missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#5951OffCanvas / Drawer – Responsive Slide-In Drawer & Popup System9262900Missing direct file access protection
#5952Paste As Plain Text By Default92252k+Nonce verification recommended
#5953PDF Thumbnails92521k+Missing Arg Domain
#5954PhotoSwipe92491k+Not In Footer
#5955Picture Gallery – Frontend Image Uploads, AJAX Photo List9252400date date
#5956Propovoice: All-in-One Client Management System921341800Non-prefixed global variable
#5957Remove RSS Feed92501k+Missing Arg Domain
#5958RTL Tester92621k+Nonce verification recommended
#5959MWW Scheduled Post Trigger924260k+Direct Query
#5960Site Closed9250400Missing direct file access protection
#5961SmartEmailing9273600Missing direct file access protection
#5962Snow Monkey Blocks928717330k+Non-prefixed global variable
#5963Stencil92681k+Non-prefixed function
#5964Themebeez Toolkit9226789k+Non-prefixed class
#5965TP WooCommerce Product Gallery92491k+Non-prefixed function
#5966Ultimate Fonts9263400Missing Arg Domain
#5967User Access Shortcodes92311k+Missing direct file access protection
#5968Verify domain for Apple Pay with Stripe9232600Input is not sanitized
#5969Menu Cart for WooCommerce921021680k+Text Domain Mismatch
#5970WP DPE-GES928459600Text Domain Mismatch
#5971WP Force SSL & HTTPS SSL Redirect92182190k+Non-prefixed global variable
#5972WP Quick Post Duplicator923102k+trademarked term
#5973Advanced Views – Display Custom Fields (ACF, Pods, MetaBox), Posts, CPT and Woo Products anywhere in Gutenberg, Elementor, Divi, Beaver…9332433k+Non-prefixed global variable
#5974Advanced Responsive Video Embedder for Rumble, Odysee, YouTube, Vimeo, Kick …93253220k+Missing direct file access protection
#5975Advanced Testimonial Carousel For Elementor93362k+Nonce verification recommended
#5976Section Builder with Backgrounds – Customize with Color, Gradient, Image and Parallax.93271k+Non-prefixed global variable
#5977CF7 Mate – AI Form Builder, Styler & Multi-Step Forms for Contact Form 7933920k+Non-prefixed class
#5978Plugin de Clip para WooCommerce931329800Non-prefixed global variable
#5979Contextual Related Posts93216750k+Non-prefixed hook name
#5980Custom Post Type Sticky93106800Text Domain Mismatch
#5981Disable Blog9322210k+Non-prefixed global variable
#5982Disable Auto Update Emails and Block Updates for Plugins, WP Core, and Themes931073k+Missing direct file access protection
#5983Social Sharing (by Danny)93982k+Missing direct file access protection
#5984Easy Notify Lite932645400Missing Version
#5985Enable Mastodon Apps931375600Non-prefixed global variable
#5986Feed For TikTok Shop93114500wp function not compatible with requires wp
#5987Shipping Live Rates for DHL Express for WooCommerce93411600Non-prefixed global variable
#5988Huurkalender WP9337800trademarked term
#5989Image Carousel Module for Divi9313139k+Text Domain Mismatch
#5990Import Shopify To WP93751k+Missing Translators Comment
#5991Kortez Toolset93321k+Missing Translators Comment
#5992League Table – WordPress Table Plugin931091k+Missing direct file access protection
#5993Local Google Fonts93315100k+Non-prefixed global variable
#5994ACF Photo Gallery Field932360k+Input is not sanitized
#5995OptionTree93165250k+Text Domain Mismatch
#5996Pdf Embed934410k+Non-prefixed global variable
#5997Contact Form & SMTP Plugin for WordPress by PirateForms931410230k+Non-prefixed hook name
#5998Quick Adsense93312620k+Missing direct file access protection
#5999Simple File List9315253k+Non-prefixed global variable
#6000Single Category Permalink93512400Non-prefixed global variable