missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5651 | WP Upload Restriction | 86 | 59 | 16 | 2k+ | Text Domain Mismatch | ||
| #5652 | WP101 Video Tutorial Plugin | 86 | 15 | 18 | 10k+ | Missing direct file access protection | ||
| #5653 | WPUpper Share Buttons | 86 | 4 | 74 | 4k+ | Dynamic hook name | ||
| #5654 | Яндекс Поделиться | 86 | 9 | 4 | 900 | Unsafe printing function | ||
| #5655 | bbPress Enable TinyMCE Visual Tab | 87 | 12 | 4 | 600 | Text Domain Mismatch | ||
| #5656 | Better Addons for Elementor | 87 | 125 | 221 | 4k+ | Non-prefixed global variable | ||
| #5657 | CF7 Google Captcha Load After Page | 87 | 7 | 2 | 2k+ | Output is not escaped | ||
| #5658 | Click To Tweet | 87 | 8 | 7 | 2k+ | trademarked term | ||
| #5659 | Cookie Notice lite | 87 | 3 | 1 | 400 | Missing direct file access protection | ||
| #5660 | SmartText Rotator – Add Motion to Your Words | 87 | 88 | 6 | 1k+ | Text Domain Mismatch | ||
| #5661 | Customizer Search | 87 | 10 | 1 | 50k+ | Missing direct file access protection | ||
| #5662 | Autolinks Manager – SEO Auto Linker | 87 | 7 | 16 | 1k+ | Database parameter is not escaped | ||
| #5663 | Disable User Password Reset Admin Notifications | 87 | 6 | 2 | 1k+ | Nonce verification recommended | ||
| #5664 | Donorbox – Free Recurring Donation Plugin and Fundraising Platform | 87 | 5 | 6 | 8k+ | Missing Arg Domain | ||
| #5665 | Farsi Font for Elementor | 87 | 11 | 2 | 1k+ | Missing Translators Comment | ||
| #5666 | Entry Expiration for Gravity Forms | 87 | 8 | 2 | 1k+ | Missing direct file access protection | ||
| #5667 | GTM Kit – Google Tag Manager & GA4 integration | 87 | 5 | 17 | 30k+ | Missing direct file access protection | ||
| #5668 | Simple Slider Block – Create Sliders From Core Blocks | 87 | 6 | 34 | 600 | Non-prefixed global variable | ||
| #5669 | I Recommend This – Love/Like Button for WordPress Posts | 87 | 3 | 49 | 5k+ | Direct Query | ||
| #5670 | ImageKit – URL based image manipulation and optimization | 87 | 47 | 42 | 1k+ | Non-prefixed global variable | ||
| #5671 | Last Modified Timestamp | 87 | 9 | 3 | 7k+ | Output is not escaped | ||
| #5672 | Livebeep – Chatbot, Live Chat, CRM & Digital Marketing | 87 | 7 | 4 | 400 | Output is not escaped | ||
| #5673 | Manage/View Your Posts Only | 87 | 5 | 3 | 400 | Input is not sanitized | ||
| #5674 | Minimum Purchase Amount For Woo Cart – For WooCommerce | 87 | 72 | 8 | 5k+ | Text Domain Mismatch | ||
| #5675 | NHS Blocks | 87 | 6 | 6 | 900 | Non-prefixed global variable | ||
| #5676 | No Category Base (WPML) | 87 | 5 | 5 | 100k+ | Missing direct file access protection | ||
| #5677 | Bulk Page Generator and Mass Page Builder – Page Generator | 87 | 26 | 87 | 4k+ | Non-prefixed global variable | ||
| #5678 | Parallax Section Block – Add Parallax Scrolling Effects to Sections. | 87 | 3 | 22 | 3k+ | Non-prefixed global variable | ||
| #5679 | ParcelWILL (Formerly ParcelPanel) – Shipment Tracking, Tracking & Order Tracking for WooCommerce | 87 | 6 | 81 | 7k+ | Non-prefixed global variable | ||
| #5680 | Recently Viewed Products for WooCommerce – Carousel, Widget, Block & Email | 87 | 2 | 18 | 1k+ | Database parameter is not escaped | ||
| #5681 | Review widget addon for Divi | 87 | 20 | 3 | 500 | Text Domain Mismatch | ||
| #5682 | Simple Catalog for WooCommerce | 87 | 2 | 4 | 1k+ | wp redirect wp redirect | ||
| #5683 | Simple Footnotes | 87 | 11 | 1 | 600 | wp function not compatible with requires wp | ||
| #5684 | Simple Photo Feed | 87 | 4 | 48 | 1k+ | Non-prefixed global variable | ||
| #5685 | Slide-out Menu – Mobile Friendly modern navigation | 87 | 5 | 22 | 500 | Non-prefixed global variable | ||
| #5686 | Slug or PostID | 87 | 3 | 4 | 600 | Missing nonce verification | ||
| #5687 | Variations as Single Product – Display Single Variation for WooCommerce | 87 | 8 | 33 | 1k+ | Direct Query | ||
| #5688 | WebPlus Gateway for LiqPay on WooCommerce | 87 | 45 | 5 | 1k+ | wp function not compatible with requires wp | ||
| #5689 | Wider Gravity Forms Stop Entries | 87 | 22 | 0 | 600 | Text Domain Mismatch | ||
| #5690 | WP Admin Basic Auth | 87 | 5 | 6 | 2k+ | Input is not sanitized | ||
| #5691 | WP Missed Schedule Posts | 87 | 7 | 9 | 10k+ | trademarked term | ||
| #5692 | ZI Hide price and add to cart for WooCommerce | 87 | 15 | 7 | 1k+ | wp function not compatible with requires wp | ||
| #5693 | Add URL Slugs as Body Classes | 88 | 4 | 3 | 700 | Input is not sanitized | ||
| #5694 | Advanced Sitemap Generator | 88 | 5 | 5 | 400 | Discouraged PHP function | ||
| #5695 | Ample Themes Demo Importer | 88 | 135 | 13 | 600 | Text Domain Mismatch | ||
| #5696 | Worldline Online Checkout | 88 | 4 | 16 | 1k+ | Nonce verification recommended | ||
| #5697 | Block Editor Colors | 88 | 23 | 9 | 3k+ | Missing Arg Domain | ||
| #5698 | Blogify-AI | 88 | 6 | 12 | 400 | Non-prefixed global variable | ||
| #5699 | Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More | 88 | 20 | 116 | 40k+ | Non-prefixed hook name | ||
| #5700 | CPO Content Types | 88 | 13 | 25 | 3k+ | Missing direct file access protection |