missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1551 | DirectoryPress Frontend | 31 | 402 | 563 | 800 | Non-prefixed global variable | ||
| #1552 | Domain Mapping System | Create Microsites with Multiple Alias Domains (multisite optional) | 31 | 113 | 233 | 2k+ | Non-prefixed namespace | ||
| #1553 | Download Plugin | 31 | 78 | 102 | 60k+ | Output is not escaped | ||
| #1554 | Up2pay e-Transactions WooCommerce Payment Gateway | 31 | 459 | 175 | 4k+ | Text Domain Mismatch | ||
| #1555 | EnvoThemes Demo Import | 31 | 221 | 140 | 3k+ | Output is not escaped | ||
| #1556 | Export Order Items for WooCommerce | 31 | 100 | 108 | 1k+ | Text Domain Mismatch | ||
| #1557 | Express Checkout via PayPal for WooCommerce | 31 | 158 | 200 | 800 | Nonce verification recommended | ||
| #1558 | افزونه پیامک حرفه ای فراز اس ام اس | 31 | 89 | 180 | 1k+ | wp function not compatible with requires wp | ||
| #1559 | FastDup – Fastest WordPress Migration & Duplicator | 31 | 83 | 66 | 5k+ | wp function not compatible with requires wp | ||
| #1560 | FraudLabs Pro for WooCommerce | 31 | 169 | 213 | 1k+ | Request data is not unslashed | ||
| #1561 | g-FFL Checkout | 31 | 249 | 300 | 600 | Request data is not unslashed | ||
| #1562 | GS Pinterest Portfolio – Pins Grid, Masonry, User Profile, Popup & Board Widgets | 31 | 402 | 156 | 1k+ | Text Domain Mismatch | ||
| #1563 | HFD ePost Integration | 31 | 186 | 110 | 1k+ | Text Domain Mismatch | ||
| #1564 | OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. | 31 | 213 | 62 | 300k+ | Output is not escaped | ||
| #1565 | HT Easy GA4 – Google Analytics WordPress Plugin | 31 | 475 | 93 | 6k+ | Text Domain Mismatch | ||
| #1566 | HT Mega – Absolute Addons for WPBakery Page Builder | 31 | 2,740 | 115 | 900 | Text Domain Mismatch | ||
| #1567 | Image Hotspot – Map Image Annotation | 31 | 95 | 287 | 3k+ | Non-prefixed global variable | ||
| #1568 | Interactive Image Map Builder | 31 | 160 | 381 | 1k+ | Non-prefixed global variable | ||
| #1569 | Kindeditor For WordPress | 31 | 63 | 130 | 500 | Non-prefixed global variable | ||
| #1570 | Linguise – AI Automatic Multilingual Translation | 31 | 61 | 284 | 1k+ | Non-prefixed global variable | ||
| #1571 | Keywords to Links Converter | 31 | 288 | 144 | 700 | Text Domain Mismatch | ||
| #1572 | Login rebuilder | 31 | 406 | 226 | 20k+ | Non Singular String Literal Domain | ||
| #1573 | Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity | 31 | 122 | 131 | 2k+ | Output is not escaped | ||
| #1574 | LWS Tools | 31 | 104 | 134 | 10k+ | Request data is not unslashed | ||
| #1575 | Mailgun for WordPress | 31 | 144 | 75 | 80k+ | Unsafe printing function | ||
| #1576 | MainWP Dashboard: Self-hosted WordPress Management for Agencies | 31 | 95 | 317 | 20k+ | Interpolated SQL is not prepared | ||
| #1577 | Melapress Login Security | 31 | 69 | 278 | 2k+ | Non-prefixed global variable | ||
| #1578 | Nova Blocks by Pixelgrade | 31 | 209 | 110 | 800 | Output is not escaped | ||
| #1579 | Openpay Cards Plugin | 31 | 166 | 105 | 3k+ | Text Domain Mismatch | ||
| #1580 | Openpay Stores Plugin | 31 | 121 | 75 | 1k+ | Non-prefixed global variable | ||
| #1581 | PanoPress | 31 | 111 | 234 | 2k+ | Output is not escaped | ||
| #1582 | Pop-up | 31 | 103 | 91 | 10k+ | Output is not escaped | ||
| #1583 | Portfolio, Gallery, Product Catalog – Grid KIT Portfolio | 31 | 61 | 329 | 6k+ | Non-prefixed global variable | ||
| #1584 | Post Pay Counter | 31 | 639 | 238 | 1k+ | Output is not escaped | ||
| #1585 | Active Products Tables for WooCommerce. Use constructor to create tables | 31 | 364 | 424 | 1k+ | Output is not escaped | ||
| #1586 | Push notification for Mobile and Web app | 31 | 87 | 83 | 400 | Non Singular String Literal Domain | ||
| #1587 | Qi Blocks | 31 | 46 | 345 | 60k+ | Non-prefixed global variable | ||
| #1588 | Qode Essential Addons | 31 | 55 | 295 | 10k+ | Non-prefixed global variable | ||
| #1589 | Query Monitor | 31 | 44 | 273 | 200k+ | Non-prefixed class | ||
| #1590 | Raffle Play Woocommerce | 31 | 151 | 199 | 800 | Output is not escaped | ||
| #1591 | Re:amaze Helpdesk & Live Chat | 31 | 96 | 115 | 400 | Output is not escaped | ||
| #1592 | reCAPTCHA in WP comments form | 31 | 264 | 60 | 8k+ | Output is not escaped | ||
| #1593 | Redirection | 31 | 39 | 323 | 2m+ | Direct Query | ||
| #1594 | Accordion FAQ – Compatible With All Page Builder (Elementor, Gutenberg) | 31 | 460 | 201 | 30k+ | Non Singular String Literal Domain | ||
| #1595 | Coming Soon Page & Maintenance Mode | 31 | 613 | 266 | 3k+ | Text Domain Mismatch | ||
| #1596 | Social Share Buttons | 31 | 462 | 156 | 1k+ | Text Domain Mismatch | ||
| #1597 | Sidebar Manager Light | 31 | 221 | 76 | 1k+ | Text Domain Mismatch | ||
| #1598 | Simple calendar for Elementor | 31 | 125 | 270 | 500 | Direct Query | ||
| #1599 | Slider Carousel – Image Slider | 31 | 224 | 1,233 | 3k+ | Request data is not unslashed | ||
| #1600 | Smart Keywords Tool – 智能关键词插件 | 31 | 361 | 33 | 600 | Non Singular String Literal Domain |