missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1351 | Businessx Extensions | 29 | 337 | 529 | 1k+ | Non-prefixed function | ||
| #1352 | Chained Quiz | 29 | 1,132 | 721 | 1k+ | Text Domain Mismatch | ||
| #1353 | Countdown, Coming Soon, Maintenance – Countdown & Clock | 29 | 1,735 | 143 | 10k+ | Non Singular String Literal Domain | ||
| #1354 | WPCS – WordPress Currency Switcher Professional | 29 | 84 | 358 | 900 | Non-prefixed global variable | ||
| #1355 | Custom Field Template | 29 | 568 | 530 | 30k+ | wp function not compatible with requires wp | ||
| #1356 | DB Cache Reloaded Fix | 29 | 133 | 42 | 2k+ | Output is not escaped | ||
| #1357 | Di Themes Demo Site Importer | 29 | 343 | 183 | 1k+ | Text Domain Mismatch | ||
| #1358 | Display Tweets | 29 | 135 | 135 | 900 | Non-prefixed global variable | ||
| #1359 | Document Gallery | 29 | 183 | 98 | 8k+ | Output is not escaped | ||
| #1360 | Interactive Image Map Plugin – Draw Attention | 29 | 620 | 227 | 20k+ | Output is not escaped | ||
| #1361 | ECPay Ecommerce for WooCommerce | 29 | 248 | 370 | 2k+ | Missing nonce verification | ||
| #1362 | Everest Toolkit | 29 | 145 | 141 | 1k+ | Missing Translators Comment | ||
| #1363 | FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider | 29 | 74 | 78 | 600k+ | Missing Translators Comment | ||
| #1364 | Getwid – Gutenberg Blocks | 29 | 139 | 173 | 50k+ | Non-prefixed global variable | ||
| #1365 | Gianism | 29 | 391 | 154 | 700 | Text Domain Mismatch | ||
| #1366 | reCaptcha by BestWebSoft | 29 | 474 | 272 | 100k+ | Text Domain Mismatch | ||
| #1367 | Easy HTTPS Redirection (SSL) | 29 | 266 | 152 | 100k+ | Unsafe printing function | ||
| #1368 | Icyclub | 29 | 557 | 139 | 10k+ | Output is not escaped | ||
| #1369 | Image Hover Effects Ultimate ( Image Gallery, Effects, Lightbox, Comparison & Magnifier ) | 29 | 20 | 826 | 20k+ | Non-prefixed namespace | ||
| #1370 | Interactive World Map | 29 | 684 | 341 | 1k+ | Text Domain Mismatch | ||
| #1371 | Jetpack Boost – Website Speed, Performance and Critical CSS | 29 | 659 | 247 | 200k+ | Text Domain Mismatch | ||
| #1372 | Wishlist for WooCommerce | 29 | 610 | 296 | 600 | Output is not escaped | ||
| #1373 | Kits, Templates and Patterns | 29 | 380 | 91 | 5k+ | Text Domain Mismatch | ||
| #1374 | Laposta WooCommerce | 29 | 96 | 115 | 500 | Non-prefixed global variable | ||
| #1375 | Liteweight Podcast – Host and Embed Podcast Episodes | 29 | 536 | 239 | 500 | Output is not escaped | ||
| #1376 | Login Me Now – Passwordless, Magic Link, OTP & Social Login for WordPress | 29 | 86 | 233 | 500 | Nonce verification recommended | ||
| #1377 | Meow Gallery | 29 | 113 | 182 | 10k+ | Direct Query | ||
| #1378 | miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) | 29 | 92 | 898 | 10k+ | Request data is not unslashed | ||
| #1379 | Music Player for WooCommerce | 29 | 107 | 156 | 1k+ | Non-prefixed global variable | ||
| #1380 | Page Restrict for WooCommerce | 29 | 579 | 374 | 700 | Text Domain Mismatch | ||
| #1381 | Page View Count | 29 | 106 | 246 | 10k+ | Dynamic hook name | ||
| #1382 | pCloud WP Backup | 29 | 120 | 73 | 1k+ | Exception output is not escaped | ||
| #1383 | PhastPress | 29 | 95 | 52 | 10k+ | Exception output is not escaped | ||
| #1384 | PlatiOnline Payments | 29 | 304 | 110 | 700 | Output is not escaped | ||
| #1385 | Post Timeline | 29 | 91 | 200 | 800 | Missing nonce verification | ||
| #1386 | Pósturinn\'s Shipping with WooCommerce | 29 | 713 | 551 | 500 | Text Domain Mismatch | ||
| #1387 | Recipe Card Blocks Lite | 29 | 151 | 408 | 10k+ | Non-prefixed global variable | ||
| #1388 | Relevant – Related, Featured, Latest, and Popular Posts by BestWebSoft | 29 | 487 | 262 | 800 | Text Domain Mismatch | ||
| #1389 | Responder | 29 | 77 | 185 | 3k+ | Non-prefixed global variable | ||
| #1390 | SamedayCourier Shipping | 29 | 336 | 269 | 4k+ | Non Singular String Literal Domain | ||
| #1391 | Security Ninja – WordPress Security & Firewall | 29 | 149 | 347 | 7k+ | Direct Query | ||
| #1392 | Sender – Newsletter, SMS and Email Marketing Automation for WooCommerce | 29 | 148 | 245 | 5k+ | Unsafe printing function | ||
| #1393 | Page Builder by SiteOrigin | 29 | 266 | 215 | 400k+ | Output is not escaped | ||
| #1394 | Slider by BestWebSoft | 29 | 478 | 336 | 400 | Text Domain Mismatch | ||
| #1395 | Social Engine | 29 | 133 | 90 | 600 | Exception output is not escaped | ||
| #1396 | SQLite Database Integration | 29 | 161 | 89 | 3k+ | Exception output is not escaped | ||
| #1397 | BuddyPress Builder for Elementor – BuddyBuilder | 29 | 348 | 329 | 1k+ | Text Domain Mismatch | ||
| #1398 | SureForms – Drag & Drop Contact Form & Form Builder, Payment Form, Survey, Quiz & Calculator | 29 | 336 | 198 | 500k+ | Text Domain Mismatch | ||
| #1399 | SureMembers – Membership & Content Restriction Plugin | 29 | 359 | 248 | 1k+ | Text Domain Mismatch | ||
| #1400 | Themify Popup | 29 | 232 | 108 | 8k+ | Text Domain Mismatch |