missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1951SSL Mixed Content Fix3453658k+Output is not escaped
#1952우커머스 포트원 플러그인 (국내 모든 PG를 한 번에)3436181600Nonce verification recommended
#1953Image Cleanup3452941k+Nonce verification recommended
#1954HTML Import 234273265k+Unsafe printing function
#1955Import XML and RSS Feeds34260852k+Unsafe printing function
#1956Inavii Social Feed – Live Social Proof Gallery345321809k+Text Domain Mismatch
#1957IP2Location Country Blocker342958830k+Output is not escaped
#1958JS Archive List3499313k+Output is not escaped
#1959Kadence WooCommerce Email Designer34119230100k+Non-prefixed global variable
#1960Lenix Leads Collector3441424210k+Text Domain Mismatch
#1961Login with Vipps and MobilePay34263174900Output is not escaped
#1962Mailmunch Forms for Mailchimp341205310k+Output is not escaped
#1963MantraBrain Starter Sites | MantraBrain Theme Demo Importer34117611k+Output is not escaped
#1964Mass Ping Tool for SEO – WordPress ping list to get indexed faster on Google, Yandex, …347796400Output is not escaped
#1965Media Vault34115150800Output is not escaped
#1966Melhor Envio342427610k+Nonce verification recommended
#1967Meow Analytics (Google Analytics)348054400Output is not escaped
#1968Meow Lightbox34775210k+Non Singular String Literal Domain
#1969Meta Tag Manager3414232180k+Nonce verification recommended
#1970OTP Login & Register Woocommerce341482021k+Missing nonce verification
#1971Montonio for WooCommerce344425810k+Non-prefixed global variable
#1972mowomo Social Share342021561k+Output is not escaped
#1973MPL-Publisher — Ebook & Audiobook Creator3448976800Text Domain Mismatch
#1974Multi Step Form342771399k+Output is not escaped
#1975My Tickets – Accessible Event Ticketing34314566700Nonce verification recommended
#1976One User Avatar | User Profile Picture3468190100k+Non-prefixed global variable
#1977Openpay SPEI Plugin34112141k+Exception output is not escaped
#1978Child Theme Creator by Orbisius34863910k+Output is not escaped
#1979Team Members Profile – Employee Directory & Staff Showcase3433990600Output is not escaped
#1980OwnerRez347956700Unsafe printing function
#1981MW Font Changer34463757k+Text Domain Mismatch
#1982PDF Invoices and Packing Slips For WooCommerce341082841k+Non-prefixed global variable
#1983PhonePe Payment Solutions347710610k+Missing direct file access protection
#1984Progress Bar & Skill Bar341751791k+Non Singular String Literal Domain
#1985PushEngage – Web Push Notifications, WooCommerce Automation & Chat Widget34462989k+Missing nonce verification
#1986PW WooCommerce Gift Cards3423818520k+Output is not escaped
#1987QuadLayers Telegram Button34149711k+Text Domain Mismatch
#1988RaraTheme Companion344307110k+Output is not escaped
#1989Responsive Menu – Create Mobile-Friendly Menu34684070k+Nonce verification recommended
#1990Event Timeline – Vertical Timeline34266841k+Non-prefixed global variable
#1991RTMForm Builder3418820930k+Text Domain Mismatch
#1992Route ‑ Shipping Protection3464150500Missing nonce verification
#1993Saphali Woocommerce Lite3437631310k+Non-prefixed global variable
#1994Search Engine Insights for Google Search Console341741132k+Output is not escaped
#1995Search Meter341919420k+Output is not escaped
#1996Seriously Simple Stats34991265k+Output is not escaped
#1997Student Result or Employee Database3489981k+Direct Query
#1998Software License Manager3469289900Nonce verification recommended
#1999Subscribe to Download Lite – Email Before Download Plugin34106157400Non-prefixed global variable
#2000Swiftype Site Search Plugin for WordPress3425050400Output is not escaped