missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1101Hide Admin Bar Based on User Roles265491,34520k+Non-prefixed global variable
#1102Ibtana – WordPress Website Builder2617340910k+Non-prefixed global variable
#1103Icegram Collect – Easy Form, Lead Collection and Subscription plugin264232922k+Output is not escaped
#1104Integrate Razorpay for Contact Form 72615297500curl curl setopt
#1105Kadence Central – Site Management, Backups, Security, and Reporting2646221330k+Text Domain Mismatch
#1106JustTables – WooCommerce Product Table26534652600Non-prefixed global variable
#1107Kirki – Freeform Page Builder, Website Builder & Customizer26191803500k+Nonce verification recommended
#1108Klarna for WooCommerce2628450730k+Dynamic hook name
#1109Login Widget With Shortcode263351986k+wp function not compatible with requires wp
#1110MakeStories (for Google Web Stories)26117416600Nonce verification recommended
#1111MaxGalleria262785602k+Non-prefixed global variable
#1112Media File Renamer: Rename for better SEO (AI-Powered)2615417040k+Direct Query
#1113Hotel Booking266909404k+Unsafe printing function
#1114Omise Payments263582562k+Output is not escaped
#1115Online Contact Widget-多合一在线客服插件2670880800Non Singular String Literal Domain
#1116OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA)262725996k+Request data is not unslashed
#1117Open User Map – Interactive Leaflet Maps2689598810k+Non-prefixed global variable
#1118Organic Builder Widgets – Simple WordPress Page Builder261,0341253k+Output is not escaped
#1119Paytium: Mollie payment forms & donations265065513k+Unsafe printing function
#1120LoginWP (Formerly Peter's Login Redirect)2640127890k+Output is not escaped
#1121Crowdsignal Dashboard – Polls, Surveys & more26481491200k+Unsafe printing function
#1122Polylang2636564800k+Non-prefixed hook name
#1123Portfolio by BestWebSoft – Work and Projects Presentation Plugin for WordPress26525240600Text Domain Mismatch
#1124Premmerce User Roles265971,357600Non-prefixed global variable
#1125Pressidium Cookie Consent262039510k+Exception output is not escaped
#1126Product Table For WooCommerce26191858600Non-prefixed global variable
#1127Role Based Pricing for Woo by Meow Crew265481,3542k+Non-prefixed global variable
#1128Send Users Email – Email Subscribers, Email Marketing Newsletter261884155k+Non-prefixed global variable
#1129SEO Booster264031,3311k+Non-prefixed global variable
#1130SP Move Login268812156k+Text Domain Mismatch
#1131Video Gallery – Vimeo and YouTube Gallery265617946k+Non-prefixed global variable
#1132Carousel, Recent Post Slider and Banner Slider265281,4098k+Non-prefixed global variable
#1133StoreGrowth: Smart Sales Booster for WooCommerce | BOGO, Upsells, Direct Checkout, Quick View, Side Cart261254202k+Non-prefixed global variable
#1134Subscriber by BestWebSoft26550376900Text Domain Mismatch
#1135SV Proven Expert26747380900Output is not escaped
#1136Tag Groups is the Advanced Way to Display Your Taxonomy Terms263512323k+Unsafe printing function
#1137Theater for WordPress26348344600Output is not escaped
#1138Ultimate Reviews26515345500Output is not escaped
#1139UpdraftCentral Dashboard262671805k+Missing Translators Comment
#1140User Avatar261041734k+Non-prefixed constant
#1141User Submitted Posts – Enable Users to Submit Posts from the Front End2669939610k+Text Domain Mismatch
#1142VikWidgetsLoader – Collection of Widgets261,1825381k+Output is not escaped
#1143Virtue/Ascend/Pinnacle Toolkit2660530030k+Output is not escaped
#1144Visitors Online by BestWebSoft265122691k+Text Domain Mismatch
#1145Conditional Fees for WooCommerce Lite265661,303500Non-prefixed global variable
#1146Cart Abandonment Recovery for WooCommerce – Recover Lost Sales with Automated Emails2651325300k+Direct Query
#1147Parcel Pro26171220600Output is not escaped
#1148Premmerce SEO for WooCommerce265501,2851k+Non-prefixed global variable
#1149Set Price Note (Units, Offers, Editions) for WooCommerce265961,307800Non-prefixed global variable
#1150XL NMI Gateway for WooCommerce266954361k+Text Domain Mismatch