missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5851 | Advanced Posts/Page | 91 | 16 | 2 | 3k+ | Text Domain Mismatch | ||
| #5852 | Astra Bulk Edit | 91 | 4 | 3 | 30k+ | Missing direct file access protection | ||
| #5853 | Block Guide Lines | 91 | 6 | 3 | 900 | Non-prefixed function | ||
| #5854 | Blockenberg — 600+ Advanced Gutenberg Blocks for WordPress Block Editor | 91 | 4 | 6 | 700 | block api version too low | ||
| #5855 | Book Review Block | 91 | 11 | 2 | 1k+ | block api version too low | ||
| #5856 | Contact Form 7 Syntax Highlighting | 91 | 4 | 10 | 1k+ | Nonce verification recommended | ||
| #5857 | Contact Form 7 – email body TinyMCE editor | 91 | 4 | 6 | 400 | Nonce verification recommended | ||
| #5858 | Change Author | 91 | 8 | 0 | 1k+ | Missing Arg Domain | ||
| #5859 | Change Empty Trash Time | 91 | 5 | 3 | 1k+ | Missing direct file access protection | ||
| #5860 | Chatbase | 91 | 4 | 4 | 5k+ | Non-prefixed function | ||
| #5861 | Clever Fox | 91 | 16 | 1 | 30k+ | wp function not compatible with requires wp | ||
| #5862 | Cliengo – Chatbot | 91 | 4 | 7 | 2k+ | Input is not sanitized | ||
| #5863 | Connector GravityForms and MailerLite | 91 | 8 | 2 | 2k+ | Missing Translators Comment | ||
| #5864 | CryptoCloud – Crypto Payment Gateway | 91 | 13 | 6 | 400 | Text Domain Mismatch | ||
| #5865 | CTA Button Styler | 91 | 3 | 39 | 400 | Non-prefixed global variable | ||
| #5866 | Di Blocks – Awesome WordPress Blocks for Gutenberg Editor | 91 | 7 | 3 | 1k+ | Missing direct file access protection | ||
| #5867 | GTM4WP – A Google Tag Manager (GTM) plugin for WordPress | 91 | 59 | 79 | 700k+ | Non-prefixed global variable | ||
| #5868 | Easy Logo Link Change | 91 | 6 | 1 | 1k+ | Deprecated function: screen_icon | ||
| #5869 | Eazy Login Logo | 91 | 4 | 2 | 400 | Missing direct file access protection | ||
| #5870 | Elmo | 91 | 6 | 2 | 900 | Missing direct file access protection | ||
| #5871 | ERE Similar Properties – Essential Real Estate Add-On | 91 | 4 | 3 | 1k+ | Missing direct file access protection | ||
| #5872 | Faust.js | 91 | 9 | 4 | 1k+ | Missing direct file access protection | ||
| #5873 | FT Password Protect Children Pages | 91 | 8 | 1 | 400 | Missing Arg Domain | ||
| #5874 | Gravity Forms Confirmation Page List | 91 | 6 | 3 | 400 | Missing direct file access protection | ||
| #5875 | Gravity Forms Placeholder Add-On | 91 | 5 | 4 | 1k+ | trademarked term | ||
| #5876 | Gutentools | 91 | 17 | 10 | 5k+ | Missing direct file access protection | ||
| #5877 | Helio Pay (Accept 1-click crypto payments #USDC #SOL #BTC #ETH) | 91 | 8 | 11 | 500 | Missing direct file access protection | ||
| #5878 | Hide Author Archive | 91 | 6 | 3 | 500 | Missing direct file access protection | ||
| #5879 | Icegram Engage – Popups, Optins, CTAs & Lead Generation | 91 | 14 | 10 | 10k+ | wp function not compatible with requires wp | ||
| #5880 | Icon List Block – Add Icon-Based Lists with Custom Styles | 91 | 3 | 7 | 4k+ | Not In Footer | ||
| #5881 | Jetpack Lite | 91 | 3 | 7 | 600 | Non-prefixed function | ||
| #5882 | Lazy Load Elementor Background Images | 91 | 5 | 6 | 1k+ | Non-prefixed function | ||
| #5883 | LegalBlink for Aruba | 91 | 33 | 29 | 8k+ | Missing direct file access protection | ||
| #5884 | Limit Revisions | 91 | 7 | 1 | 1k+ | Missing Arg Domain | ||
| #5885 | Loop Post Navigation Links | 91 | 7 | 5 | 500 | Missing Arg Domain | ||
| #5886 | matchHeight | 91 | 6 | 2 | 2k+ | Non-prefixed global variable | ||
| #5887 | MC4WP: WPML Integration | 91 | 7 | 9 | 2k+ | Missing direct file access protection | ||
| #5888 | Meks Quick Plugin Disabler | 91 | 3 | 8 | 1k+ | Nonce verification recommended | ||
| #5889 | Mesmerize Companion | 91 | 27 | 91 | 50k+ | Non-prefixed global variable | ||
| #5890 | MultiManager WP – Manage All Your WordPress Sites Easily | 91 | 28 | 11 | 1k+ | Missing Arg Domain | ||
| #5891 | Shipping Live Rates for Royal Mail for WooCommerce | 91 | 4 | 13 | 400 | Non-prefixed global variable | ||
| #5892 | Pantheon Advanced Page Cache | 91 | 10 | 6 | 10k+ | Request data is not unslashed | ||
| #5893 | Parent Category Toggler | 91 | 6 | 0 | 10k+ | Missing direct file access protection | ||
| #5894 | PDF Embedder | 91 | 1 | 7 | 300k+ | Non-prefixed class | ||
| #5895 | PS User Login Count | 91 | 7 | 7 | 400 | Missing Arg Domain | ||
| #5896 | reBusted! | 91 | 7 | 3 | 6k+ | Missing direct file access protection | ||
| #5897 | Remove Image Links | 91 | 5 | 10 | 800 | Non-prefixed function | ||
| #5898 | Responsive Tabs | 91 | 59 | 9 | 4k+ | Non Singular String Literal Domain | ||
| #5899 | REST API Toolbox | 91 | 25 | 0 | 1k+ | Missing Arg Domain | ||
| #5900 | Restricted Site Access | 91 | 14 | 11 | 10k+ | Missing Arg Domain |