missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1301Redis Object Cache28151103400k+Exception output is not escaped
#1302Brilliant Web-to-Lead for Salesforce282472442k+Text Domain Mismatch
#1303Secure Downloads28616406600Output is not escaped
#1304Transliterator – Multilingual and Multi-script Text Conversion283053223k+Output is not escaped
#1305Slider Pro285835274k+Unsafe printing function
#1306Sparkle Demo Importer283071665k+Text Domain Mismatch
#1307ST Elementor Addons28224374500Non-prefixed global variable
#1308Tab – Accordion, FAQ281045421k+Non-prefixed global variable
#1309Temporary Login Without Password28128131100k+wp function not compatible with requires wp
#1310Terms descriptions282224231k+Non-prefixed function
#1311Themesflat Addons For Elementor2871422740k+Output is not escaped
#1312Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor2829129220k+Output is not escaped
#1313Ultimate FAQ Accordion Plugin2838622730k+Unsafe printing function
#1314Jetpack VaultPress287136210k+Missing nonce verification
#1315VG WORT METIS28150317900Nonce verification recommended
#1316WC Fields Factory281943697k+Nonce verification recommended
#131710WebSocial2858418510k+Unsafe printing function
#1318WeeConnectPay – Clover Payment Gateway for WooCommerce28179171500Exception output is not escaped
#1319PayZen for WooCommerce28258214600Output is not escaped
#1320Product Gallery Slider, Additional Variation Images for WooCommerce2855231620k+Output is not escaped
#1321Dynamic Product Gallery for WooCommerce284143011k+Output is not escaped
#1322Email Inquiry & Cart Options for WooCommerce28181273800Output is not escaped
#1323Product Sort and Display for WooCommerce281902292k+Output is not escaped
#1324WP ADA Compliance Check Basic287851773k+Text Domain Mismatch
#1325WP Booking System – Booking Calendar2850254920k+Output is not escaped
#1326WP GoToWebinar28207207700Non-prefixed function
#1327WP Mapbox GL JS Maps281041191k+Output is not escaped
#1328Connect Matomo – Analytics Dashboard for WordPress2810010260k+Missing Translators Comment
#1329WP Travel Gutenberg Blocks28485157900Output is not escaped
#1330WhyDonate – FREE Donate button – Crowdfunding – Fundraising28216328800Non-prefixed global variable
#1331WP YouTube Lyte2820417820k+Non-prefixed global variable
#1332WPO365 | SEAMLESS WORDPRESS + MICROSOFT INTEGRATION (WPO365 | LOGIN)2820921710k+Exception output is not escaped
#1333WPS Bidouille2847221510k+Output is not escaped
#1334WP Synchro – The Ultimate WordPress Migration Tool282432442k+Missing Translators Comment
#1335WxSync-标准云微信公众号文章免费采集-任意公众号自动采集付费购买2857138500Request data is not unslashed
#1336YITH WooCommerce Product Bundles284041,4803k+Non-prefixed global variable
#1337Accordion Slider293914472k+Unsafe printing function
#1338Accordion Slider Gallery293791421k+Text Domain Mismatch
#1339Advanced coupon for WooCommerce29472242900Text Domain Mismatch
#1340Adminimize29296691200k+Non-prefixed global variable
#1341Alt Text AI – Automatically generate image alt text for SEO and accessibility297228020k+Non-prefixed global variable
#1342AppPresser – Mobile App Framework292622141k+Text Domain Mismatch
#1343aThemeArt Theme Helper292061512k+Non-prefixed global variable
#1344aThemes Starter Sites2926821440k+Text Domain Mismatch
#1345Attribute Stock for WooCommerce – Shared Stock & Variable Quantities (Lite Version)294813132k+Text Domain Mismatch
#1346Better Google Analytics293768692k+Non-prefixed global variable
#1347Bitcoin Payments – Blockonomics292082272k+Output is not escaped
#1348BNE Testimonials295211021k+Output is not escaped
#1349Order Delivery Date Time & Pickup for WooCommerce29667244500Output is not escaped
#1350Branded Social Images – Open Graph Images with logo and extra text layer2925491900Non Singular String Literal Domain