missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1651Speed Kit32296732k+Output is not escaped
#1652Better Chat Support for Messenger32731031k+Interpolated SQL is not prepared
#1653Better Robots.txt – AI-Ready Crawl Control & Bot Governance3255835k+error log error log
#1654Blog2Social: Social Media Auto Post & Scheduler32795750k+Direct Query
#1655Bosa Elementor Addons and Templates for WooCommerce324016520k+slow db query tax query
#1656BP Classic326642166k+Unsafe printing function
#1657BuddyPress for LearnDash321902841k+Output is not escaped
#1658Quantity Discounts, Breaks & Product Bundles for Woocommerce By Bundler32147319400Direct Query
#1659Child Theme Configurator32442267300k+Unsafe printing function
#1660Vimeotheque – Vimeo WordPress Plugin & Video Gallery326422642k+Unsafe printing function
#1661Color and Image Swatches for Variable Product Attributes321731111k+Output is not escaped
#1662Ultimate WooCommerce Filters32322207600Unsafe printing function
#1663Contact Form Builder by vcita32666174700Text Domain Mismatch
#1664Cooked – Recipe Management324622753k+Output is not escaped
#1665CSV Import and Exporter32831381k+Non-prefixed global variable
#1666Currency Switcher for WooCommerce3235726310k+Text Domain Mismatch
#1667DHL eCommerce (Benelux) for WooCommerce322223302k+Nonce verification recommended
#1668Download Attachments32691888k+Non-prefixed hook name
#1669Enter Addons – Ultimate Template Builder for Elementor3282721k+Output is not escaped
#1670Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection)325601985k+Text Domain Mismatch
#1671Fable Extra32792824k+Non-prefixed global variable
#1672AC's Loan Calculator32246187400Unsafe printing function
#1673FA Lite – WP responsive slider plugin32726140500Unsafe printing function
#1674Freesoul Deactivate Plugins – Disable plugins on individual WordPress pages32537768k+Nonce verification recommended
#1675Gallery Box32395431k+Text Domain Mismatch
#1676GlotPress32403103500Unsafe printing function
#1677Insights from Google PageSpeed3241447520k+Text Domain Mismatch
#1678GSheetConnector For Ninja Forms32165931k+Unsafe printing function
#1679GSheetConnector For WPForms – WPForms Google Sheets Integration (Real-Time Sync)321201458k+Non-prefixed global variable
#1680Translate WordPress with GTranslate3282364900k+Non-prefixed global variable
#1681Gwolle Guestbook3226952720k+Output is not escaped
#1682Honeypot Toolkit32155770400Missing nonce verification
#1683HTML5 jQuery Audio Player322511531k+Unsafe printing function
#1684Image Slider Slideshow324091712k+Text Domain Mismatch
#1685RealHomes Stripe Payments3220133500Exception output is not escaped
#1686Jetpack VaultPress Backup3255421120k+Text Domain Mismatch
#1687Juiz Last Tweet Widget3213653500Output is not escaped
#1688Manager for IcoMoon3227068400Short PHP open tag found
#1689MapPress Maps for WordPress3269513330k+Missing Arg Domain
#1690Muslim Prayer Time-Salah/Iqamah32155179400date date
#1691MetaSlider Gallery – Image Gallery, Lightbox Galleries, Modal Windows321596210k+Output is not escaped
#1692WP Mobile Menu – The Mobile-Friendly Responsive Menu3299019570k+Output is not escaped
#1693Notice Bar3295284700Non-prefixed global variable
#1694Opal Mega Menu32419119400Text Domain Mismatch
#1695Popup Builder & Popup Maker for WordPress – OptinMonster Email Marketing and Lead Generation32462411m+Text Domain Mismatch
#1696Organization chart321873345k+SQL query is not prepared
#1697DEPRECATED – Shipmondo – A complete shipping solution for WooCommerce321661195k+Output is not escaped
#1698Account Engagement32115742k+Output is not escaped
#1699Barion Payment Gateway for WooCommerce32671526k+Non-prefixed global variable
#1700Autopay dla WooCommerce329583900Output is not escaped