missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1901Assistant – Every Day Productivity Apps34124974k+Exception output is not escaped
#1902Audit Trail349010710k+Unsafe printing function
#1903Auto Listings – Car Listings & Car Dealership Plugin for WordPress34803182k+Non-prefixed global variable
#1904Automatic YouTube Gallery – Embed Auto-Updating YouTube Video Galleries, Feeds, Playlists & Channels34862559k+Direct Query
#1905AyeCode Connect3417825310k+Nonce verification recommended
#1906Bayarcash WooCommerce34148138700Non Singular String Literal Domain
#1907Beeketing for WooCommerce – Marketing Automation to Boost Sales34113123500SQL query is not prepared
#1908Blog-in-Blog346493800Non-prefixed function
#1909BoldGrid Easy SEO – Simple and Effective SEO3414910440k+Text Domain Mismatch
#1910Buckets346876500Output is not escaped
#1911Cache Master3437127400Output is not escaped
#1912Campi Moduli Italiani3472363500Unquoted Complex Placeholder
#1913SMS Abandoned Cart Recovery ✦ CartBoss346772400SQL query is not prepared
#1914Checkout Field Editor for WooCommerce – Checkout Manager341226420k+Text Domain Mismatch
#1915Clean Testimonials3412787400Output is not escaped
#1916CM Search And Replace – Optimize content edits with a powerful search and replace tool342861112k+Output is not escaped
#1917Cornerstone3416117430k+Nonce verification recommended
#1918CSS JS Manager, Async JavaScript, Defer Render Blocking CSS34761061k+Input is not validated
#1919Custom Login Page by SeedProd34330125500Output is not escaped
#1920Custom Post Type Attachment3415349800wp function not compatible with requires wp
#1921Custom Sidebars – Dynamic Sidebar Classic Widget Area Manager3432307100k+Non-prefixed global variable
#1922Datafeedr API34307486k+Output is not escaped
#1923DD Last Viewed34193132500Output is not escaped
#1924Debug Log Manager Tool34441433k+Nonce verification recommended
#1925Document Library Lite34149854k+Text Domain Mismatch
#1926Dr. Flex3483511k+Output is not escaped
#1927Delisho – Recipe Widgets and Blocks34603551k+Input is not sanitized
#1928Easy Social Sharing34162401k+Non-prefixed global variable
#1929EasyIndex34741351k+Missing nonce verification
#1930Edit Flow341032274k+Non-prefixed hook name
#1931ECS – Ele Custom Skin for Elementor3499205100k+Text Domain Mismatch
#1932Enhanced Text Widget341015830k+Output is not escaped
#1933ePayco Plugin for WooCommerce341551363k+Text Domain Mismatch
#1934Event Calendar Newsletter3496167600Non-prefixed hook name
#1935Evento34583601k+Text Domain Mismatch
#1936Export Customers Data3410949500Text Domain Mismatch
#1937Profile Box Shortcode And Widget344881381k+Output is not escaped
#1938Featured Video Plus349910510k+Non-prefixed global variable
#1939Flash Toolkit3415824210k+Non-prefixed global variable
#1940Weight Based Shipping Table Rate for WooCommerce – Flexible Shipping34124156100k+Nonce verification recommended
#1941Floating Side Tab3494153600Non-prefixed global variable
#1942Forms: 3rd-Party Integration342341125k+Output is not escaped
#1943Geolocation IP Detection3422716720k+Output is not escaped
#1944Gitium3414957400Output is not escaped
#1945APG Google Video Sitemap Feed349645800Output is not escaped
#1946Gratisfaction- Loyalty, Rewards , Referral, Birthday and Giveaway Program34131352600Missing nonce verification
#1947Signature Add-On for Gravity Forms34161481k+Text Domain Mismatch
#1948Herzog Dupont for YOOtheme Pro344772334k+Output is not escaped
#1949Hitsteps Web Analytics34370313800Output is not escaped
#1950HollerBox — Fast & Effective Popups & Lead-Generation3478922k+Output is not escaped