output is not escaped | ||
| #5613 | Extra Styling for MemberPress | 86 | 64 | 7 | 500 | Text Domain Mismatch | ||
| #5614 | Feed JSON | 86 | 9 | 15 | 500 | Non-prefixed global variable | ||
| #5615 | FormsCRM – Connect Forms to CRM directly | 86 | 5 | 8 | 1k+ | Missing direct file access protection | ||
| #5616 | GN Publisher: Google News Compatible RSS Feeds | 86 | 76 | 6 | 20k+ | wp function not compatible with requires wp | ||
| #5617 | Hotfix | 86 | 11 | 8 | 4k+ | Deprecated class: services_json | ||
| #5618 | HT Newsletter for Elementor | 86 | 53 | 3 | 700 | Text Domain Mismatch | ||
| #5619 | Getnet Argentina para WooCommerce | 86 | 14 | 9 | 500 | Text Domain Mismatch | ||
| #5620 | Latest Posts Block – Dynamic Posts Grid, Posts List, Posts Tile with Stunning Layouts for WordPress Blogs & Pages | 86 | 9 | 8 | 7k+ | Missing Version | ||
| #5621 | lazysizes | 86 | 12 | 3 | 600 | wp function not compatible with requires wp | ||
| #5622 | LWS Affiliation | 86 | 8 | 23 | 700 | Missing nonce verification | ||
| #5623 | Shoppable Images (Lookbook) for WooCommerce | 86 | 21 | 31 | 6k+ | Missing direct file access protection | ||
| #5624 | Magni Image Flip For WooCommerce | 86 | 24 | 8 | 700 | Text Domain Mismatch | ||
| #5625 | Mailchimp List Subscribe Form | 86 | 22 | 156 | 60k+ | Non-prefixed global variable | ||
| #5626 | Add post thumbnail to wp-admin list view | 86 | 5 | 5 | 400 | Nonce verification recommended | ||
| #5627 | Modern Cart – WooCommerce Side Cart & Popup Cart | 86 | 8 | 95 | 50k+ | Non-prefixed global variable | ||
| #5628 | Nice page transition | 86 | 4 | 12 | 1k+ | Direct Query | ||
| #5629 | NS Featured Posts | 86 | 2 | 15 | 4k+ | Nonce verification recommended | ||
| #5630 | AI for Home Services | 86 | 8 | 5 | 700 | Setting is missing a sanitization callback | ||
| #5631 | Ocean Product Sharing | 86 | 9 | 18 | 20k+ | Non-prefixed global variable | ||
| #5632 | PageView | 86 | 17 | 2 | 1k+ | wp function not compatible with requires wp | ||
| #5633 | Printus – Automatic Cloud Printing for WooCommerce | 86 | 28 | 20 | 800 | Missing Arg Domain | ||
| #5634 | Product Enquiry for WooCommerce (Now with AI Assistant) | 86 | 6 | 146 | 10k+ | Non-prefixed global variable | ||
| #5635 | ShopBuilder – WooCommerce Builder For Elementor | 86 | 9 | 414 | 10k+ | Non-prefixed global variable | ||
| #5636 | Social Divi | 86 | 15 | 8 | 1k+ | Missing direct file access protection | ||
| #5637 | Socials Ignited | 86 | 12 | 2 | 2k+ | Missing direct file access protection | ||
| #5638 | Subtitles | 86 | 4 | 9 | 3k+ | Non-prefixed hook name | ||
| #5639 | Thank you page viewer for Woocommerce | 86 | 6 | 3 | 500 | Output is not escaped | ||
| #5640 | Title Remover | 86 | 7 | 5 | 70k+ | wp function not compatible with requires wp | ||
| #5641 | Ultimate Markdown – Markdown Editor, Importer, & Exporter | 86 | 6 | 15 | 2k+ | Database parameter is not escaped | ||
| #5642 | Unlimited Theme Addon For Elementor | 86 | 74 | 68 | 600 | Missing direct file access protection | ||
| #5643 | Update Notifier | 86 | 8 | 1 | 700 | Output is not escaped | ||
| #5644 | Variation Swatches for WooCommerce – Color, Image & Size Swatches | 86 | 2 | 17 | 200k+ | Request data is not unslashed | ||
| #5645 | WC MyParcel Belgium | 86 | 340 | 79 | 600 | Text Domain Mismatch | ||
| #5646 | Microsoft Azure Storage for WordPress | 86 | 25 | 26 | 2k+ | Missing Translators Comment | ||
| #5647 | Custom Add To Cart Button for WooCommerce | 86 | 11 | 3 | 10k+ | Output is not escaped | ||
| #5648 | WordClever – AI Content Writer | 86 | 4 | 2 | 3k+ | Missing direct file access protection | ||
| #5649 | WP Consent API | 86 | 2 | 10 | 200k+ | Input is not sanitized | ||
| #5650 | WP Image Size Limit | 86 | 7 | 6 | 3k+ | Output is not escaped |