missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2101Custom Order Status Manager for WooCommerce356306730k+Text Domain Mismatch
#2102Registration Options for BuddyPress35471321k+Non-prefixed function
#2103Brightcove Video Connect35580235600Text Domain Mismatch
#2104BSK Forms Blacklist358315501k+Output is not escaped
#2105BTCPay Server – Accept Bitcoin payments in WooCommerce3548861k+Missing nonce verification
#2106Bulk Download for Gravity Forms3552500Hidden files included
#2107Business Hours Indicator351391068k+Alternative PHP tag found
#2108C3 Cloudfront Cache Controller35109603k+Non Singular String Literal Domain
#2109Cache Enabler35447590k+Input is not sanitized
#2110UseStrict's Calendly Embedder35412k+Hidden files included
#2111Divi Carousel Lite – Responsive Carousel & Slider Modules for Divi Builder3538176k+Text Domain Mismatch
#2112Central Connect35721400Nonce verification recommended
#2113CF7 Spreadsheets3510062400Text Domain Mismatch
#2114CF7 Submissions – Securely Store Contact Form 7 Data and Attachments, Reply to the Sender and more35161192k+Non-prefixed global variable
#2115CF7 Views – Complete Entry Management for Contact Form 7351721811k+Output is not escaped
#2116Change Last Modified Date35713k+Missing direct file access protection
#2117Change Quantity on Checkout for WooCommerce35270324k+wp function not compatible with requires wp
#2118Change Username357104k+Direct Query
#2119ChatHelp – Click to Chat Button, WooCommerce Chat to Order & Floating Chat Form35311881k+Non-prefixed global variable
#2120Payment Gateway Based Fees and Discounts for WooCommerce35246830k+Non-prefixed hook name
#2121Child Pages Shortcode35565k+Non-prefixed hook name
#2122CHP Ads Block Detector3510835900Output is not escaped
#2123CiviCRM Admin Utilities3519871k+Non-prefixed hook name
#2124CiviCRM Profile Sync3531140600Non-prefixed global variable
#2125Cloudflare352885200k+Non-prefixed namespace
#2126Flexible SSL for CloudFlare3596100k+Output is not escaped
#2127CM E-Mail Blacklist – Simple email filtering for safer registration35269205800Output is not escaped
#2128Code Prettify35731k+wp function not compatible with requires wp
#2129Conditional Menus35922860k+Text Domain Mismatch
#2130Conditional Widgets3567337k+Output is not escaped
#2131Constant Contact Forms35418920k+Missing nonce verification
#2132Kit (formerly ConvertKit) for WooCommerce35213184k+Text Domain Mismatch
#2133EasyTest – Simplify A/B Testing3597610k+Non-prefixed global variable
#2134GDPR Cookie Consent Notice Box3546171k+Output is not escaped
#2135Cookie Information – Cookie Banner with Consent Mode v235185282k+Output is not escaped
#2136Cookies and Content Security Policy3526141210k+Output is not escaped
#2137Core Framework35706210k+Text Domain Mismatch
#2138Coupon X – Discount Popups, Promo Codes Pop Ups for WooCommerce & Announcement Popups35301681k+Non-prefixed global variable
#2139Create Block Theme3543520k+unlink unlink
#2140CrowdSec351301192k+Output is not escaped
#2141Cryptex | E-Mail Address Protection356210900Output is not escaped
#2142CubeWP Framework35114714k+wp function not compatible with requires wp
#2143Cue by AudioTheme.com35281506k+Non-prefixed hook name
#2144Currency Converter351044400Output is not escaped
#2145Currency Switcher for WooCommerce3516661800Text Domain Mismatch
#2146Custom 404 Pro3550277k+wp function not compatible with requires wp
#2147Custom CSS and JavaScript35389110k+Input is not sanitized
#2148Wbcom Designs – Custom Font Uploader353401233k+Text Domain Mismatch
#2149Custom JavaScript Editor35823400Missing Version
#2150Custom Post Type Maker35240866k+Unsafe printing function