missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#6651Seed Buddhist Year98313k+Missing direct file access protection
#6652Sharing Image9842600Missing Arg Domain
#6653Shortcodes for Elementor98535k+Missing direct file access protection
#6654Shortcode for OpenTable Widget9832400Missing direct file access protection
#6655Shortcodes for Divi982310k+Discouraged text-domain loading
#6656Shortcodes in Sidebar9840400Missing direct file access protection
#6657Simple Admin Language Change984210k+Missing direct file access protection
#6658Simple WP Retina98261k+trademarked term
#6659Simplebooklet PDF Viewer and Embedder9830700Missing direct file access protection
#6660Sociality9811171k+Non-prefixed global variable
#6661Star Rating Block98421k+Missing direct file access protection
#6662Stick My Header for Astra9823600Non-prefixed global variable
#6663Sticky Header 2020981072700Text Domain Mismatch
#6664Tableberg – Simple Gutenberg Table Block98343k+date date
#6665Tag Pages983010k+Missing direct file access protection
#6666Tainacan Extra View Modes98251400Text Domain Mismatch
#6667TinyMCE Advanced Language Pack9840600Missing direct file access protection
#6668TinyMCE VisualBlocks9831900Missing direct file access protection
#6669Toggles98302k+Missing direct file access protection
#6670TWST Login Block98411k+Missing Translators Comment
#6671UF Health Require Image Alt Tags9831500Missing direct file access protection
#6672Unplug Jetpack98401k+Missing direct file access protection
#6673Users Registration Date98302k+Missing direct file access protection
#6674Waves Block9840700Missing direct file access protection
#6675Wayfinder9822700Non-prefixed function
#6676WebFinger98381k+Non-prefixed function
#6677Which Template98411k+wp function not compatible with requires wp
#6678Widget Areas for LearnDash9841600Missing direct file access protection
#6679Align Woo Buttons98363k+Non-prefixed function
#6680Database Reset9814310k+Missing direct file access protection
#6681WP About Author9833500trademarked term
#6682WP Copy Protect98431k+trademarked term
#6683WP Custom Avatar9825500trademarked term
#6684WP Display Header981537k+Text Domain Mismatch
#6685WP Document Revisions98772k+wp function not compatible with requires wp
#6686WP Edit Username981142k+Non-prefixed hook name
#6687WP Last Login982410k+trademarked term
#6688WP Links Page98233k+trademarked term
#6689WP Menu Image98242k+trademarked term
#6690Wp Post Views – WordPress Post views counter983104k+Non-prefixed class
#6691WP Robots Txt982340k+trademarked term
#6692WP Scraper98242k+trademarked term
#6693WP Search Suggest9833500trademarked term
#6694WP Snow Effect98541k+Missing direct file access protection
#6695WP Swiper981135k+Non-prefixed constant
#6696WP TinyMCE Tables9833400trademarked term
#6697WPB Addons for Elementor – News Ticker, Timeline, Team & More Widgets981173k+Post Not In exclude
#6698Show IDs by DraftPress982310k+Missing direct file access protection
#6699Yumpu E-Paper publishing98221k+Missing direct file access protection
#6700Zenchef widget integration981802k+Missing direct file access protection