missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#5651WP Upload Restriction8659162k+Text Domain Mismatch
#5652WP101 Video Tutorial Plugin86151810k+Missing direct file access protection
#5653WPUpper Share Buttons864744k+Dynamic hook name
#5654Яндекс Поделиться8694900Unsafe printing function
#5655bbPress Enable TinyMCE Visual Tab87124600Text Domain Mismatch
#5656Better Addons for Elementor871252214k+Non-prefixed global variable
#5657CF7 Google Captcha Load After Page87722k+Output is not escaped
#5658Click To Tweet87872k+trademarked term
#5659Cookie Notice lite8731400Missing direct file access protection
#5660SmartText Rotator – Add Motion to Your Words878861k+Text Domain Mismatch
#5661Customizer Search8710150k+Missing direct file access protection
#5662Autolinks Manager – SEO Auto Linker877161k+Database parameter is not escaped
#5663Disable User Password Reset Admin Notifications87621k+Nonce verification recommended
#5664Donorbox – Free Recurring Donation Plugin and Fundraising Platform87568k+Missing Arg Domain
#5665Farsi Font for Elementor871121k+Missing Translators Comment
#5666Entry Expiration for Gravity Forms87821k+Missing direct file access protection
#5667GTM Kit – Google Tag Manager & GA4 integration8751730k+Missing direct file access protection
#5668Simple Slider Block – Create Sliders From Core Blocks87634600Non-prefixed global variable
#5669I Recommend This – Love/Like Button for WordPress Posts873495k+Direct Query
#5670ImageKit – URL based image manipulation and optimization8747421k+Non-prefixed global variable
#5671Last Modified Timestamp87937k+Output is not escaped
#5672Livebeep – Chatbot, Live Chat, CRM & Digital Marketing8774400Output is not escaped
#5673Manage/View Your Posts Only8753400Input is not sanitized
#5674Minimum Purchase Amount For Woo Cart – For WooCommerce877285k+Text Domain Mismatch
#5675NHS Blocks8766900Non-prefixed global variable
#5676No Category Base (WPML)8755100k+Missing direct file access protection
#5677Bulk Page Generator and Mass Page Builder – Page Generator8726874k+Non-prefixed global variable
#5678Parallax Section Block – Add Parallax Scrolling Effects to Sections.873223k+Non-prefixed global variable
#5679ParcelWILL (Formerly ParcelPanel) – Shipment Tracking, Tracking & Order Tracking for WooCommerce876817k+Non-prefixed global variable
#5680Recently Viewed Products for WooCommerce – Carousel, Widget, Block & Email872181k+Database parameter is not escaped
#5681Review widget addon for Divi87203500Text Domain Mismatch
#5682Simple Catalog for WooCommerce87241k+wp redirect wp redirect
#5683Simple Footnotes87111600wp function not compatible with requires wp
#5684Simple Photo Feed874481k+Non-prefixed global variable
#5685Slide-out Menu – Mobile Friendly modern navigation87522500Non-prefixed global variable
#5686Slug or PostID8734600Missing nonce verification
#5687Variations as Single Product – Display Single Variation for WooCommerce878331k+Direct Query
#5688WebPlus Gateway for LiqPay on WooCommerce874551k+wp function not compatible with requires wp
#5689Wider Gravity Forms Stop Entries87220600Text Domain Mismatch
#5690WP Admin Basic Auth87562k+Input is not sanitized
#5691WP Missed Schedule Posts877910k+trademarked term
#5692ZI Hide price and add to cart for WooCommerce871571k+wp function not compatible with requires wp
#5693Add URL Slugs as Body Classes8843700Input is not sanitized
#5694Advanced Sitemap Generator8855400Discouraged PHP function
#5695Ample Themes Demo Importer8813513600Text Domain Mismatch
#5696Worldline Online Checkout884161k+Nonce verification recommended
#5697Block Editor Colors882393k+Missing Arg Domain
#5698Blogify-AI88612400Non-prefixed global variable
#5699Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More882011640k+Non-prefixed hook name
#5700CPO Content Types8813253k+Missing direct file access protection