missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5801 | Content Anchor Links | 90 | 6 | 5 | 1k+ | Non-prefixed hook name | ||
| #5802 | Continue Shopping Anywhere for WooCommerce | 90 | 21 | 10 | 700 | Text Domain Mismatch | ||
| #5803 | CookiePro | Simplify Compliance with GDPR & EU Cookie Laws | 90 | 37 | 5 | 1k+ | Missing Arg Domain | ||
| #5804 | Cloudflare SSL by Weslink | 90 | 3 | 7 | 2k+ | trademarked term | ||
| #5805 | Daddy Plus | 90 | 35 | 552 | 8k+ | Non-prefixed global variable | ||
| #5806 | Disable Revisions | 90 | 5 | 5 | 1k+ | Direct Query | ||
| #5807 | Prevent Content Theft [Disable Right Click] | 90 | 4 | 6 | 1k+ | Missing Version | ||
| #5808 | Disable RSS | 90 | 8 | 0 | 500 | Missing Arg Domain | ||
| #5809 | Dynamic Year Block – display a copyright notice in your footer with the current year | 90 | 5 | 28 | 2k+ | Non-prefixed global variable | ||
| #5810 | Easy Google Fonts | 90 | 12 | 26 | 100k+ | Non-prefixed hook name | ||
| #5811 | Easy Auto SKU Generator for WooCommerce | 90 | 21 | 13 | 10k+ | Missing direct file access protection | ||
| #5812 | Featured Image Admin Thumb | 90 | 7 | 10 | 20k+ | Non-prefixed hook name | ||
| #5813 | Shipping Live Rates and Access Points for UPS for WooCommerce | 90 | 6 | 11 | 7k+ | Non-prefixed global variable | ||
| #5814 | Flipdish Ordering System | 90 | 5 | 11 | 400 | Non-prefixed function | ||
| #5815 | Fusion Page Builder : Extension – Button | 90 | 4 | 5 | 400 | Input is not validated | ||
| #5816 | GamiPress – WooCommerce Points Per Purchase Total | 90 | 10 | 5 | 400 | trademarked term | ||
| #5817 | Genesis Custom Blocks | 90 | 7 | 22 | 10k+ | Non-prefixed function | ||
| #5818 | Multiple Columns for Gravity Forms | 90 | 11 | 7 | 10k+ | Missing direct file access protection | ||
| #5819 | ShareThis Dashboard for Google Analytics | 90 | 4 | 272 | 80k+ | Non-prefixed global variable | ||
| #5820 | Gravity Forms – Placeholders add-on | 90 | 5 | 5 | 2k+ | trademarked term | ||
| #5821 | Hide Related Video Youtube | 90 | 3 | 8 | 1k+ | Direct Query | ||
| #5822 | Lawwwing | Textos legales web y Banner de cookies | 90 | 31 | 13 | 700 | Text Domain Mismatch | ||
| #5823 | If-So Conditional Content for Elementor | 90 | 5 | 1 | 1k+ | Missing direct file access protection | ||
| #5824 | Include Mastodon Feed | 90 | 11 | 3 | 800 | Non-prefixed global variable | ||
| #5825 | OAuth Single Sign On – SSO (OAuth Client) | 90 | 269 | 36 | 6k+ | wp function not compatible with requires wp | ||
| #5826 | Nav Menu Item Duplicator | 90 | 16 | 4 | 500 | wp function not compatible with requires wp | ||
| #5827 | Shipping Cost on Product Page Calculator for WooCommerce | 90 | 3 | 14 | 400 | Non-prefixed global variable | ||
| #5828 | Page and Post Restriction | 90 | 14 | 3 | 2k+ | wp function not compatible with requires wp | ||
| #5829 | Pantheon HUD | 90 | 4 | 6 | 1k+ | Input is not sanitized | ||
| #5830 | PHP Native Password Hash | 90 | 7 | 6 | 2k+ | Non-prefixed global variable | ||
| #5831 | Payment Forms for Paystack | 90 | 494 | 23 | 3k+ | Text Domain Mismatch | ||
| #5832 | Photection – Easy image protection for WordPress | 90 | 4 | 9 | 1k+ | Non-prefixed global variable | ||
| #5833 | PromPress | 90 | 8 | 4 | 700 | Missing direct file access protection | ||
| #5834 | Publish To Apple News | 90 | 882 | 2 | 5k+ | Text Domain Mismatch | ||
| #5835 | Quotes for WooCommerce | 90 | 186 | 265 | 4k+ | Text Domain Mismatch | ||
| #5836 | Reading Position Indicator | 90 | 2 | 23 | 800 | Dynamic hook name | ||
| #5837 | Relevanssi Live Ajax Search | 90 | 4 | 22 | 7k+ | Non-prefixed global variable | ||
| #5838 | SEO SIMPLE PACK | 90 | 99 | 97 | 100k+ | Non-prefixed global variable | ||
| #5839 | Show Page URL | 90 | 6 | 3 | 1k+ | Missing direct file access protection | ||
| #5840 | Simple Colorbox | 90 | 11 | 1 | 1k+ | Missing Arg Domain | ||
| #5841 | Slider by Soliloquy – Responsive Image Slider for WordPress | 90 | 470 | 29 | 30k+ | Text Domain Mismatch | ||
| #5842 | Tabbed Contents Block – Display Content in Tabbed Layout | 90 | 4 | 36 | 800 | Non-prefixed global variable | ||
| #5843 | Three Column Screen Layout | 90 | 5 | 8 | 1k+ | Direct Query | ||
| #5844 | Mobile Detect | 90 | 4 | 1 | 3k+ | Exception output is not escaped | ||
| #5845 | UltraAddons for Elementor | 90 | 65 | 2 | 600 | wp function not compatible with requires wp | ||
| #5846 | VK Ads Pixel plugin | 90 | 6 | 4 | 2k+ | Missing direct file access protection | ||
| #5847 | WP-Font-Resizer | 90 | 14 | 6 | 400 | wp function not compatible with requires wp | ||
| #5848 | WP-Speech-Balloon | 90 | 5 | 10 | 400 | trademarked term | ||
| #5849 | AAA Option Optimizer | 91 | 1 | 7 | 9k+ | Database parameter is not escaped | ||
| #5850 | Advanced Cron Manager – debug & control | 91 | 30 | 90 | 30k+ | Non-prefixed global variable |