missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

Add a guard near the top of PHP files that are not intended to be requested directly.
Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

References

WordPress Coding Standards

Affected Plugins

Rank	Plugin	Score	Errors	Warnings	Installs	Added	Updated	Top Issue
#101	Wise Chat	21	470	506	5k+	12 years ago	4 months ago	Output is not escaped
#102	Paysera Payment Gateway for WooCommerce	21	1,866	195	7k+	8 years ago	19 days ago	Exception output is not escaped
#103	Booster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Tools	21	786	3,395	30k+	12 years ago	6 days ago	Non-prefixed global variable
#104	Pay For Post with WooCommerce	21	960	1,474	1k+	12 years ago	5 months ago	Non-prefixed global variable
#105	PPOM – Product Addons & Custom Fields for WooCommerce	21	336	1,325	20k+	11 years ago	today	Non-prefixed global variable
#106	Wordfence Security – Firewall, Malware Scan, and Login Security	21	1,592	2,973	5m+	14 years ago	1 month ago	Output is not escaped
#107	WP-Lister Lite for eBay	21	6,697	5,129	2k+	14 years ago	20 days ago	Output is not escaped
#108	WP phpMyAdmin	21	4,528	6,435	50k+	8 years ago	8 months ago	Missing Arg Domain
#109	wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin	21	1,814	1,461	70k+	11 years ago	yesterday	Output is not escaped
#110	Premium Packages – Sell Digital Products Securely	21	2,765	2,444	3k+	8 years ago	6 months ago	Output is not escaped
#111	WPScan – WordPress Security Scanner	21	527	265	8k+	7 years ago	5 months ago	Text Domain Mismatch
#112	Frontend Admin by DynamiApps	22	5,922	3,208	10k+	7 years ago	6 days ago	Text Domain Mismatch
#113	Advanced Ads – Ad Manager & AdSense	22	578	734	100k+	12 years ago	15 days ago	Non-prefixed global variable
#114	Advanced Classifieds & Directory Pro	22	1,229	3,511	2k+	10 years ago	3 months ago	Non-prefixed global variable
#115	Advanced Form Integration — Connect Forms to 200+ Apps	22	5,771	4,678	10k+	7 years ago	5 days ago	wp function not compatible with requires wp
#116	Ajax Load More – Infinite Scroll, Load More, & Lazy Load	22	641	595	40k+	12 years ago	19 days ago	Unsafe printing function
#117	All-in-One Video Gallery	22	911	2,892	20k+	9 years ago	today	Non-prefixed global variable
#118	Booking for Appointments and Events Calendar – Amelia	22	1,489	480	90k+	8 years ago	5 days ago	Exception output is not escaped
#119	Shortcodes and extra features for Phlox theme	22	413	426	90k+	10 years ago	2 months ago	Output is not escaped
#120	Knowledge Base documentation & wiki plugin – BasePress Docs	22	671	1,767	2k+	9 years ago	5 months ago	Non-prefixed global variable
#121	Borderless – Addons and Templates for Elementor	22	438	1,388	5k+	5 years ago	7 months ago	Non-prefixed global variable
#122	Better Messages – Chat Rooms, Group Chat, Private Messages & AI Chat Bots	22	1,604	2,019	10k+	9 years ago	13 days ago	Direct Query
#123	BuddyPress	22	583	9,008	100k+	17 years ago	9 months ago	Non-prefixed function
#124	Better WordPress Minify	22	412	484	8k+	15 years ago	9 years ago	Non Singular String Literal Domain
#125	Captcha by BestWebSoft – Advanced Spam Protection, Math & OCR-Friendly Captcha for Site Forms	22	493	295	10k+	9 years ago	3 months ago	Text Domain Mismatch
#126	Divi Carousel Lite – 17+ Carousel Module	22	967	1,275	10k+	4 years ago	4 months ago	Non-prefixed global variable
#127	Cleanup Action Scheduler	22	545	1,306	1k+	4 years ago	1 year ago	Non-prefixed global variable
#128	Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer	22	2,858	1,270	50k+	9 years ago	2 months ago	Text Domain Mismatch
#129	Code Profiler – WordPress Performance Profiling and Debugging Made Easy	22	265	400	8k+	5 years ago	11 days ago	Non-prefixed global variable
#130	Passster – Password Protect Pages and Content	22	539	1,419	10k+	13 years ago	21 days ago	Non-prefixed global variable
#131	Cozy Blocks – Page Builder for Gutenberg Editor & FSE with 500+ Patterns, 57 Blocks & Templates	22	2,167	4,175	7k+	4 years ago	7 days ago	Non-prefixed global variable
#132	RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login	22	3,654	5,061	8k+	12 years ago	yesterday	Non-prefixed global variable
#133	WP Customer Area	22	3,308	941	10k+	13 years ago	2 months ago	Text Domain Mismatch
#134	SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager	22	705	845	8k+	5 years ago	yesterday	Non-prefixed global variable
#135	Data Tables Generator by Supsystic	22	156	144	10k+	11 years ago	yesterday	Exception output is not escaped
#136	Directorist: AI-Powered Business Directory, Listings & Classified Ads	22	443	2,129	20k+	9 years ago	14 days ago	Non-prefixed global variable
#137	Download Manager	22	2,290	1,301	100k+	16 years ago	7 days ago	Output is not escaped
#138	Dynamic QR Code – generator	22	238	208	6k+	4 years ago	1 year ago	Missing direct file access protection
#139	E2Pdf – Export Pdf Tool for WordPress	22	1,075	836	10k+	8 years ago	7 days ago	Unsafe printing function
#140	Easy Social Feed – Social Photos Gallery and Post Feed for WordPress	22	1,567	1,277	30k+	12 years ago	2 months ago	Non-prefixed global variable
#141	EleSpare – News, Magazine and Blog Addons for Elementor	22	733	1,423	10k+	5 years ago	28 days ago	Non-prefixed global variable
#142	Estatik Real Estate Plugin	22	3,049	325	10k+	11 years ago	10 days ago	Text Domain Mismatch
#143	Events Manager – Calendar, Bookings, Tickets, and more!	22	4,722	5,621	70k+	18 years ago	4 days ago	Output is not escaped
#144	Falang multilanguage for WordPress	22	716	769	1k+	7 years ago	12 days ago	Output is not escaped
#145	File Manager Pro – Filester	22	565	391	100k+	6 years ago	1 month ago	Request data is not unslashed
#146	Finale Lite – Sales Countdown Timer & Discount for WooCommerce	22	1,031	451	4k+	9 years ago	1 year ago	Output is not escaped
#147	FireBox Popups – Increase Sales and Grow Your Email List	22	153	812	7k+	5 years ago	8 days ago	Non-prefixed global variable
#148	Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder	22	409	236	700k+	8 years ago	14 days ago	Text Domain Mismatch
#149	Notification Bar, Announcement and Cookie Notice WordPress Plugin – FooBar	22	1,321	1,371	3k+	15 years ago	1 month ago	Non-prefixed global variable
#150	Five Star Restaurant Menu and Food Ordering	22	752	609	5k+	13 years ago	20 days ago	Output is not escaped