missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or execute code that assumes WordPress functions, permission checks, and request context are already in place.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
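
A simplified way to audit files for this rule, as an added example that is not Plugin Check's own code: it uses PHP's tokenizer to require that the first statement after any `declare`, `namespace` or `use` lines is an ABSPATH guard that exits. The function name `has_early_abspath_guard`, the sample paths and the file contents are constructed for illustration.

```php
<?php
// Added example, not Plugin Check's implementation. Heuristic: the first
// statement after declare/namespace/use must be an ABSPATH guard that exits.
function has_early_abspath_guard( string $source ): bool {
	$skip   = array( T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT );
	$tokens = array();
	foreach ( token_get_all( $source ) as $tok ) {
		if ( ! is_array( $tok ) || ! in_array( $tok[0], $skip, true ) ) {
			$tokens[] = $tok;
		}
	}
	$i = 0;
	$n = count( $tokens );
	// Statements that do no work may come first (bracketed namespaces are not handled).
	$preamble = array( T_DECLARE, T_NAMESPACE, T_USE );
	while ( $i < $n && is_array( $tokens[ $i ] ) && in_array( $tokens[ $i ][0], $preamble, true ) ) {
		while ( $i < $n && ';' !== $tokens[ $i ] ) {
			$i++;
		}
		$i++;
	}
	// Join the first real statement, whitespace removed, up to its first ';'.
	// Inline HTML before the opening tag counts as output and ends up here too.
	$stmt = '';
	for ( ; $i < $n; $i++ ) {
		$stmt .= is_array( $tokens[ $i ] ) ? $tokens[ $i ][1] : $tokens[ $i ];
		if ( ';' === $tokens[ $i ] ) {
			break;
		}
	}
	// Accept `if ( ! defined( 'ABSPATH' ) ) { exit; }` and `defined( 'ABSPATH' ) || exit;`.
	$d     = 'defined\([\'"]ABSPATH[\'"]\)';
	$guard = '/^(if\(!' . $d . '\)\{?|' . $d . '(\|\||or))(exit|die)(\(.*\))?;$/s';
	return 1 === preg_match( $guard, $stmt );
}

// Constructed sample files (hypothetical paths and contents).
$samples = array(
	'plugin.php'           => "<?php\n/* Plugin Name: Example */\nif ( ! defined( 'ABSPATH' ) ) { exit; }\nadd_action( 'init', 'example_init' );",
	'inc/class-loader.php' => "<?php\nnamespace Example;\ndefined( 'ABSPATH' ) || exit;\nclass Loader {}",
	'partials/row.php'     => "<?php\n\$opts = get_option( 'example' );\nif ( ! defined( 'ABSPATH' ) ) { exit; }",
	'templates/box.php'    => "<div class=\"box\"><?php echo esc_html( \$title ); ?></div>",
);
foreach ( $samples as $path => $source ) {
	echo str_pad( $path, 22 ), has_early_abspath_guard( $source ) ? 'guarded' : 'MISSING or late guard', "\n";
}
```

The first two samples pass; `partials/row.php` is flagged because the guard comes after a call to `get_option()`, and `templates/box.php` because it sends markup with no guard at all.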
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #6801 | Widget Post Slider | 99 | 2 | 0 | 1k+ | | | Missing direct file access protection |
| #6802 | WP Remove Query Strings From Static Resources | 99 | 8 | 4 | 3k+ | | | Text Domain Mismatch |
| #6803 | X Addons for Elementor | 99 | 2 | 0 | 900 | | | Missing direct file access protection |
| #6804 | Playlist Player for YouTube | 99 | 3 | 1 | 2k+ | | | Missing direct file access protection |
| #6805 | ZoloBlocks – Advanced Gutenberg Blocks, Website Builder & Page Design Toolkit | 99 | 3 | 2 | 1k+ | | | Missing direct file access protection |
| #6806 | Automatic Cache Flusher for W3 Total Cache | 100 | 1 | 0 | 4k+ | | | Missing direct file access protection |
| #6807 | Bookmark Card | 100 | 1 | 0 | 700 | | | Missing direct file access protection |
| #6808 | Definitely allow mobile zooming | 100 | 1 | 0 | 7k+ | | | Missing direct file access protection |
| #6809 | Disable Emojis (GDPR friendly) | 100 | 1 | 0 | 60k+ | | | Missing direct file access protection |
| #6810 | Disable XML-RPC | 100 | 1 | 0 | 200k+ | | | Missing direct file access protection |
| #6811 | Generate Child Theme | 100 | 1 | 0 | 9k+ | | | Missing direct file access protection |
| #6812 | Hyperlink Group Block | 100 | 1 | 0 | 7k+ | | | Missing direct file access protection |
| #6813 | Makeiteasy Slider | 100 | 1 | 0 | 1k+ | | | Missing direct file access protection |
| #6814 | Media Trash Button | 100 | 1 | 0 | 400 | | | Missing direct file access protection |
| #6815 | Nelio Content – Editorial Calendar & Social Media Auto-Posting | 100 | 1 | 0 | 4k+ | | | Missing direct file access protection |
| #6816 | Press Release Distribution | 100 | 1 | 0 | 700 | | | Missing direct file access protection |
| #6817 | Pushly | 100 | 1 | 0 | 900 | | | Missing direct file access protection |
| #6818 | Term Description: Rich Text Editor (Powered by TinyMCE) for WooCommerce | 100 | 1 | 0 | 700 | | | Missing direct file access protection |
| #6819 | Shortcode Redirect | 100 | 1 | 0 | 10k+ | | | Missing direct file access protection |
| #6820 | Splide Carousel Block | 100 | 1 | 0 | 3k+ | | | Missing direct file access protection |
| #6821 | Unique Title Checker | 100 | 1 | 0 | 1k+ | | | Missing direct file access protection |