missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2151Custom Post Type Permalinks3584200k+Setting is missing a sanitization callback
#2152Customizer Backup & Reset358107k+Output is not escaped
#2153Dadevarzan WordPress Common355671700Text Domain Mismatch
#2154DarkLooks – Dark Mode Switcher For WordPress3519521900Text Domain Mismatch
#2155Deposits & Partial Payments for WooCommerce351741445k+Text Domain Mismatch
#2156DesignSetGo35705k+Hidden files included
#2157Nexi Checkout35453083k+Dynamic hook name
#2158Dintero Checkout for WooCommerce Payment Methods355848600Text Domain Mismatch
#2159PiWeb Disable payment method / Partial payment for WooCommerce35552214k+Non-prefixed class
#2160Disable and Remove Google Fonts | GDPR & DSGVO friendly352111100k+Missing Translators Comment
#2161Disable XML-RPC-API3544452100k+Text Domain Mismatch
#2162Disk Usage Sunburst3530349k+Output is not escaped
#2163Potent Donations for WooCommerce3514252k+Missing nonce verification
#2164DOOFINDER Search and Discovery for WP & WooCommerce351511202k+Text Domain Mismatch
#2165Dropshipping XML for WooCommerce35927800Non-prefixed global variable
#2166Duplica – Duplicate Posts, Pages, Custom Posts or Users3514312k+Non-prefixed global variable
#2167DynamicTags35116162k+Text Domain Mismatch
#2168Easy Dash for LearnDash3562388700Text Domain Mismatch
#2169Easy Noindex And Nofollow355518400Output is not escaped
#2170Easy Social Icons3518215820k+Output is not escaped
#2171Easy Watermark35825330k+Non-prefixed global variable
#2172Editorial Calendar3512716020k+Output is not escaped
#2173Gutenberg Blocks Library & Toolkit – Editor Plus3527116k+Text Domain Mismatch
#2174Elementor Website Builder – more than just a page builder354642810m+Non-prefixed global variable
#2175Elements Hive for Breakdance3576251k+Output is not escaped
#2176Email Subscription Popup — Newsletter & GDPR Consent356831931k+Output is not escaped
#2177Email Validator for Contact Form 73511174500SQL query is not prepared
#2178Embed Extended – Embed Maps, Videos, Websites, Source Codes, and more3510292400Non-prefixed global variable
#2179Enhanced Recent Posts357824400Output is not escaped
#2180Enlighter – Customizable Syntax Highlighter35501010k+Output is not escaped
#2181EnvíaloSimple: Email Marketing y Newsletters351472502k+Nonce verification recommended
#2182Equivalent Mobile Redirect3529172k+Text Domain Mismatch
#2183Connect WooCommerce to ActiveCampaign by EqualServing35135891k+Text Domain Mismatch
#2184EWWW Image Optimizer352257311m+Direct Query
#2185AI Popup Builder & Popup Maker by OptiMonk3581654k+Text Domain Mismatch
#2186Export Featured Images35176671k+Output is not escaped
#2187Extra Shortcodes353531k+date date
#2188WP2Social Auto Publish356432159k+Unsafe printing function
#2189Pixel Cat – Conversion Pixel Manager3525321540k+Output is not escaped
#2190Fancy Elements for Avada3537110400Text Domain Mismatch
#2191Instant Indexing for Google351362200k+Non-prefixed global variable
#2192Reviews Widgets for Google, TripAdvisor, Yelp & Recommendations3525522510k+Output is not escaped
#2193Windows Compatibility Fix351361k+Plugin Directory Write
#2194Flat Preloader3540153k+Output is not escaped
#2195Flexible Checkout Fields for WooCommerce – WooCommerce Checkout Manager35646480k+Non-prefixed global variable
#2196Flexible PDF Coupons – Gift Cards & Vouchers for WooCommerce358202k+Non-prefixed global variable
#2197Flexible PDF Invoices for WooCommerce & WordPress3515556k+Non-prefixed global variable
#2198Flexible Subscriptions35462491k+Non-prefixed global variable
#2199Flying Analytics: Self-Host Google Analytics v4 with Speed Optimization3517134k+Missing direct file access protection
#2200Events Calendar by FooEvents3557594k+Non-prefixed global variable