missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2001 | Tab Ultimate | 34 | 107 | 138 | 1k+ | Output is not escaped | ||
| #2002 | TaxJar – Sales Tax Automation for WooCommerce | 34 | 236 | 170 | 5k+ | Text Domain Mismatch | ||
| #2003 | Testimonial Slider | 34 | 448 | 262 | 3k+ | Unsafe printing function | ||
| #2004 | Easy Mega Menu for WordPress – ThemeHunk | 34 | 480 | 256 | 1k+ | Text Domain Mismatch | ||
| #2005 | Throws SPAM Away | 34 | 327 | 123 | 10k+ | Missing Arg Domain | ||
| #2006 | Tidio – Live Chat & AI Chatbots | 34 | 52 | 19 | 80k+ | curl curl setopt | ||
| #2007 | Travel Agency Companion – Create Tour & Travel Website Using WP Travel Engine | 34 | 128 | 211 | 4k+ | Non-prefixed global variable | ||
| #2008 | Tools for Twitter | 34 | 135 | 87 | 1k+ | Output is not escaped | ||
| #2009 | Ultimate 410 Gone Status Code | 34 | 136 | 65 | 7k+ | Output is not escaped | ||
| #2010 | Ultra Companion – Companion plugin for WPoperation Themes | 34 | 73 | 116 | 1k+ | Missing direct file access protection | ||
| #2011 | Visual Form Builder | 34 | 82 | 329 | 20k+ | Direct Query | ||
| #2012 | Abandoned Cart Reports For WooCommerce | 34 | 133 | 163 | 1k+ | Output is not escaped | ||
| #2013 | DPD SK for WooCommerce | 34 | 130 | 165 | 700 | Output is not escaped | ||
| #2014 | Weaver Xtreme Theme Support | 34 | 1,625 | 43 | 9k+ | Text Domain Mismatch | ||
| #2015 | PagHiper Boleto e PIX para WooCommerce | 34 | 29 | 138 | 1k+ | Missing nonce verification | ||
| #2016 | Checkout Field Editor (Checkout Page Manager) for WooCommerce | 34 | 706 | 232 | 2k+ | Text Domain Mismatch | ||
| #2017 | MailerLite – WooCommerce integration | 34 | 65 | 36 | 30k+ | Output is not escaped | ||
| #2018 | Simple Discount Rules for Woocommerce | 34 | 175 | 214 | 4k+ | Nonce verification recommended | ||
| #2019 | Digital Signature Add-on for WooCommerce | 34 | 165 | 76 | 1k+ | Text Domain Mismatch | ||
| #2020 | Woopra Analytics Plugin | 34 | 114 | 53 | 900 | Output is not escaped | ||
| #2021 | WP Custom Admin Interface | 34 | 263 | 118 | 30k+ | Unsafe printing function | ||
| #2022 | Wp Default Sender Email by IT Pixelz | 34 | 682 | 25 | 500 | Output is not escaped | ||
| #2023 | WP Dummy Content Generator | 34 | 93 | 130 | 6k+ | Output is not escaped | ||
| #2024 | WP Dynamic Keywords Injector | 34 | 44 | 205 | 1k+ | Nonce verification recommended | ||
| #2025 | WP Forms Signature Contract Add-On | 34 | 128 | 35 | 900 | Text Domain Mismatch | ||
| #2026 | Email Template Designer – WP HTML Mail | 34 | 62 | 80 | 20k+ | badly named files | ||
| #2027 | WP LinkedIn Auto Publish | 34 | 165 | 56 | 8k+ | Output is not escaped | ||
| #2028 | WP Mail Logging | 34 | 76 | 258 | 300k+ | Nonce verification recommended | ||
| #2029 | WP Maintenance | 34 | 40 | 217 | 60k+ | Non-prefixed global variable | ||
| #2030 | LightStart – Maintenance Mode, Coming Soon and Landing Page Builder | 34 | 42 | 312 | 400k+ | Request data is not unslashed | ||
| #2031 | WP Notes Widget | 34 | 217 | 36 | 700 | Output is not escaped | ||
| #2032 | WP Popup Builder – Popup Forms and Marketing Lead Generation | 34 | 357 | 143 | 3k+ | Text Domain Mismatch | ||
| #2033 | WP Random Post Thumbnails | 34 | 420 | 26 | 1k+ | Text Domain Mismatch | ||
| #2034 | Thumbnail Slider With Lightbox | 34 | 244 | 141 | 700 | Output is not escaped | ||
| #2035 | Thumbnail carousel slider | 34 | 277 | 143 | 2k+ | Output is not escaped | ||
| #2036 | WP-SCSS | 34 | 269 | 13 | 40k+ | Exception output is not escaped | ||
| #2037 | WP SendFox | 34 | 296 | 118 | 1k+ | Text Domain Mismatch | ||
| #2038 | WP Subscription Forms – Subscription Form Plugin for WordPress | 34 | 131 | 220 | 400 | Non-prefixed global variable | ||
| #2039 | WP Ultimate Post Grid | 34 | 114 | 74 | 4k+ | Missing direct file access protection | ||
| #2040 | Vertical Image Slider | 34 | 264 | 138 | 1k+ | Output is not escaped | ||
| #2041 | Live Visitor Counter | 34 | 108 | 114 | 4k+ | Interpolated SQL is not prepared | ||
| #2042 | Wp Favs – Plugin Manager | 34 | 238 | 153 | 3k+ | Text Domain Mismatch | ||
| #2043 | WPLMS MyCred AddOn | 34 | 383 | 73 | 800 | Text Domain Mismatch | ||
| #2044 | Xml Sitemap Generator | 34 | 72 | 47 | 400 | SQL query is not prepared | ||
| #2045 | YourChannel: Everything you want in a YouTube plugin. | 34 | 262 | 115 | 10k+ | Text Domain Mismatch | ||
| #2046 | Embed Plus for YouTube Gallery, Livestream and Lazy Loading with Facades | 34 | 571 | 195 | 100k+ | Output is not escaped | ||
| #2047 | Zero Spam for WordPress | 34 | 79 | 393 | 20k+ | Non-prefixed global variable | ||
| #2048 | zipMoney(Zip Co) Payments Plugin for WooCommerce | 34 | 147 | 70 | 2k+ | Text Domain Mismatch | ||
| #2049 | Abandoned Checkout Recovery & Order Notifications for WooCommerce | 35 | 108 | 77 | 800 | Text Domain Mismatch | ||
| #2050 | Absolute Addons For Elementor | 35 | 86 | 286 | 400 | Non-prefixed global variable |