missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#601Customer Reviews for WooCommerce242,2022,44580k+Output is not escaped
#602Defender Security – Malware Scanner, Login Security & Firewall2454759480k+Non-prefixed namespace
#603WP Comment Cleaner – Delete All Comments, Disable Comments, Bulk Delete & Remove Comments245871,43020k+Non-prefixed global variable
#604WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes)248452,6434k+Non-prefixed global variable
#605Democracy Poll243874367k+Short PHP open tag found
#606Deployer for Git245411,336500Non-prefixed global variable
#607Digital License Manager24295670800Non-prefixed hook name
#608Double Opt-In for Contact Form 7 – Secure, GDPR-Compliant Email Verification242334411k+Non-prefixed hook name
#609Doubly – Cross Domain Copy Paste for WordPress242525510k+Output is not escaped
#610Drop Shadow Boxes246421,2904k+Non-prefixed global variable
#611DSGVO All in one for WP24751,63720k+Non-prefixed global variable
#612Dynamic Widgets2463181210k+Non-prefixed global variable
#613Easy Form Builder by WhiteStudio — Drag & Drop Form Builder241943811k+Nonce verification recommended
#614Easy Invoice – Invoice Generator, PDF Quotes & Payments241,3662,013500Non-prefixed global variable
#615Easy Modal245642997k+Unsafe printing function
#616E-cab Taxi Booking Manager for Woocommerce243561,4622k+Non-prefixed global variable
#617eCommerce Product Catalog Plugin for WordPress246213,1777k+Non-prefixed function
#618ELEX WooCommerce Request a Quote243982662k+Request data is not unslashed
#619Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress246521,49560k+Non-prefixed hook name
#620EmbedPress – PDF Embedder, 3D PDF FlipBook, Google Reviews, YouTube Videos, Upload & Embed PDF documents247111,588100k+Output is not escaped
#621Enable Media Replace24212276600k+Output is not escaped
#622Conversios: Google Analytics (GA4), Google Ads, Conversion and Analytics Tracking for Multi-Channels241121,49710k+Non-prefixed global variable
#623Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns24120684200k+Non-prefixed global variable
#624Event Tickets and Registration243,4094,21790k+Non-prefixed global variable
#625Export WordPress Pages to Static HTML & PDF — Static Site Export245093044k+Text Domain Mismatch
#626Etsy Integration For WooCommerce241,2464,643900Non-prefixed global variable
#627Fast Velocity Minify2428225640k+Unsafe printing function
#628Featured Image from URL (FIFU)241,65441870k+Non Singular String Literal Domain
#629Featured Post with thumbnail24158122400Output is not escaped
#630FeedWordPress244963199k+Missing Arg Domain
#631FileBird – WordPress Media Library Folders & File Manager24239377200k+wp function not compatible with requires wp
#632Fix Alt Text245443461k+Non Singular String Literal Domain
#633FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution2419375380k+Direct Query
#634Food Store – Online Food Delivery & Pickup248621,9411k+Non-prefixed global variable
#635Football Pool241,0857331k+Output is not escaped
#636Force Sell for WooCommerce24697455600Text Domain Mismatch
#637Forminator Forms – Contact Form, Payment Form & Custom Form Builder248261,314600k+Non-prefixed global variable
#638Fuse Social Floating Sidebar241,8381,57810k+Non-prefixed global variable
#639FV Simpler SEO247663082k+Text Domain Mismatch
#640FV Player 8243231,3831k+Non-prefixed function
#641Photo Gallery – Responsive Image Galleries by Supsystic242409120k+Text Domain Mismatch
#642Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress2453632410k+Text Domain Mismatch
#643GD Mail Queue24502582700Output is not escaped
#644Cookie Banner for GDPR / CCPA – WPLP Cookie Consent241,2141,9249k+Non-prefixed global variable
#645Genealogical Tree – Family Tree & Ancestry for WordPress245601,641600Non-prefixed global variable
#646GEO my WP245542,0893k+Non-prefixed hook name
#647GG Woo Feed for WooCommerce Shopping Feed on Google and Other Channels244695921k+Non-prefixed global variable
#648Connector Wizard (formerly LC Wizard)242494481k+Non-prefixed function
#649Assets manager, dequeue scripts, dequeue styles for WordPress245922552k+Output is not escaped
#650ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)24118442300k+Nonce verification recommended