missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1801 | Image Source Control Lite – Show Image Credits and Captions | 33 | 140 | 221 | 3k+ | Non-prefixed hook name | ||
| #1802 | Inactive User Deleter | 33 | 453 | 170 | 800 | Output is not escaped | ||
| #1803 | InPost Gallery | 33 | 105 | 245 | 700 | Non-prefixed global variable | ||
| #1804 | WPZOOM Social Feed Widget & Block | 33 | 310 | 278 | 60k+ | Unsafe printing function | ||
| #1805 | Intagrate Lite | 33 | 94 | 152 | 4k+ | date date | ||
| #1806 | IP2Location Redirection | 33 | 198 | 122 | 7k+ | Output is not escaped | ||
| #1807 | IssueM | 33 | 56 | 173 | 600 | Request data is not unslashed | ||
| #1808 | Janolaw AGB Hosting | 33 | 198 | 11 | 1k+ | Short PHP open tag found | ||
| #1809 | JetWidgets for Elementor and WooCommerce | 33 | 187 | 146 | 7k+ | Text Domain Mismatch | ||
| #1810 | jQuery Manager for WordPress | 33 | 86 | 24 | 7k+ | Output is not escaped | ||
| #1811 | Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid | 33 | 274 | 106 | 3k+ | Text Domain Mismatch | ||
| #1812 | LWSCache | 33 | 47 | 104 | 6k+ | Non-prefixed global variable | ||
| #1813 | Forms for Mailchimp by Optin Cat – Grow Your MailChimp List | 33 | 71 | 133 | 2k+ | Missing direct file access protection | ||
| #1814 | MailUp for WordPress – Email and Newsletter Subscription Form | 33 | 251 | 100 | 2k+ | Text Domain Mismatch | ||
| #1815 | MWB HubSpot for WooCommerce – CRM, Abandoned Cart, Email Marketing, Marketing Automation & Analytics | 33 | 26 | 279 | 7k+ | Non-prefixed global variable | ||
| #1816 | MAS Companies For WP Job Manager | 33 | 62 | 308 | 1k+ | Non-prefixed hook name | ||
| #1817 | MaxiBlocks Builder | 17,000+ Design Assets, Patterns, Icons & Starter Sites | 33 | 2 | 503 | 800 | Non-prefixed function | ||
| #1818 | Membership For WooCommerce | 33 | 40 | 659 | 900 | Non-prefixed global variable | ||
| #1819 | Merge + Minify + Refresh | 33 | 78 | 26 | 4k+ | date date | ||
| #1820 | Mollie Payments for WooCommerce | 33 | 70 | 123 | 100k+ | Dynamic hook name | ||
| #1821 | More Types | 33 | 227 | 198 | 800 | Non-prefixed global variable | ||
| #1822 | Newebpay Payment | 33 | 146 | 115 | 600 | Text Domain Mismatch | ||
| #1823 | News Announcement Scroll | 33 | 237 | 259 | 2k+ | Non-prefixed global variable | ||
| #1824 | GDPR CCPA Compliance & Cookie Consent Banner | 33 | 622 | 87 | 1k+ | Non Singular String Literal Domain | ||
| #1825 | Nomad World Map | 33 | 424 | 191 | 700 | Text Domain Mismatch | ||
| #1826 | Notification Master – Real-Time WordPress Notifications With Email, SMS, Webhooks & More | 33 | 293 | 215 | 1k+ | Text Domain Mismatch | ||
| #1827 | Pastacode | 33 | 77 | 66 | 400 | Non-prefixed global variable | ||
| #1828 | Payflex Payment Gateway | 33 | 181 | 61 | 1k+ | Text Domain Mismatch | ||
| #1829 | Payoneer Checkout | 33 | 168 | 45 | 5k+ | Exception output is not escaped | ||
| #1830 | PeproDev WooCommerce Receipt Uploader | 33 | 325 | 49 | 1k+ | Non Singular String Literal Domain | ||
| #1831 | پینوا | Pinova | 33 | 171 | 75 | 500 | Output is not escaped | ||
| #1832 | Plugin Organizer | 33 | 325 | 257 | 10k+ | Output is not escaped | ||
| #1833 | Podcast Subscribe Buttons | 33 | 552 | 39 | 5k+ | Text Domain Mismatch | ||
| #1834 | FancyPost – Post Blocks, Grids & Sliders for Block Editor and Elementor | 33 | 356 | 271 | 500 | Output is not escaped | ||
| #1835 | Post Lists View Custom | 33 | 462 | 150 | 2k+ | Missing Arg Domain | ||
| #1836 | PublishPress Checklists: Pre-Publishing Approval Checklist – Validate Post Requirements | 33 | 140 | 182 | 3k+ | Missing Translators Comment | ||
| #1837 | QNAP NAS Backup | 33 | 374 | 70 | 2k+ | Non Singular String Literal Domain | ||
| #1838 | Quick Restaurant Reservations | 33 | 654 | 179 | 500 | Text Domain Mismatch | ||
| #1839 | Frisbii Pay | 33 | 91 | 292 | 1k+ | Non-prefixed global variable | ||
| #1840 | Rename wp-login.php to anything you want | 33 | 251 | 117 | 500 | Output is not escaped | ||
| #1841 | Review Slider for WooCommerce | 33 | 160 | 422 | 400 | Non-prefixed global variable | ||
| #1842 | RTMKit | 33 | 11 | 388 | 50k+ | Non-prefixed global variable | ||
| #1843 | RSS Feed Pro | 33 | 484 | 16 | 500 | Output is not escaped | ||
| #1844 | Live Sales Notification (Recent Sales Popups) | 33 | 114 | 120 | 400 | SQL query is not prepared | ||
| #1845 | Schema & Structured Data for WP & AMP | 33 | 63 | 246 | 100k+ | Non-prefixed global variable | ||
| #1846 | Service Box – Icon Box Showcase | 33 | 385 | 230 | 3k+ | Non Singular String Literal Domain | ||
| #1847 | Sessions | 33 | 196 | 103 | 900 | Output is not escaped | ||
| #1848 | ShopPress – Shop Builder for Elementor and WooCommerce | 33 | 11 | 879 | 500 | Non-prefixed global variable | ||
| #1849 | Slider Path for Elementor | 33 | 329 | 100 | 700 | Text Domain Mismatch | ||
| #1850 | SMTP2GO for WordPress – Email Made Easy | 33 | 186 | 111 | 30k+ | Output is not escaped |