missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1701PilotPress32150285900Output is not escaped
#1702TS Poll – Survey, Versus Poll, Image Poll, Video Poll325701714k+Text Domain Mismatch
#1703Post and Page Builder by BoldGrid – Visual Drag and Drop Editor3234825850k+Output is not escaped
#1704Posti Shipping326641571k+Text Domain Mismatch
#1705Volunteer Sign Up Sheets329674011k+Output is not escaped
#1706Quick Featured Images3243632350k+Non-prefixed global variable
#1707Relevanssi – A Better Search3286266100k+Missing direct file access protection
#1708Responsive Filterable Portfolio Gallery – Media Grid & Video Portfolio324361631k+Output is not escaped
#1709Restrict Usernames Emails Characters323273671k+Output is not escaped
#1710WowRevenue – Product Bundles & Bulk Discounts32132,0271k+Non-prefixed global variable
#1711Revolut Gateway for WooCommerce32851577k+Input is not sanitized
#1712RSS for Yandex Turbo3268730720k+Unsafe printing function
#1713Showcase IDX Real Estate Search & Lead Capture32123522k+Output is not escaped
#1714Simple Ajax Chat – Add a Fast, Secure Chat Box321072662k+Output is not escaped
#1715Site Search 36032202213400Output is not escaped
#1716Sky Addons for Elementor32853512k+Non-prefixed namespace
#1717Spoki – Chat Buttons and WooCommerce Notifications321,074260700Unsafe printing function
#1718Stock Locations for WooCommerce325493601k+Output is not escaped
#1719Stock Sync for WooCommerce323622321k+Text Domain Mismatch
#1720Subscribe2 – Form, Email Subscribers & Newsletters323241010k+Direct Query
#1721System Dashboard32912051k+Request data is not unslashed
#1722Tainacan Support for Blocksy32244526500Non-prefixed global variable
#1723Theme My Login3225154960k+Non-prefixed function
#1724TK Google Fonts GDPR Compliant32582341k+Output is not escaped
#1725Tumult Hype Animations32561171k+Output is not escaped
#1726UiCore Blocks – Free WordPress Gutenberg Blocks3259394500Non-prefixed global variable
#1727Ultimate Store Kit – Addon For WooCommerce, EDD and Elementor32572934k+Post Not In exclude
#1728Unbounce Landing Pages321698610k+Output is not escaped
#1729Secure Client Portal and Private File Sharing Plugin – User Private Files321835251k+Non-prefixed global variable
#1730User Registration Using Contact Form 73210315500wp function not compatible with requires wp
#1731Multi Currency For WooCommerce3287701k+Non-prefixed global variable
#1732Webdzier Companion3253989800Text Domain Mismatch
#1733WebwinkelKeur: Webshop keurmerk & reviews for WordPress32200474k+Short PHP open tag found
#1734Easy 3D Viewer323992411k+Text Domain Mismatch
#1735Payment Gateway for Redsys & WooCommerce Lite321257520k+Text Domain Mismatch
#1736WooMS3219958500Output is not escaped
#1737WP 2-step verification32154651k+Output is not escaped
#1738WP Bannerize Pro32281216800Text Domain Mismatch
#1739WP fail2ban – Advanced Security327515360k+Dynamic hook name
#1740wp-jalali322196610k+Text Domain Mismatch
#1741WP Popup32539651k+Text Domain Mismatch
#1742WP-Stats322371262k+Output is not escaped
#1743WP Weixin3260152400Non-prefixed constant
#1744WPCasa – Real Estate for WordPress32854291k+Non-prefixed global variable
#1745Privacy Policy Generator – WPLP Legal Pages322640910k+Non-prefixed global variable
#1746WT GeoTargeting3289431k+Output is not escaped
#1747YITH Infinite Scrolling323871,41710k+Non-prefixed global variable
#1748YITH WooCommerce Badge Management324131,44610k+Non-prefixed global variable
#1749YITH WooCommerce Compare324221,508100k+Non-prefixed global variable
#1750YITH WooCommerce Quick View323881,42090k+Non-prefixed global variable