missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#851YITH WooCommerce Product Gallery & Image Zoom244181,49020k+Non-prefixed global variable
#852Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation241,2113,15230k+Non-prefixed global variable
#853Dynamic Pricing With Discount Rules for WooCommerce251652055k+Non-prefixed global variable
#854AdRotate Banner Manager251,36384620k+Unsafe printing function
#855Advanced Floating Content Lite256431,3487k+Non-prefixed global variable
#856Advanced WordPress Reset – Debug, Recover & Reset WP2547546420k+Output is not escaped
#857AF Companion – Starter Sites, Speed Booster & Growth Suite for Professional Publishing256651,48610k+Non-prefixed global variable
#858Affiliates256891,4832k+Output is not escaped
#859FiboSearch – Ajax Search for WooCommerce25603302100k+Output is not escaped
#860AliExpress Dropshipping Plugin for WooCommerce Stores255557344k+Text Domain Mismatch
#861AIO Forms – Craft Complex Forms Easily25189418700Mixed line endings
#862Booking for Appointments and Events Calendar – Amelia251,48748090k+Exception output is not escaped
#863Animated Number Counters254631,9322k+Non-prefixed global variable
#864Appointment Booking Calendar253271,0551k+Non-prefixed global variable
#865ATUM WooCommerce Inventory Management and Stock Tracking252,6341,30610k+Non Singular String Literal Domain
#866bbp style pack251,4191,7916k+Output is not escaped
#867Beaver Builder Page Builder – Drag and Drop Website Builder254,4631,819100k+Text Domain Mismatch
#868BlockSpare – Gutenberg Post Grid Blocks for News, Magazine & Blog Websites251,3271,71410k+Non-prefixed global variable
#869Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid2524385450k+Non-prefixed global variable
#870Booking Calendar Contact Form25371884500Input is not validated
#871Bookit — Booking & Appointment Calendar255651,4584k+Non-prefixed global variable
#872Online Scheduling and Appointment Booking System – Bookly251,08888860k+SQL query is not prepared
#873Breeze Cache25218800400k+Non-prefixed global variable
#874Broken Link Checker25727600500k+Output is not escaped
#875BuddyPress Docs252844217k+Nonce verification recommended
#876Bulk Edit Categories and Tags – Create Thousands Quickly on the Editor251,0411,0164k+Text Domain Mismatch
#877Bulk Edit and Create User Profiles – WP Sheet Editor259951,0011k+Text Domain Mismatch
#878PublishPress Capabilities – User Role Editor, Access Permissions, User Capabilities, Admin Menus253621,586100k+Non-prefixed global variable
#879SilentShield – Captcha & Anti-Spam for WordPress (CF7, WPForms, Elementor, WooCommerce)2523521410k+Database parameter is not escaped
#880GSheetConnector for CF7 – Connect Contact Form 7 to Google Sheets and Send Form Submissions in Real Time256141,43140k+Non-prefixed global variable
#881CheckoutWC Lite – Conversion optimized WooCommerce checkout251,4168543k+Text Domain Mismatch
#882CheckView – Form & Checkout Testing25663371k+Direct Query
#883HIPAA FORMS25414416800Request data is not unslashed
#884Admin Columns25613995100k+Non-prefixed namespace
#885Colissimo shipping methods for WooCommerce251,75555710k+Text Domain Mismatch
#886Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode25991,040700k+Non-prefixed global variable
#887Disable Comments & Delete All Comments255031859k+Output is not escaped
#888Coinbase Business Gateway for WooCommerce255691,317800Non-prefixed global variable
#889Contact Form DB Divi255331,2993k+Non-prefixed global variable
#890Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress254983551k+Text Domain Mismatch
#891Coupon Creator256984121k+Output is not escaped
#892Cryptocurrency Payment Gateway251,963589400Text Domain Mismatch
#893CSS & JavaScript Toolbox2515561710k+Non-prefixed class
#894Smash Balloon Social Post Feed – Simple Social Feeds for WordPress25554982200k+Output is not escaped
#895DecaLog259432361k+Exception output is not escaped
#896Demo Importer Plus255823910k+Non-prefixed hook name
#897Disable Admin Notices – Hide Dashboard Notifications25465195100k+Output is not escaped
#898Docket Cache – Object Cache Accelerator2533348120k+Output is not escaped
#899ELEX WooCommerce Dynamic Pricing and Discounts25478748800Text Domain Mismatch
#900WEB-Translation – eTranslation Multilingual252171,057400Non-prefixed function