missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1701 | PilotPress | 32 | 150 | 285 | 900 | Output is not escaped | ||
| #1702 | TS Poll – Survey, Versus Poll, Image Poll, Video Poll | 32 | 570 | 171 | 4k+ | Text Domain Mismatch | ||
| #1703 | Post and Page Builder by BoldGrid – Visual Drag and Drop Editor | 32 | 348 | 258 | 50k+ | Output is not escaped | ||
| #1704 | Posti Shipping | 32 | 664 | 157 | 1k+ | Text Domain Mismatch | ||
| #1705 | Volunteer Sign Up Sheets | 32 | 967 | 401 | 1k+ | Output is not escaped | ||
| #1706 | Quick Featured Images | 32 | 436 | 323 | 50k+ | Non-prefixed global variable | ||
| #1707 | Relevanssi – A Better Search | 32 | 86 | 266 | 100k+ | Missing direct file access protection | ||
| #1708 | Responsive Filterable Portfolio Gallery – Media Grid & Video Portfolio | 32 | 436 | 163 | 1k+ | Output is not escaped | ||
| #1709 | Restrict Usernames Emails Characters | 32 | 327 | 367 | 1k+ | Output is not escaped | ||
| #1710 | WowRevenue – Product Bundles & Bulk Discounts | 32 | 13 | 2,027 | 1k+ | Non-prefixed global variable | ||
| #1711 | Revolut Gateway for WooCommerce | 32 | 85 | 157 | 7k+ | Input is not sanitized | ||
| #1712 | RSS for Yandex Turbo | 32 | 687 | 307 | 20k+ | Unsafe printing function | ||
| #1713 | Showcase IDX Real Estate Search & Lead Capture | 32 | 123 | 52 | 2k+ | Output is not escaped | ||
| #1714 | Simple Ajax Chat – Add a Fast, Secure Chat Box | 32 | 107 | 266 | 2k+ | Output is not escaped | ||
| #1715 | Site Search 360 | 32 | 202 | 213 | 400 | Output is not escaped | ||
| #1716 | Sky Addons for Elementor | 32 | 85 | 351 | 2k+ | Non-prefixed namespace | ||
| #1717 | Spoki – Chat Buttons and WooCommerce Notifications | 32 | 1,074 | 260 | 700 | Unsafe printing function | ||
| #1718 | Stock Locations for WooCommerce | 32 | 549 | 360 | 1k+ | Output is not escaped | ||
| #1719 | Stock Sync for WooCommerce | 32 | 362 | 232 | 1k+ | Text Domain Mismatch | ||
| #1720 | Subscribe2 – Form, Email Subscribers & Newsletters | 32 | 32 | 410 | 10k+ | Direct Query | ||
| #1721 | System Dashboard | 32 | 91 | 205 | 1k+ | Request data is not unslashed | ||
| #1722 | Tainacan Support for Blocksy | 32 | 244 | 526 | 500 | Non-prefixed global variable | ||
| #1723 | Theme My Login | 32 | 251 | 549 | 60k+ | Non-prefixed function | ||
| #1724 | TK Google Fonts GDPR Compliant | 32 | 582 | 34 | 1k+ | Output is not escaped | ||
| #1725 | Tumult Hype Animations | 32 | 56 | 117 | 1k+ | Output is not escaped | ||
| #1726 | UiCore Blocks – Free WordPress Gutenberg Blocks | 32 | 59 | 394 | 500 | Non-prefixed global variable | ||
| #1727 | Ultimate Store Kit – Addon For WooCommerce, EDD and Elementor | 32 | 57 | 293 | 4k+ | Post Not In exclude | ||
| #1728 | Unbounce Landing Pages | 32 | 169 | 86 | 10k+ | Output is not escaped | ||
| #1729 | Secure Client Portal and Private File Sharing Plugin – User Private Files | 32 | 183 | 525 | 1k+ | Non-prefixed global variable | ||
| #1730 | User Registration Using Contact Form 7 | 32 | 103 | 15 | 500 | wp function not compatible with requires wp | ||
| #1731 | Multi Currency For WooCommerce | 32 | 87 | 70 | 1k+ | Non-prefixed global variable | ||
| #1732 | Webdzier Companion | 32 | 539 | 89 | 800 | Text Domain Mismatch | ||
| #1733 | WebwinkelKeur: Webshop keurmerk & reviews for WordPress | 32 | 200 | 47 | 4k+ | Short PHP open tag found | ||
| #1734 | Easy 3D Viewer | 32 | 399 | 241 | 1k+ | Text Domain Mismatch | ||
| #1735 | Payment Gateway for Redsys & WooCommerce Lite | 32 | 125 | 75 | 20k+ | Text Domain Mismatch | ||
| #1736 | WooMS | 32 | 199 | 58 | 500 | Output is not escaped | ||
| #1737 | WP 2-step verification | 32 | 154 | 65 | 1k+ | Output is not escaped | ||
| #1738 | WP Bannerize Pro | 32 | 281 | 216 | 800 | Text Domain Mismatch | ||
| #1739 | WP fail2ban – Advanced Security | 32 | 75 | 153 | 60k+ | Dynamic hook name | ||
| #1740 | wp-jalali | 32 | 219 | 66 | 10k+ | Text Domain Mismatch | ||
| #1741 | WP Popup | 32 | 539 | 65 | 1k+ | Text Domain Mismatch | ||
| #1742 | WP-Stats | 32 | 237 | 126 | 2k+ | Output is not escaped | ||
| #1743 | WP Weixin | 32 | 60 | 152 | 400 | Non-prefixed constant | ||
| #1744 | WPCasa – Real Estate for WordPress | 32 | 85 | 429 | 1k+ | Non-prefixed global variable | ||
| #1745 | Privacy Policy Generator – WPLP Legal Pages | 32 | 26 | 409 | 10k+ | Non-prefixed global variable | ||
| #1746 | WT GeoTargeting | 32 | 89 | 43 | 1k+ | Output is not escaped | ||
| #1747 | YITH Infinite Scrolling | 32 | 387 | 1,417 | 10k+ | Non-prefixed global variable | ||
| #1748 | YITH WooCommerce Badge Management | 32 | 413 | 1,446 | 10k+ | Non-prefixed global variable | ||
| #1749 | YITH WooCommerce Compare | 32 | 422 | 1,508 | 100k+ | Non-prefixed global variable | ||
| #1750 | YITH WooCommerce Quick View | 32 | 388 | 1,420 | 90k+ | Non-prefixed global variable |