missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#951Create251,6377646k+Text Domain Mismatch
#952Minimum and Maximum Quantity for WooCommerce255561,4363k+Non-prefixed global variable
#953Multibanco / MB Way / Payshop / Cofidis Pay (by LUSOPAY) for WooCommerce25492216400Text Domain Mismatch
#954My Calendar – Accessible Event Manager25102,20520k+Non-prefixed function
#955MyFatoorah – WooCommerce25191893k+Output is not escaped
#956All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements2535259740k+Non-prefixed global variable
#957Notifications for Forms & WordPress Actions253092821k+Text Domain Mismatch
#958NOWPayments for WooCommerce – Crypto Payment Gateway255341,3064k+Non-prefixed global variable
#959Object Sync for Salesforce25192296500Non-prefixed global variable
#960Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content256811,517300k+Non-prefixed global variable
#961Paymob for WooCommerce254433505k+Text Domain Mismatch
#962PDF Importer for WPForms25332329400Non-prefixed global variable
#963PDF & Print by BestWebSoft – WordPress Posts and Pages PDF Generator Plugin251,0841,2969k+Non-prefixed global variable
#964Piotnet Forms251873743k+Alternative PHP tag found
#965Plover Kit – Blocks, Patterns, Responsive Layout and Gutenberg Editor Enhancements256881,3833k+Non-prefixed global variable
#966Poll Maker by AYS – Versus Polls, Anonymous Polls, Image Polls254891,4137k+Non-prefixed global variable
#967Post Carousel Divi256861,3012k+Non-prefixed global variable
#968Post Snippets – Custom WordPress Code Snippets Customizer258081,65420k+Non-prefixed global variable
#969Premmerce257121,411500Non-prefixed global variable
#970Premmerce Redirect Manager257561,407500Non-prefixed global variable
#971Premmerce Product Search for WooCommerce255961,350900Non-prefixed global variable
#972Premmerce Wholesale Pricing for WooCommerce256351,377400Non-prefixed global variable
#973Pz-LinkCard259541,61820k+Non-prefixed global variable
#974QuadMenu – Mega Menu252,12845510k+Output is not escaped
#975Quiz Maker by AYS255053,03020k+Non-prefixed global variable
#976Quttera ThreatSign – Web Malware Scanner for WordPress2533447110k+Non-prefixed global variable
#977Qyrr – simply and modern QR-Code creation255311,3132k+Non-prefixed global variable
#978Rate limiting for Contact Form 7255471,306600Non-prefixed global variable
#979Really Simple Featured Video – Featured Video Support for Posts, Pages & WooCommerce Products258111,4945k+Non-prefixed global variable
#980reSmush.it : The original free image compressor and optimizer plugin2515569100k+Output is not escaped
#981Restrict – membership, site, content and user access restrictions for WordPress255391,4012k+Non-prefixed global variable
#982BerqWP – All-In-One Optimization for Core Web Vitals, Cache, CDN, Images, CSS & JavaScript252045464k+Non-prefixed global variable
#983Secure Copy Content Protection and Content Locking2596580320k+Output is not escaped
#984Seers AI | Cookie Consent Banner – GDPR & CCPA Compliant Consent Management Platform251,4464211k+Output is not escaped
#985Sensei LMS – Online Courses, Quizzes, & Learning25569289k+Nonce verification recommended
#986Seo Optimized Images255261,31610k+Non-prefixed global variable
#987SEO Repair Kit – Meta Manager, Schema Manager, SEO Content Monitoring, GSC Integration, Keyword & Rank Tracking251969022k+Direct Query
#988ShopMagic – email automation2522814510k+Exception output is not escaped
#989Simple Link Directory – AI Powered251334202k+Non-prefixed global variable
#990Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin2595873860k+Text Domain Mismatch
#991Simply Static – The Static Site Generator2518752830k+Non-prefixed hook name
#992Sitemap by click5252861326k+Unsafe printing function
#993Affiliate Program Suite — SliceWP Affiliates251,2912,08910k+Output is not escaped
#994Smart Image Resize for WooCommerce255824047k+Text Domain Mismatch
#995Smart Manager – Advanced WooCommerce Bulk Edit & Inventory Management2536792310k+SQL query is not prepared
#996Smart phone field for Gravity Forms255401,3166k+Non-prefixed global variable
#997Spice Blocks255361,3001k+Non-prefixed global variable
#998STAGGS – Product Configurator Toolkit256262,180400Non-prefixed global variable
#999Stylish Cost Calculator – Quote Generator, Lead Gen & Price Estimator256481,0211k+Output is not escaped
#1000SupportCandy – AI Customer Support Ticket System & Live Chatbot Agent254321,35710k+Direct Query