missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1351Businessx Extensions293375291k+Non-prefixed function
#1352Chained Quiz291,1327211k+Text Domain Mismatch
#1353Countdown, Coming Soon, Maintenance – Countdown & Clock291,73514310k+Non Singular String Literal Domain
#1354WPCS – WordPress Currency Switcher Professional2984358900Non-prefixed global variable
#1355Custom Field Template2956853030k+wp function not compatible with requires wp
#1356DB Cache Reloaded Fix29133422k+Output is not escaped
#1357Di Themes Demo Site Importer293431831k+Text Domain Mismatch
#1358Display Tweets29135135900Non-prefixed global variable
#1359Document Gallery29183988k+Output is not escaped
#1360Interactive Image Map Plugin – Draw Attention2962022720k+Output is not escaped
#1361ECPay Ecommerce for WooCommerce292483702k+Missing nonce verification
#1362Everest Toolkit291451411k+Missing Translators Comment
#1363FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider297478600k+Missing Translators Comment
#1364Getwid – Gutenberg Blocks2913917350k+Non-prefixed global variable
#1365Gianism29391154700Text Domain Mismatch
#1366reCaptcha by BestWebSoft29474272100k+Text Domain Mismatch
#1367Easy HTTPS Redirection (SSL)29266152100k+Unsafe printing function
#1368Icyclub2955713910k+Output is not escaped
#1369Image Hover Effects Ultimate ( Image Gallery, Effects, Lightbox, Comparison & Magnifier )292082620k+Non-prefixed namespace
#1370Interactive World Map296843411k+Text Domain Mismatch
#1371Jetpack Boost – Website Speed, Performance and Critical CSS29659247200k+Text Domain Mismatch
#1372Wishlist for WooCommerce29610296600Output is not escaped
#1373Kits, Templates and Patterns29380915k+Text Domain Mismatch
#1374Laposta WooCommerce2996115500Non-prefixed global variable
#1375Liteweight Podcast – Host and Embed Podcast Episodes29536239500Output is not escaped
#1376Login Me Now – Passwordless, Magic Link, OTP & Social Login for WordPress2986233500Nonce verification recommended
#1377Meow Gallery2911318210k+Direct Query
#1378miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)299289810k+Request data is not unslashed
#1379Music Player for WooCommerce291071561k+Non-prefixed global variable
#1380Page Restrict for WooCommerce29579374700Text Domain Mismatch
#1381Page View Count2910624610k+Dynamic hook name
#1382pCloud WP Backup29120731k+Exception output is not escaped
#1383PhastPress29955210k+Exception output is not escaped
#1384PlatiOnline Payments29304110700Output is not escaped
#1385Post Timeline2991200800Missing nonce verification
#1386Pósturinn\'s Shipping with WooCommerce29713551500Text Domain Mismatch
#1387Recipe Card Blocks Lite2915140810k+Non-prefixed global variable
#1388Relevant – Related, Featured, Latest, and Popular Posts by BestWebSoft29487262800Text Domain Mismatch
#1389Responder29771853k+Non-prefixed global variable
#1390SamedayCourier Shipping293362694k+Non Singular String Literal Domain
#1391Security Ninja – WordPress Security & Firewall291493477k+Direct Query
#1392Sender – Newsletter, SMS and Email Marketing Automation for WooCommerce291482455k+Unsafe printing function
#1393Page Builder by SiteOrigin29266215400k+Output is not escaped
#1394Slider by BestWebSoft29478336400Text Domain Mismatch
#1395Social Engine2913390600Exception output is not escaped
#1396SQLite Database Integration29161893k+Exception output is not escaped
#1397BuddyPress Builder for Elementor – BuddyBuilder293483291k+Text Domain Mismatch
#1398SureForms – Drag & Drop Contact Form & Form Builder, Payment Form, Survey, Quiz & Calculator29336198500k+Text Domain Mismatch
#1399SureMembers – Membership & Content Restriction Plugin293592481k+Text Domain Mismatch
#1400Themify Popup292321088k+Text Domain Mismatch