missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2051ACF Color Swatches3550211k+Text Domain Mismatch
#2052ACF Content Analysis for Yoast SEO35917100k+Non-prefixed constant
#2053Advanced Custom Fields : CPT Options Pages3537112k+Output is not escaped
#2054ACF: Focal Point35616400Text Domain Mismatch
#2055ACF OpenStreetMap Field3540469k+Non-prefixed global variable
#2056Ad Widget for WordPress3568142k+Output is not escaped
#2057Admin Color Schemer35166201k+Exception output is not escaped
#2058AdPlugg WordPress Ad Plugin355817500Missing direct file access protection
#2059CAPTCHA 4WP – Antispam CAPTCHA solution for WordPress352010100k+Missing Arg Domain
#2060Advanced Permalinks359476400wp function not compatible with requires wp
#2061Advanced Reporting for Woocommerce35296101400Output is not escaped
#2062Affiliate Link Marker35314400Text Domain Mismatch
#2063AfterSalesPro Plugin3524111400Nonce verification recommended
#2064Air WP Sync – Airtable to WordPress3537451k+Non-prefixed hook name
#2065AJAX Heartbeat Tool3561400Hidden files included
#2066Akismet Anti-spam: Spam Protection3533995m+Non-prefixed global variable
#2067AMIMOTO Plugin Dashboard358282900Non Singular String Literal Domain
#2068Amministrazione Trasparente3580461k+Output is not escaped
#2069Animate In View351201k+Hidden files included
#2070AnsPress – Question and answer35227783k+Non-prefixed function
#2071AppMySite – WordPress & WooCommerce Mobile App Builder (No-Code Android & iOS App Maker)35165377k+Missing Arg Domain
#2072Aquila Admin Theme351513293k+Non-prefixed global variable
#2073Author Box WP Lens3516949900Unsafe printing function
#2074Authors Widget35170191k+Output is not escaped
#2075Auto Login for Sakura Rental Server353310k+Hidden files included
#2076Autocomplete For Relevanssi35309900Unsafe printing function
#2077Automatic Internal Links for SEO by Pagup35301661k+error log error log
#2078Avif Express3526167400Input is not validated
#2079Awin – Advertiser Tracking for WooCommerce3546391k+Non Singular String Literal Domain
#2080AXP Cyrillic to Latin352131k+Output is not escaped
#2081Basic Google Maps Placemarks35189803k+Output is not escaped
#2082bbPress Notify (No-Spam)3562662k+wp function not compatible with requires wp
#2083Before After Image Comparison Slider for WPBakery Page Builder3558591k+Output is not escaped
#2084belingoGeo351361331k+Output is not escaped
#2085Better Plugin Compatibility Control35744k+trademarked term
#2086Bicycles by falbar3542665600Output is not escaped
#2087Lord of the Files: Enhanced Upload Security3562421k+Non-prefixed global variable
#2088Block Comment Spam Bots353117800Output is not escaped
#2089CTC Masonry Gallery 🎨35631k+Hidden files included
#2090Gutenberg Block for WooCommerce Product Table351443k+Hidden files included
#2091Block Manager3533264k+Text Domain Mismatch
#2092Gutenberg Block Editor Toolkit – EditorsKit35612520k+Text Domain Mismatch
#2093Blogsqode – Blog Layouts and News Post Design3543063400Text Domain Mismatch
#2094BlossomThemes Toolkit353475230k+Output is not escaped
#2095Bluehost Site Migrator3511184k+Missing direct file access protection
#2096Tooltipy (tooltips for WP)353701251k+Text Domain Mismatch
#2097bookingflow Smoobu for WP3510712400Text Domain Mismatch
#2098Bootstrap for Contact Form 735357310k+Nonce verification recommended
#2099BORICA Payments by BORICA AD35537196500Text Domain Mismatch
#2100Wbcom Designs – BuddyPress Activity Social Share3529327400Text Domain Mismatch