missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1951 | SSL Mixed Content Fix | 34 | 53 | 65 | 8k+ | Output is not escaped | ||
| #1952 | 우커머스 포트원 플러그인 (국내 모든 PG를 한 번에) | 34 | 36 | 181 | 600 | Nonce verification recommended | ||
| #1953 | Image Cleanup | 34 | 52 | 94 | 1k+ | Nonce verification recommended | ||
| #1954 | HTML Import 2 | 34 | 273 | 26 | 5k+ | Unsafe printing function | ||
| #1955 | Import XML and RSS Feeds | 34 | 260 | 85 | 2k+ | Unsafe printing function | ||
| #1956 | Inavii Social Feed – Live Social Proof Gallery | 34 | 532 | 180 | 9k+ | Text Domain Mismatch | ||
| #1957 | IP2Location Country Blocker | 34 | 295 | 88 | 30k+ | Output is not escaped | ||
| #1958 | JS Archive List | 34 | 99 | 31 | 3k+ | Output is not escaped | ||
| #1959 | Kadence WooCommerce Email Designer | 34 | 119 | 230 | 100k+ | Non-prefixed global variable | ||
| #1960 | Lenix Leads Collector | 34 | 414 | 242 | 10k+ | Text Domain Mismatch | ||
| #1961 | Login with Vipps and MobilePay | 34 | 263 | 174 | 900 | Output is not escaped | ||
| #1962 | Mailmunch Forms for Mailchimp | 34 | 120 | 53 | 10k+ | Output is not escaped | ||
| #1963 | MantraBrain Starter Sites | MantraBrain Theme Demo Importer | 34 | 117 | 61 | 1k+ | Output is not escaped | ||
| #1964 | Mass Ping Tool for SEO – WordPress ping list to get indexed faster on Google, Yandex, … | 34 | 77 | 96 | 400 | Output is not escaped | ||
| #1965 | Media Vault | 34 | 115 | 150 | 800 | Output is not escaped | ||
| #1966 | Melhor Envio | 34 | 24 | 276 | 10k+ | Nonce verification recommended | ||
| #1967 | Meow Analytics (Google Analytics) | 34 | 80 | 54 | 400 | Output is not escaped | ||
| #1968 | Meow Lightbox | 34 | 77 | 52 | 10k+ | Non Singular String Literal Domain | ||
| #1969 | Meta Tag Manager | 34 | 142 | 321 | 80k+ | Nonce verification recommended | ||
| #1970 | OTP Login & Register Woocommerce | 34 | 148 | 202 | 1k+ | Missing nonce verification | ||
| #1971 | Montonio for WooCommerce | 34 | 44 | 258 | 10k+ | Non-prefixed global variable | ||
| #1972 | mowomo Social Share | 34 | 202 | 156 | 1k+ | Output is not escaped | ||
| #1973 | MPL-Publisher — Ebook & Audiobook Creator | 34 | 489 | 76 | 800 | Text Domain Mismatch | ||
| #1974 | Multi Step Form | 34 | 277 | 139 | 9k+ | Output is not escaped | ||
| #1975 | My Tickets – Accessible Event Ticketing | 34 | 314 | 566 | 700 | Nonce verification recommended | ||
| #1976 | One User Avatar | User Profile Picture | 34 | 68 | 190 | 100k+ | Non-prefixed global variable | ||
| #1977 | Openpay SPEI Plugin | 34 | 112 | 14 | 1k+ | Exception output is not escaped | ||
| #1978 | Child Theme Creator by Orbisius | 34 | 86 | 39 | 10k+ | Output is not escaped | ||
| #1979 | Team Members Profile – Employee Directory & Staff Showcase | 34 | 339 | 90 | 600 | Output is not escaped | ||
| #1980 | OwnerRez | 34 | 79 | 56 | 700 | Unsafe printing function | ||
| #1981 | MW Font Changer | 34 | 463 | 75 | 7k+ | Text Domain Mismatch | ||
| #1982 | PDF Invoices and Packing Slips For WooCommerce | 34 | 108 | 284 | 1k+ | Non-prefixed global variable | ||
| #1983 | PhonePe Payment Solutions | 34 | 77 | 106 | 10k+ | Missing direct file access protection | ||
| #1984 | Progress Bar & Skill Bar | 34 | 175 | 179 | 1k+ | Non Singular String Literal Domain | ||
| #1985 | PushEngage – Web Push Notifications, WooCommerce Automation & Chat Widget | 34 | 46 | 298 | 9k+ | Missing nonce verification | ||
| #1986 | PW WooCommerce Gift Cards | 34 | 238 | 185 | 20k+ | Output is not escaped | ||
| #1987 | QuadLayers Telegram Button | 34 | 149 | 71 | 1k+ | Text Domain Mismatch | ||
| #1988 | RaraTheme Companion | 34 | 430 | 71 | 10k+ | Output is not escaped | ||
| #1989 | Responsive Menu – Create Mobile-Friendly Menu | 34 | 68 | 40 | 70k+ | Nonce verification recommended | ||
| #1990 | Event Timeline – Vertical Timeline | 34 | 26 | 684 | 1k+ | Non-prefixed global variable | ||
| #1991 | RTMForm Builder | 34 | 188 | 209 | 30k+ | Text Domain Mismatch | ||
| #1992 | Route ‑ Shipping Protection | 34 | 64 | 150 | 500 | Missing nonce verification | ||
| #1993 | Saphali Woocommerce Lite | 34 | 376 | 313 | 10k+ | Non-prefixed global variable | ||
| #1994 | Search Engine Insights for Google Search Console | 34 | 174 | 113 | 2k+ | Output is not escaped | ||
| #1995 | Search Meter | 34 | 191 | 94 | 20k+ | Output is not escaped | ||
| #1996 | Seriously Simple Stats | 34 | 99 | 126 | 5k+ | Output is not escaped | ||
| #1997 | Student Result or Employee Database | 34 | 89 | 98 | 1k+ | Direct Query | ||
| #1998 | Software License Manager | 34 | 69 | 289 | 900 | Nonce verification recommended | ||
| #1999 | Subscribe to Download Lite – Email Before Download Plugin | 34 | 106 | 157 | 400 | Non-prefixed global variable | ||
| #2000 | Swiftype Site Search Plugin for WordPress | 34 | 250 | 50 | 400 | Output is not escaped |