missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#5601Astra Widgets861015200k+Missing direct file access protection
#5602Blockly – Gutenberg Blocks86617600Non-prefixed constant
#5603Browser Screenshots861533k+wp function not compatible with requires wp
#5604Catch Breadcrumb861292k+Non-prefixed global variable
#5605CBX User Online & Last Login86387800Non-prefixed global variable
#5606CMB2 Field Type: Font Awesome86101400Offloaded Content
#5607Counters Block – Animated Number Counters, Stats & Dynamic KPIs865143k+Missing direct file access protection
#5608Custom Content Width86801k+Text Domain Mismatch
#5609Helpful – Article Feedback Plugin86817600Database parameter is not escaped
#5610Debug Bar Actions and Filters Addon8664400Forbidden PHP function found
#5611Eazy Under Construction86820600wp function not compatible with requires wp
#5612Twice Commerce – Easy Rental Booking System8691400Output is not escaped
#5613Extra Styling for MemberPress86647500Text Domain Mismatch
#5614Feed JSON86915500Non-prefixed global variable
#5615FormsCRM – Connect Forms to CRM directly86581k+Missing direct file access protection
#5616GN Publisher: Google News Compatible RSS Feeds8676620k+wp function not compatible with requires wp
#5617Hotfix861184k+Deprecated class: services_json
#5618HT Newsletter for Elementor86533700Text Domain Mismatch
#5619Getnet Argentina para WooCommerce86149500Text Domain Mismatch
#5620Latest Posts Block – Dynamic Posts Grid, Posts List, Posts Tile with Stunning Layouts for WordPress Blogs & Pages86987k+Missing Version
#5621lazysizes86123600wp function not compatible with requires wp
#5622LWS Affiliation86823700Missing nonce verification
#5623Shoppable Images (Lookbook) for WooCommerce8621316k+Missing direct file access protection
#5624Magni Image Flip For WooCommerce86248700Text Domain Mismatch
#5625Mailchimp List Subscribe Form862215660k+Non-prefixed global variable
#5626Add post thumbnail to wp-admin list view8655400Nonce verification recommended
#5627Modern Cart – WooCommerce Side Cart & Popup Cart8689550k+Non-prefixed global variable
#5628Nice page transition864121k+Direct Query
#5629NS Featured Posts862154k+Nonce verification recommended
#5630AI for Home Services8685700Setting is missing a sanitization callback
#5631Ocean Product Sharing8691820k+Non-prefixed global variable
#5632PageView861721k+wp function not compatible with requires wp
#5633Printus – Automatic Cloud Printing for WooCommerce862820800Missing Arg Domain
#5634Product Enquiry for WooCommerce (Now with AI Assistant)86614610k+Non-prefixed global variable
#5635ShopBuilder – WooCommerce Builder For Elementor86941410k+Non-prefixed global variable
#5636Social Divi861581k+Missing direct file access protection
#5637Socials Ignited861222k+Missing direct file access protection
#5638Subtitles86493k+Non-prefixed hook name
#5639Thank you page viewer for Woocommerce8663500Output is not escaped
#5640Title Remover867570k+wp function not compatible with requires wp
#5641Ultimate Markdown – Markdown Editor, Importer, & Exporter866152k+Database parameter is not escaped
#5642Unlimited Theme Addon For Elementor867468600Missing direct file access protection
#5643Update Notifier8681700Output is not escaped
#5644Variation Swatches for WooCommerce – Color, Image & Size Swatches86217200k+Request data is not unslashed
#5645WC MyParcel Belgium8634079600Text Domain Mismatch
#5646Microsoft Azure Storage for WordPress8625262k+Missing Translators Comment
#5647Custom Add To Cart Button for WooCommerce8611310k+Output is not escaped
#5648WordClever – AI Content Writer86423k+Missing direct file access protection
#5649WP Consent API86210200k+Input is not sanitized
#5650WP Image Size Limit86763k+Output is not escaped