missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1551DirectoryPress Frontend31402563800Non-prefixed global variable
#1552Domain Mapping System | Create Microsites with Multiple Alias Domains (multisite optional)311132332k+Non-prefixed namespace
#1553Download Plugin317810260k+Output is not escaped
#1554Up2pay e-Transactions WooCommerce Payment Gateway314591754k+Text Domain Mismatch
#1555EnvoThemes Demo Import312211403k+Output is not escaped
#1556Export Order Items for WooCommerce311001081k+Text Domain Mismatch
#1557Express Checkout via PayPal for WooCommerce31158200800Nonce verification recommended
#1558افزونه پیامک حرفه ای فراز اس ام اس31891801k+wp function not compatible with requires wp
#1559FastDup – Fastest WordPress Migration & Duplicator3183665k+wp function not compatible with requires wp
#1560FraudLabs Pro for WooCommerce311692131k+Request data is not unslashed
#1561g-FFL Checkout31249300600Request data is not unslashed
#1562GS Pinterest Portfolio – Pins Grid, Masonry, User Profile, Popup & Board Widgets314021561k+Text Domain Mismatch
#1563HFD ePost Integration311861101k+Text Domain Mismatch
#1564OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.3121362300k+Output is not escaped
#1565HT Easy GA4 – Google Analytics WordPress Plugin31475936k+Text Domain Mismatch
#1566HT Mega – Absolute Addons for WPBakery Page Builder312,740115900Text Domain Mismatch
#1567Image Hotspot – Map Image Annotation31952873k+Non-prefixed global variable
#1568Interactive Image Map Builder311603811k+Non-prefixed global variable
#1569Kindeditor For WordPress3163130500Non-prefixed global variable
#1570Linguise – AI Automatic Multilingual Translation31612841k+Non-prefixed global variable
#1571Keywords to Links Converter31288144700Text Domain Mismatch
#1572Login rebuilder3140622620k+Non Singular String Literal Domain
#1573Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity311221312k+Output is not escaped
#1574LWS Tools3110413410k+Request data is not unslashed
#1575Mailgun for WordPress311447580k+Unsafe printing function
#1576MainWP Dashboard: Self-hosted WordPress Management for Agencies319531720k+Interpolated SQL is not prepared
#1577Melapress Login Security31692782k+Non-prefixed global variable
#1578Nova Blocks by Pixelgrade31209110800Output is not escaped
#1579Openpay Cards Plugin311661053k+Text Domain Mismatch
#1580Openpay Stores Plugin31121751k+Non-prefixed global variable
#1581PanoPress311112342k+Output is not escaped
#1582Pop-up311039110k+Output is not escaped
#1583Portfolio, Gallery, Product Catalog – Grid KIT Portfolio31613296k+Non-prefixed global variable
#1584Post Pay Counter316392381k+Output is not escaped
#1585Active Products Tables for WooCommerce. Use constructor to create tables313644241k+Output is not escaped
#1586Push notification for Mobile and Web app318783400Non Singular String Literal Domain
#1587Qi Blocks314634560k+Non-prefixed global variable
#1588Qode Essential Addons315529510k+Non-prefixed global variable
#1589Query Monitor3144273200k+Non-prefixed class
#1590Raffle Play Woocommerce31151199800Output is not escaped
#1591Re:amaze Helpdesk & Live Chat3196115400Output is not escaped
#1592reCAPTCHA in WP comments form31264608k+Output is not escaped
#1593Redirection31393232m+Direct Query
#1594Accordion FAQ – Compatible With All Page Builder (Elementor, Gutenberg)3146020130k+Non Singular String Literal Domain
#1595Coming Soon Page & Maintenance Mode316132663k+Text Domain Mismatch
#1596Social Share Buttons314621561k+Text Domain Mismatch
#1597Sidebar Manager Light31221761k+Text Domain Mismatch
#1598Simple calendar for Elementor31125270500Direct Query
#1599Slider Carousel – Image Slider312241,2333k+Request data is not unslashed
#1600Smart Keywords Tool – 智能关键词插件3136133600Non Singular String Literal Domain