missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2101 | Custom Order Status Manager for WooCommerce | 35 | 630 | 67 | 30k+ | Text Domain Mismatch | ||
| #2102 | Registration Options for BuddyPress | 35 | 47 | 132 | 1k+ | Non-prefixed function | ||
| #2103 | Brightcove Video Connect | 35 | 580 | 235 | 600 | Text Domain Mismatch | ||
| #2104 | BSK Forms Blacklist | 35 | 831 | 550 | 1k+ | Output is not escaped | ||
| #2105 | BTCPay Server – Accept Bitcoin payments in WooCommerce | 35 | 48 | 86 | 1k+ | Missing nonce verification | ||
| #2106 | Bulk Download for Gravity Forms | 35 | 5 | 2 | 500 | Hidden files included | ||
| #2107 | Business Hours Indicator | 35 | 139 | 106 | 8k+ | Alternative PHP tag found | ||
| #2108 | C3 Cloudfront Cache Controller | 35 | 109 | 60 | 3k+ | Non Singular String Literal Domain | ||
| #2109 | Cache Enabler | 35 | 44 | 75 | 90k+ | Input is not sanitized | ||
| #2110 | UseStrict's Calendly Embedder | 35 | 4 | 1 | 2k+ | Hidden files included | ||
| #2111 | Divi Carousel Lite – Responsive Carousel & Slider Modules for Divi Builder | 35 | 381 | 7 | 6k+ | Text Domain Mismatch | ||
| #2112 | Central Connect | 35 | 7 | 21 | 400 | Nonce verification recommended | ||
| #2113 | CF7 Spreadsheets | 35 | 100 | 62 | 400 | Text Domain Mismatch | ||
| #2114 | CF7 Submissions – Securely Store Contact Form 7 Data and Attachments, Reply to the Sender and more | 35 | 16 | 119 | 2k+ | Non-prefixed global variable | ||
| #2115 | CF7 Views – Complete Entry Management for Contact Form 7 | 35 | 172 | 181 | 1k+ | Output is not escaped | ||
| #2116 | Change Last Modified Date | 35 | 7 | 1 | 3k+ | Missing direct file access protection | ||
| #2117 | Change Quantity on Checkout for WooCommerce | 35 | 270 | 32 | 4k+ | wp function not compatible with requires wp | ||
| #2118 | Change Username | 35 | 7 | 10 | 4k+ | Direct Query | ||
| #2119 | ChatHelp – Click to Chat Button, WooCommerce Chat to Order & Floating Chat Form | 35 | 31 | 188 | 1k+ | Non-prefixed global variable | ||
| #2120 | Payment Gateway Based Fees and Discounts for WooCommerce | 35 | 24 | 68 | 30k+ | Non-prefixed hook name | ||
| #2121 | Child Pages Shortcode | 35 | 5 | 6 | 5k+ | Non-prefixed hook name | ||
| #2122 | CHP Ads Block Detector | 35 | 108 | 35 | 900 | Output is not escaped | ||
| #2123 | CiviCRM Admin Utilities | 35 | 19 | 87 | 1k+ | Non-prefixed hook name | ||
| #2124 | CiviCRM Profile Sync | 35 | 31 | 140 | 600 | Non-prefixed global variable | ||
| #2125 | Cloudflare | 35 | 28 | 85 | 200k+ | Non-prefixed namespace | ||
| #2126 | Flexible SSL for CloudFlare | 35 | 9 | 6 | 100k+ | Output is not escaped | ||
| #2127 | CM E-Mail Blacklist – Simple email filtering for safer registration | 35 | 269 | 205 | 800 | Output is not escaped | ||
| #2128 | Code Prettify | 35 | 7 | 3 | 1k+ | wp function not compatible with requires wp | ||
| #2129 | Conditional Menus | 35 | 92 | 28 | 60k+ | Text Domain Mismatch | ||
| #2130 | Conditional Widgets | 35 | 67 | 33 | 7k+ | Output is not escaped | ||
| #2131 | Constant Contact Forms | 35 | 41 | 89 | 20k+ | Missing nonce verification | ||
| #2132 | Kit (formerly ConvertKit) for WooCommerce | 35 | 213 | 18 | 4k+ | Text Domain Mismatch | ||
| #2133 | EasyTest – Simplify A/B Testing | 35 | 9 | 76 | 10k+ | Non-prefixed global variable | ||
| #2134 | GDPR Cookie Consent Notice Box | 35 | 46 | 17 | 1k+ | Output is not escaped | ||
| #2135 | Cookie Information – Cookie Banner with Consent Mode v2 | 35 | 185 | 28 | 2k+ | Output is not escaped | ||
| #2136 | Cookies and Content Security Policy | 35 | 261 | 412 | 10k+ | Output is not escaped | ||
| #2137 | Core Framework | 35 | 70 | 62 | 10k+ | Text Domain Mismatch | ||
| #2138 | Coupon X – Discount Popups, Promo Codes Pop Ups for WooCommerce & Announcement Popups | 35 | 30 | 168 | 1k+ | Non-prefixed global variable | ||
| #2139 | Create Block Theme | 35 | 43 | 5 | 20k+ | unlink unlink | ||
| #2140 | CrowdSec | 35 | 130 | 119 | 2k+ | Output is not escaped | ||
| #2141 | Cryptex | E-Mail Address Protection | 35 | 62 | 10 | 900 | Output is not escaped | ||
| #2142 | CubeWP Framework | 35 | 114 | 71 | 4k+ | wp function not compatible with requires wp | ||
| #2143 | Cue by AudioTheme.com | 35 | 28 | 150 | 6k+ | Non-prefixed hook name | ||
| #2144 | Currency Converter | 35 | 104 | 4 | 400 | Output is not escaped | ||
| #2145 | Currency Switcher for WooCommerce | 35 | 166 | 61 | 800 | Text Domain Mismatch | ||
| #2146 | Custom 404 Pro | 35 | 50 | 27 | 7k+ | wp function not compatible with requires wp | ||
| #2147 | Custom CSS and JavaScript | 35 | 38 | 91 | 10k+ | Input is not sanitized | ||
| #2148 | Wbcom Designs – Custom Font Uploader | 35 | 340 | 123 | 3k+ | Text Domain Mismatch | ||
| #2149 | Custom JavaScript Editor | 35 | 8 | 23 | 400 | Missing Version | ||
| #2150 | Custom Post Type Maker | 35 | 240 | 86 | 6k+ | Unsafe printing function |