missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #6301 | AOS Animation for SiteOrigin Page Builder | 97 | 2 | 7 | 3k+ | Missing Version | ||
| #6302 | Markdown Editor (Formerly Dark Mode) | 97 | 2 | 19 | 1k+ | Non-prefixed function | ||
| #6303 | Date Time Picker for Contact Form 7 | 97 | 8 | 2 | 20k+ | Text Domain Mismatch | ||
| #6304 | Design Upgrade for LearnDash | 97 | 5 | 1 | 7k+ | Missing direct file access protection | ||
| #6305 | Device Mockups | 97 | 7 | 3 | 900 | Missing direct file access protection | ||
| #6306 | Disable auto-update Email Notifications | 97 | 3 | 2 | 30k+ | Missing direct file access protection | ||
| #6307 | Disable New User Notification Emails | 97 | 2 | 6 | 4k+ | Non-prefixed hook name | ||
| #6308 | Disable Password Reset | 97 | 5 | 0 | 1k+ | Forbidden PHP function found | ||
| #6309 | Disable Responsive Images | 97 | 5 | 0 | 600 | Forbidden PHP function found | ||
| #6310 | Disable Right Click and Content Copy Protection | 97 | 4 | 2 | 400 | Missing Version | ||
| #6311 | Disable URL Autocorrect Guessing | 97 | 5 | 0 | 1k+ | Missing direct file access protection | ||
| #6312 | Disable WP Revisions | 97 | 4 | 4 | 400 | trademarked term | ||
| #6313 | Disable Yoast's Structured Data | 97 | 4 | 3 | 900 | trademarked term | ||
| #6314 | Display All Image Sizes | 97 | 3 | 4 | 1k+ | Missing Version | ||
| #6315 | DocsPress – Online Documentation | 97 | 16 | 3 | 400 | wp function not compatible with requires wp | ||
| #6316 | Double the Donation – A workplace giving tool | 97 | 6 | 4 | 1k+ | Missing Version | ||
| #6317 | Easy Custom Sidebars | 97 | 8 | 1 | 10k+ | Missing direct file access protection | ||
| #6318 | Easy Widget Columns | 97 | 3 | 17 | 400 | Non-prefixed global variable | ||
| #6319 | Eazy XMLRPC Pingback Disable | 97 | 4 | 1 | 800 | Missing direct file access protection | ||
| #6320 | Editor Full Width Gutenberg | 97 | 3 | 4 | 4k+ | trademarked term | ||
| #6321 | Embed Google Photos album | 97 | 5 | 2 | 3k+ | Missing direct file access protection | ||
| #6322 | Empty P Tag | 97 | 4 | 1 | 800 | Missing direct file access protection | ||
| #6323 | ESV CrossReference Tool | 97 | 4 | 1 | 500 | Missing direct file access protection | ||
| #6324 | Excerpts for Pages | 97 | 4 | 2 | 500 | Missing direct file access protection | ||
| #6325 | Exif Caption | 97 | 3 | 25 | 600 | Non-prefixed global variable | ||
| #6326 | Fake Pay For WooCommerce | 97 | 13 | 1 | 1k+ | Text Domain Mismatch | ||
| #6327 | FancyBox Gallery | 97 | 4 | 5 | 400 | Missing Version | ||
| #6328 | FAQ Block | 97 | 4 | 2 | 500 | Discouraged text-domain loading | ||
| #6329 | Featured Image Zoom | 97 | 4 | 1 | 900 | Missing direct file access protection | ||
| #6330 | Flexible Cookies | 97 | 5 | 39 | 3k+ | Non-prefixed global variable | ||
| #6331 | Flip Cards Module For Divi | 97 | 136 | 1 | 3k+ | Text Domain Mismatch | ||
| #6332 | JavaScript to Footer | 97 | 5 | 0 | 500 | Missing direct file access protection | ||
| #6333 | Force Default Variant for WooCommerce | 97 | 7 | 0 | 3k+ | Missing direct file access protection | ||
| #6334 | Force Update Translations | 97 | 8 | 1 | 1k+ | Missing direct file access protection | ||
| #6335 | Front Page Category | 97 | 4 | 2 | 5k+ | Missing direct file access protection | ||
| #6336 | Gallery in columns | 97 | 3 | 5 | 500 | Missing Version | ||
| #6337 | Genesis Portfolio Pro | 97 | 9 | 16 | 5k+ | Non-prefixed global variable | ||
| #6338 | Geo Redirect | 97 | 10 | 1 | 1k+ | Missing direct file access protection | ||
| #6339 | Geo to Lat | 97 | 3 | 11 | 500 | Direct Query | ||
| #6340 | GutenBee – Gutenberg Blocks | 97 | 7 | 10 | 7k+ | Missing direct file access protection | ||
| #6341 | Reviewkit – Trustpilot Reviews Widget & Embed | 97 | 3 | 28 | 700 | Non-prefixed global variable | ||
| #6342 | Hide All Notices | 97 | 4 | 1 | 2k+ | Missing Version | ||
| #6343 | Hide Content by User Role for WPBakery | 97 | 5 | 5 | 1k+ | Missing direct file access protection | ||
| #6344 | Hierarchical HTML Sitemap | 97 | 3 | 5 | 4k+ | Post Not In exclude | ||
| #6345 | html after URL | 97 | 3 | 2 | 4k+ | Missing direct file access protection | ||
| #6346 | HTTP/2 Server Push | 97 | 4 | 1 | 900 | Missing direct file access protection | ||
| #6347 | Video Gallery by Huzzaz | 97 | 5 | 2 | 900 | Non Enqueued Script | ||
| #6348 | iframe Wrapper | 97 | 3 | 3 | 500 | Missing Version | ||
| #6349 | Image Automatic Height Width | 97 | 6 | 0 | 400 | Missing direct file access protection | ||
| #6350 | Img Title Removal | 97 | 3 | 2 | 1k+ | Missing direct file access protection |