missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5701 | Cudazi Scroll to Top | 88 | 7 | 4 | 500 | Missing Version | ||
| #5702 | Custom Header Footer Scripts for Customizer | 88 | 6 | 5 | 2k+ | Non-prefixed function | ||
| #5703 | Duplicate Pages, Posts and CPT | 88 | 2 | 5 | 5k+ | Input is not sanitized | ||
| #5704 | Emoji Settings | 88 | 4 | 5 | 2k+ | Input is not sanitized | ||
| #5705 | 301 Redirects – Redirect Manager | 88 | 6 | 71 | 300k+ | Non-prefixed global variable | ||
| #5706 | AH Google Analytics Code | 88 | 6 | 2 | 500 | Output is not escaped | ||
| #5707 | Facebook Chat Plugin – Live Chat Plugin for WordPress | 88 | 7 | 8 | 80k+ | trademarked term | ||
| #5708 | Fancy Admin UI | 88 | 10 | 3 | 1k+ | Missing Version | ||
| #5709 | WP OPcache | 88 | 6 | 25 | 10k+ | Non-prefixed global variable | ||
| #5710 | Fourteen Colors | 88 | 16 | 1 | 8k+ | Text Domain Mismatch | ||
| #5711 | Generic Elements | 88 | 1,922 | 140 | 500 | Text Domain Mismatch | ||
| #5712 | Genesis Blocks | 88 | 154 | 9 | 40k+ | Offloaded Content | ||
| #5713 | G-Forms hCaptcha | 88 | 7 | 5 | 3k+ | Missing direct file access protection | ||
| #5714 | Hindi-To-Lat | 88 | 3 | 14 | 400 | Direct Query | ||
| #5715 | Image Hover Effects – WordPress Plugin | 88 | 2 | 5 | 3k+ | Input is not sanitized | ||
| #5716 | Import Markdown – Versatile Markdown Importer | 88 | 25 | 9 | 2k+ | Missing Arg Domain | ||
| #5717 | WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager | 88 | 27 | 33 | 3m+ | wp function not compatible with requires wp | ||
| #5718 | SimpleMaps | 88 | 81 | 19 | 600 | wp function not compatible with requires wp | ||
| #5719 | Live News – Responsive News Ticker | 88 | 9 | 9 | 2k+ | Database parameter is not escaped | ||
| #5720 | Minimal Coming Soon – Coming Soon Page | 88 | 7 | 143 | 100k+ | Non-prefixed global variable | ||
| #5721 | Modular Custom CSS | 88 | 7 | 1 | 400 | Output is not escaped | ||
| #5722 | mypace Custom Title Tag | 88 | 3 | 6 | 500 | Input is not sanitized | ||
| #5723 | Piotnet Addons For Elementor | 88 | 744 | 26 | 30k+ | Text Domain Mismatch | ||
| #5724 | Rel Nofollow | 88 | 9 | 1 | 700 | Missing Arg Domain | ||
| #5725 | WP REST API Meta Endpoints | 88 | 50 | 3 | 1k+ | Missing Arg Domain | ||
| #5726 | Scriptless Social Sharing | 88 | 8 | 9 | 10k+ | Missing direct file access protection | ||
| #5727 | Simple Custom CSS Plugin | 88 | 17 | 5 | 100k+ | wp function not compatible with requires wp | ||
| #5728 | SiteGround Email Marketing | 88 | 18 | 75 | 1k+ | Non-prefixed namespace | ||
| #5729 | SJ Cornerstone Addon | 88 | 57 | 0 | 400 | Text Domain Mismatch | ||
| #5730 | Smart Blocks – WordPress Gutenberg Blocks | 88 | 10 | 76 | 1k+ | Post Not In post not in | ||
| #5731 | Table Sorter | 88 | 4 | 5 | 6k+ | Not In Footer | ||
| #5732 | Text Unfold For Elementor | 88 | 122 | 0 | 3k+ | Text Domain Mismatch | ||
| #5733 | The Events Calendar: Category Colors | 88 | 18 | 42 | 5k+ | Non-prefixed global variable | ||
| #5734 | Transferito: WP Migration | 88 | 16 | 115 | 500 | Non-prefixed global variable | ||
| #5735 | Ukr-To-Lat | 88 | 3 | 13 | 5k+ | Direct Query | ||
| #5736 | WPBakery Page Builder Simple All Responsive | 88 | 4 | 6 | 1k+ | Missing direct file access protection | ||
| #5737 | FlexMeeting – Webinar & Meeting Plugin for Jitsi Meet | 88 | 6 | 18 | 1k+ | Nonce verification recommended | ||
| #5738 | Draft – Tailwind CSS for WordPress. | 88 | 10 | 5 | 600 | Text Domain Mismatch | ||
| #5739 | File Uploads Addon for WooCommerce | 88 | 8 | 15 | 5k+ | Missing direct file access protection | ||
| #5740 | Divi Carousel Free (Divi5 Support) | 88 | 268 | 26 | 30k+ | Text Domain Mismatch | ||
| #5741 | WP Insert Code | 88 | 6 | 4 | 1k+ | trademarked term | ||
| #5742 | WP jQuery Plus | 88 | 7 | 5 | 900 | trademarked term | ||
| #5743 | A Random Number | 89 | 3 | 5 | 800 | Non-prefixed function | ||
| #5744 | Better Variation Price for WooCommerce | 89 | 5 | 12 | 1k+ | Nonce verification recommended | ||
| #5745 | Bottom Admin Toolbar | 89 | 5 | 1 | 1k+ | Output is not escaped | ||
| #5746 | Breadcrumb Trail | 89 | 6 | 4 | 10k+ | Non-prefixed hook name | ||
| #5747 | CJdropshipping | 89 | 4 | 2 | 3k+ | Missing Arg Domain | ||
| #5748 | Clarity – Ad blocker for WordPress | 89 | 5 | 19 | 2k+ | Non-prefixed hook name | ||
| #5749 | Clear cache for Timber | 89 | 20 | 1 | 500 | wp function not compatible with requires wp | ||
| #5750 | Convert to Blocks | 89 | 2 | 11 | 2k+ | Non-prefixed hook name |