missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2151 | Custom Post Type Permalinks | 35 | 8 | 4 | 200k+ | Setting is missing a sanitization callback | ||
| #2152 | Customizer Backup & Reset | 35 | 8 | 10 | 7k+ | Output is not escaped | ||
| #2153 | Dadevarzan WordPress Common | 35 | 56 | 71 | 700 | Text Domain Mismatch | ||
| #2154 | DarkLooks – Dark Mode Switcher For WordPress | 35 | 195 | 21 | 900 | Text Domain Mismatch | ||
| #2155 | Deposits & Partial Payments for WooCommerce | 35 | 174 | 144 | 5k+ | Text Domain Mismatch | ||
| #2156 | DesignSetGo | 35 | 7 | 0 | 5k+ | Hidden files included | ||
| #2157 | Nexi Checkout | 35 | 45 | 308 | 3k+ | Dynamic hook name | ||
| #2158 | Dintero Checkout for WooCommerce Payment Methods | 35 | 58 | 48 | 600 | Text Domain Mismatch | ||
| #2159 | PiWeb Disable payment method / Partial payment for WooCommerce | 35 | 55 | 221 | 4k+ | Non-prefixed class | ||
| #2160 | Disable and Remove Google Fonts | GDPR & DSGVO friendly | 35 | 21 | 11 | 100k+ | Missing Translators Comment | ||
| #2161 | Disable XML-RPC-API | 35 | 444 | 52 | 100k+ | Text Domain Mismatch | ||
| #2162 | Disk Usage Sunburst | 35 | 30 | 34 | 9k+ | Output is not escaped | ||
| #2163 | Potent Donations for WooCommerce | 35 | 14 | 25 | 2k+ | Missing nonce verification | ||
| #2164 | DOOFINDER Search and Discovery for WP & WooCommerce | 35 | 151 | 120 | 2k+ | Text Domain Mismatch | ||
| #2165 | Dropshipping XML for WooCommerce | 35 | 9 | 27 | 800 | Non-prefixed global variable | ||
| #2166 | Duplica – Duplicate Posts, Pages, Custom Posts or Users | 35 | 14 | 31 | 2k+ | Non-prefixed global variable | ||
| #2167 | DynamicTags | 35 | 116 | 16 | 2k+ | Text Domain Mismatch | ||
| #2168 | Easy Dash for LearnDash | 35 | 623 | 88 | 700 | Text Domain Mismatch | ||
| #2169 | Easy Noindex And Nofollow | 35 | 55 | 18 | 400 | Output is not escaped | ||
| #2170 | Easy Social Icons | 35 | 182 | 158 | 20k+ | Output is not escaped | ||
| #2171 | Easy Watermark | 35 | 82 | 53 | 30k+ | Non-prefixed global variable | ||
| #2172 | Editorial Calendar | 35 | 127 | 160 | 20k+ | Output is not escaped | ||
| #2173 | Gutenberg Blocks Library & Toolkit – Editor Plus | 35 | 27 | 11 | 6k+ | Text Domain Mismatch | ||
| #2174 | Elementor Website Builder – more than just a page builder | 35 | 46 | 428 | 10m+ | Non-prefixed global variable | ||
| #2175 | Elements Hive for Breakdance | 35 | 76 | 25 | 1k+ | Output is not escaped | ||
| #2176 | Email Subscription Popup — Newsletter & GDPR Consent | 35 | 683 | 193 | 1k+ | Output is not escaped | ||
| #2177 | Email Validator for Contact Form 7 | 35 | 111 | 74 | 500 | SQL query is not prepared | ||
| #2178 | Embed Extended – Embed Maps, Videos, Websites, Source Codes, and more | 35 | 102 | 92 | 400 | Non-prefixed global variable | ||
| #2179 | Enhanced Recent Posts | 35 | 78 | 24 | 400 | Output is not escaped | ||
| #2180 | Enlighter – Customizable Syntax Highlighter | 35 | 50 | 10 | 10k+ | Output is not escaped | ||
| #2181 | EnvíaloSimple: Email Marketing y Newsletters | 35 | 147 | 250 | 2k+ | Nonce verification recommended | ||
| #2182 | Equivalent Mobile Redirect | 35 | 29 | 17 | 2k+ | Text Domain Mismatch | ||
| #2183 | Connect WooCommerce to ActiveCampaign by EqualServing | 35 | 135 | 89 | 1k+ | Text Domain Mismatch | ||
| #2184 | EWWW Image Optimizer | 35 | 225 | 731 | 1m+ | Direct Query | ||
| #2185 | AI Popup Builder & Popup Maker by OptiMonk | 35 | 81 | 65 | 4k+ | Text Domain Mismatch | ||
| #2186 | Export Featured Images | 35 | 176 | 67 | 1k+ | Output is not escaped | ||
| #2187 | Extra Shortcodes | 35 | 35 | 3 | 1k+ | date date | ||
| #2188 | WP2Social Auto Publish | 35 | 643 | 215 | 9k+ | Unsafe printing function | ||
| #2189 | Pixel Cat – Conversion Pixel Manager | 35 | 253 | 215 | 40k+ | Output is not escaped | ||
| #2190 | Fancy Elements for Avada | 35 | 371 | 10 | 400 | Text Domain Mismatch | ||
| #2191 | Instant Indexing for Google | 35 | 13 | 62 | 200k+ | Non-prefixed global variable | ||
| #2192 | Reviews Widgets for Google, TripAdvisor, Yelp & Recommendations | 35 | 255 | 225 | 10k+ | Output is not escaped | ||
| #2193 | Windows Compatibility Fix | 35 | 13 | 6 | 1k+ | Plugin Directory Write | ||
| #2194 | Flat Preloader | 35 | 40 | 15 | 3k+ | Output is not escaped | ||
| #2195 | Flexible Checkout Fields for WooCommerce – WooCommerce Checkout Manager | 35 | 64 | 64 | 80k+ | Non-prefixed global variable | ||
| #2196 | Flexible PDF Coupons – Gift Cards & Vouchers for WooCommerce | 35 | 8 | 20 | 2k+ | Non-prefixed global variable | ||
| #2197 | Flexible PDF Invoices for WooCommerce & WordPress | 35 | 15 | 55 | 6k+ | Non-prefixed global variable | ||
| #2198 | Flexible Subscriptions | 35 | 46 | 249 | 1k+ | Non-prefixed global variable | ||
| #2199 | Flying Analytics: Self-Host Google Analytics v4 with Speed Optimization | 35 | 17 | 13 | 4k+ | Missing direct file access protection | ||
| #2200 | Events Calendar by FooEvents | 35 | 57 | 59 | 4k+ | Non-prefixed global variable |