missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#6751Say What?993240k+Missing direct file access protection
#6752Simple Table Manager9922400Discouraged text-domain loading
#6753Simple Ticker9917500Non-prefixed global variable
#6754Simply Disable Password Reset9920700Missing direct file access protection
#6755Snow Monkey Editor992330k+Non-prefixed global variable
#6756SO Page Builder Animate99204k+Missing direct file access protection
#6757Specia Companion99704k+Missing direct file access protection
#6758Stop Media Comment Spamming9920800Missing direct file access protection
#6759Super block slider – Image & content slider99129k+Missing direct file access protection
#6760Super List Block9930800Missing direct file access protection
#6761Syntax-highlighting Code Block (with Server-side Rendering)99111k+Missing direct file access protection
#6762Thumbnail Upscale99203k+Missing direct file access protection
#6763TicketSource Ticket Shop9930800Missing direct file access protection
#6764Very Simple Google Maps99203k+Missing direct file access protection
#6765Voice Search9921600Missing direct file access protection
#6766Widget Post Slider99201k+Missing direct file access protection
#6767X Addons for Elementor9920900Missing direct file access protection
#6768Playlist Player for YouTube99311k+Missing direct file access protection
#6769ZoloBlocks – Advanced Gutenberg Blocks, Website Builder & Page Design Toolkit99321k+Missing direct file access protection
#6770Automatic Cache Flusher for W3 Total Cache100104k+Missing direct file access protection
#6771Bookmark Card10010700Missing direct file access protection
#6772Definitely allow mobile zooming100107k+Missing direct file access protection
#6773Disable Emojis (GDPR friendly)1001060k+Missing direct file access protection
#6774Disable XML-RPC10010200k+Missing direct file access protection
#6775Generate Child Theme100109k+Missing direct file access protection
#6776Hyperlink Group Block100107k+Missing direct file access protection
#6777Makeiteasy Slider100101k+Missing direct file access protection
#6778Media Trash Button10010400Missing direct file access protection
#6779Nelio Content – Editorial Calendar & Social Media Auto-Posting100104k+Missing direct file access protection
#6780Press Release Distribution10010700Missing direct file access protection
#6781Pushly10010900Missing direct file access protection
#6782Shortcode Redirect1001010k+Missing direct file access protection
#6783Splide Carousel Block100103k+Missing direct file access protection
#6784Unique Title Checker100101k+Missing direct file access protection