missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1051WP Google Review Slider251,3662,58430k+Non-prefixed global variable
#1052WP Encryption – No.1 HTTPS plugin & One Click Free SSL Cert, HTTPS Redirect, SSL Security258751,76450k+Non-prefixed global variable
#1053Nested Pages2567456090k+Non-prefixed global variable
#1054WP-Polls2561863940k+Unsafe printing function
#1055WP Popups – WordPress Popup builder2544034230k+Output is not escaped
#1056Perfect Images: Regenerate Thumbnails, Image Sizes, WebP & AVIF2515811860k+Non-prefixed global variable
#1057Bulk Edit Posts and Products in Spreadsheet259349448k+Text Domain Mismatch
#1058SlimStat Analytics251,17787070k+Exception output is not escaped
#1059Smush – Image Optimization, Compression, Lazy Load, WebP & CDN252445681m+Non-prefixed hook name
#1060Wp Social Login and Register Social Counter258073890k+Non-prefixed global variable
#1061WP Statistics – Simple, privacy-friendly Google Analytics alternative256102,465600k+Non-prefixed global variable
#1062WP Super Cache258009891m+Output is not escaped
#1063WP Time Slots Booking Form254391,1371k+Non-prefixed global variable
#1064WP TripAdvisor Review Slider251,0632,5828k+Non-prefixed global variable
#1065WP Yelp Review Slider256001,0861k+Non-prefixed global variable
#1066WPCargo Track & Trace2523955710k+Non-prefixed global variable
#1067Team Members Showcase255911,4944k+Non-prefixed global variable
#1068WPvivid Backup for MainWP258181,79410k+Missing nonce verification
#1069WPvivid — Backup, Migration & Staging259001,461900k+Non-prefixed namespace
#1070Backup, Restore and Migrate your sites with XCloner2523886410k+Input is not sanitized
#1071XT Quick View for WooCommerce251,0621,798400Non-prefixed global variable
#1072YeeMail — Email Template Builder & Customizer25606222600wp function not compatible with requires wp
#1073ActiveCampaign for WooCommerce265411905k+Exception output is not escaped
#1074AfterShip Tracking – All-In-One WooCommerce Order Tracking (Free plan available)262862918k+Text Domain Mismatch
#1075AI Content Writing Assistant261,069516700Text Domain Mismatch
#1076Attesa Extra263161511k+Output is not escaped
#1077A WP Life Companion261,7034586k+Text Domain Mismatch
#1078Bangladeshi Payments Mobile – QR Code & Transaction Reports265351,2801k+Non-prefixed global variable
#1079Blog Floating Button267052409k+Output is not escaped
#1080Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar265262635k+Output is not escaped
#1081Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More269727010k+error log error log
#1082Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty26113671400k+Non-prefixed global variable
#1083Translate WordPress with ConveyThis – AI Multilingual Plugin261592971k+Non-prefixed global variable
#1084CP Multi View Events Calendar2686439900Non-prefixed global variable
#1085Cyclone Demo Importer261,77844810k+Text Domain Mismatch
#1086WP Frontend Admin – Display WP Admin Pages in the Frontend26347337400Non Singular String Literal Domain
#1087Ditty – Responsive News Tickers, Sliders, and Lists2656148430k+Output is not escaped
#1088Accept Donations with PayPal & Stripe2691657210k+Unsafe printing function
#1089Easy Post Views Count265341,1802k+Non-prefixed global variable
#1090ELEX WooCommerce Google Shopping (Google Product Feed)262262421k+Text Domain Mismatch
#1091Event Monster – Event Manager, Ticket Booking & Registration26781781600Non-prefixed global variable
#1092RSS Redirect & Feedburner Alternative262772721k+Output is not escaped
#1093FG Drupal to WordPress26275100700Unsafe printing function
#1094FG PrestaShop to WooCommerce2625494900Unsafe printing function
#1095FlagShip WooCommerce Shipping26495188400Non Singular String Literal Domain
#1096Fluent Support – Helpdesk & Customer Support Ticket System269227210k+Direct Query
#1097Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager2611359790k+Non-prefixed global variable
#1098FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.)265944172k+Exception output is not escaped
#1099FV Antispam26332239900Output is not escaped
#1100Translate WordPress – Google Language Translator26200317100k+Non-prefixed global variable