missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2051 | ACF Color Swatches | 35 | 50 | 21 | 1k+ | Text Domain Mismatch | ||
| #2052 | ACF Content Analysis for Yoast SEO | 35 | 9 | 17 | 100k+ | Non-prefixed constant | ||
| #2053 | Advanced Custom Fields : CPT Options Pages | 35 | 37 | 11 | 2k+ | Output is not escaped | ||
| #2054 | ACF: Focal Point | 35 | 61 | 6 | 400 | Text Domain Mismatch | ||
| #2055 | ACF OpenStreetMap Field | 35 | 40 | 46 | 9k+ | Non-prefixed global variable | ||
| #2056 | Ad Widget for WordPress | 35 | 68 | 14 | 2k+ | Output is not escaped | ||
| #2057 | Admin Color Schemer | 35 | 166 | 20 | 1k+ | Exception output is not escaped | ||
| #2058 | AdPlugg WordPress Ad Plugin | 35 | 58 | 17 | 500 | Missing direct file access protection | ||
| #2059 | CAPTCHA 4WP – Antispam CAPTCHA solution for WordPress | 35 | 20 | 10 | 100k+ | Missing Arg Domain | ||
| #2060 | Advanced Permalinks | 35 | 94 | 76 | 400 | wp function not compatible with requires wp | ||
| #2061 | Advanced Reporting for Woocommerce | 35 | 296 | 101 | 400 | Output is not escaped | ||
| #2062 | Affiliate Link Marker | 35 | 31 | 4 | 400 | Text Domain Mismatch | ||
| #2063 | AfterSalesPro Plugin | 35 | 24 | 111 | 400 | Nonce verification recommended | ||
| #2064 | Air WP Sync – Airtable to WordPress | 35 | 37 | 45 | 1k+ | Non-prefixed hook name | ||
| #2065 | AJAX Heartbeat Tool | 35 | 6 | 1 | 400 | Hidden files included | ||
| #2066 | Akismet Anti-spam: Spam Protection | 35 | 33 | 99 | 5m+ | Non-prefixed global variable | ||
| #2067 | AMIMOTO Plugin Dashboard | 35 | 82 | 82 | 900 | Non Singular String Literal Domain | ||
| #2068 | Amministrazione Trasparente | 35 | 80 | 46 | 1k+ | Output is not escaped | ||
| #2069 | Animate In View | 35 | 12 | 0 | 1k+ | Hidden files included | ||
| #2070 | AnsPress – Question and answer | 35 | 22 | 778 | 3k+ | Non-prefixed function | ||
| #2071 | AppMySite – WordPress & WooCommerce Mobile App Builder (No-Code Android & iOS App Maker) | 35 | 165 | 37 | 7k+ | Missing Arg Domain | ||
| #2072 | Aquila Admin Theme | 35 | 151 | 329 | 3k+ | Non-prefixed global variable | ||
| #2073 | Author Box WP Lens | 35 | 169 | 49 | 900 | Unsafe printing function | ||
| #2074 | Authors Widget | 35 | 170 | 19 | 1k+ | Output is not escaped | ||
| #2075 | Auto Login for Sakura Rental Server | 35 | 3 | 3 | 10k+ | Hidden files included | ||
| #2076 | Autocomplete For Relevanssi | 35 | 30 | 9 | 900 | Unsafe printing function | ||
| #2077 | Automatic Internal Links for SEO by Pagup | 35 | 30 | 166 | 1k+ | error log error log | ||
| #2078 | Avif Express | 35 | 26 | 167 | 400 | Input is not validated | ||
| #2079 | Awin – Advertiser Tracking for WooCommerce | 35 | 46 | 39 | 1k+ | Non Singular String Literal Domain | ||
| #2080 | AXP Cyrillic to Latin | 35 | 21 | 3 | 1k+ | Output is not escaped | ||
| #2081 | Basic Google Maps Placemarks | 35 | 189 | 80 | 3k+ | Output is not escaped | ||
| #2082 | bbPress Notify (No-Spam) | 35 | 62 | 66 | 2k+ | wp function not compatible with requires wp | ||
| #2083 | Before After Image Comparison Slider for WPBakery Page Builder | 35 | 58 | 59 | 1k+ | Output is not escaped | ||
| #2084 | belingoGeo | 35 | 136 | 133 | 1k+ | Output is not escaped | ||
| #2085 | Better Plugin Compatibility Control | 35 | 7 | 4 | 4k+ | trademarked term | ||
| #2086 | Bicycles by falbar | 35 | 426 | 65 | 600 | Output is not escaped | ||
| #2087 | Lord of the Files: Enhanced Upload Security | 35 | 62 | 42 | 1k+ | Non-prefixed global variable | ||
| #2088 | Block Comment Spam Bots | 35 | 31 | 17 | 800 | Output is not escaped | ||
| #2089 | CTC Masonry Gallery 🎨 | 35 | 6 | 3 | 1k+ | Hidden files included | ||
| #2090 | Gutenberg Block for WooCommerce Product Table | 35 | 14 | 4 | 3k+ | Hidden files included | ||
| #2091 | Block Manager | 35 | 33 | 26 | 4k+ | Text Domain Mismatch | ||
| #2092 | Gutenberg Block Editor Toolkit – EditorsKit | 35 | 61 | 25 | 20k+ | Text Domain Mismatch | ||
| #2093 | Blogsqode – Blog Layouts and News Post Design | 35 | 430 | 63 | 400 | Text Domain Mismatch | ||
| #2094 | BlossomThemes Toolkit | 35 | 347 | 52 | 30k+ | Output is not escaped | ||
| #2095 | Bluehost Site Migrator | 35 | 11 | 18 | 4k+ | Missing direct file access protection | ||
| #2096 | Tooltipy (tooltips for WP) | 35 | 370 | 125 | 1k+ | Text Domain Mismatch | ||
| #2097 | bookingflow Smoobu for WP | 35 | 107 | 12 | 400 | Text Domain Mismatch | ||
| #2098 | Bootstrap for Contact Form 7 | 35 | 35 | 73 | 10k+ | Nonce verification recommended | ||
| #2099 | BORICA Payments by BORICA AD | 35 | 537 | 196 | 500 | Text Domain Mismatch | ||
| #2100 | Wbcom Designs – BuddyPress Activity Social Share | 35 | 293 | 27 | 400 | Text Domain Mismatch |