missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2201 | Force Email Login | 35 | 5 | 0 | 800 | Hidden files included | ||
| #2202 | Force Regenerate Thumbnails | 35 | 12 | 17 | 200k+ | unlink unlink | ||
| #2203 | Force Reinstall | 35 | 118 | 34 | 2k+ | Output is not escaped | ||
| #2204 | Friendly Captcha for WordPress | 35 | 192 | 62 | 9k+ | Output is not escaped | ||
| #2205 | FrontBlocks for Gutenberg/GeneratePress | 35 | 10 | 7 | 500 | Offloaded Content | ||
| #2206 | Frontend Reset Password | 35 | 83 | 128 | 10k+ | Text Domain Mismatch | ||
| #2207 | g-FFL Cockpit | 35 | 18 | 224 | 500 | Direct Query | ||
| #2208 | Video Gallery – YouTube Gallery, Vimeo, Video Portfolio, Image Portfolio and Image Gallery | 35 | 50 | 199 | 10k+ | Non-prefixed global variable | ||
| #2209 | GD bbPress Attachments | 35 | 2 | 10 | 6k+ | wp redirect wp redirect | ||
| #2210 | GDPR Compliance & Cookie Consent | 35 | 251 | 61 | 4k+ | Output is not escaped | ||
| #2211 | Genesis Simple Sidebars | 35 | 9 | 51 | 10k+ | Nonce verification recommended | ||
| #2212 | GeoTargeting Lite – WordPress Geolocation | 35 | 66 | 79 | 1k+ | Output is not escaped | ||
| #2213 | Get a Newsletter | 35 | 138 | 144 | 400 | Output is not escaped | ||
| #2214 | Glossary | 35 | 169 | 93 | 2k+ | Non Singular String Literal Domain | ||
| #2215 | GNU Terry Pratchett | 35 | 2 | 1 | 1k+ | Hidden files included | ||
| #2216 | Google Analytics Opt-Out | 35 | 34 | 7 | 5k+ | Output is not escaped | ||
| #2217 | Reviews Block for Google | 35 | 244 | 35 | 1k+ | Missing Arg Domain | ||
| #2218 | Gravitec.net – Web Push Notifications | 35 | 47 | 52 | 1k+ | wp function not compatible with requires wp | ||
| #2219 | Gravity Forms: Multiple Form Instances | 35 | 6 | 6 | 700 | Hidden files included | ||
| #2220 | Gumlet – Image optimization with Resize, Compression, Lazy load, Caching & CDN delivery | 35 | 53 | 45 | 500 | parse url parse url | ||
| #2221 | Health Check & Troubleshooting | 35 | 264 | 238 | 300k+ | Missing Arg Domain | ||
| #2222 | Heartbeat Control | 35 | 27 | 18 | 80k+ | Missing Arg Domain | ||
| #2223 | Social Comments by Heateor | 35 | 285 | 35 | 700 | Unsafe printing function | ||
| #2224 | Help Scout | 35 | 11 | 13 | 400 | Missing direct file access protection | ||
| #2225 | HookMeUp for WooCommerce | 35 | 59 | 29 | 10k+ | Output is not escaped | ||
| #2226 | HT Form Widget for Elementor and WPForms | 35 | 8 | 9 | 2k+ | Output is not escaped | ||
| #2227 | HTTP Authentication | 35 | 23 | 6 | 600 | Output is not escaped | ||
| #2228 | Iframely – WP media embeds, cards and blocks | 35 | 136 | 43 | 2k+ | Unsafe printing function | ||
| #2229 | Image Slider | 35 | 192 | 95 | 4k+ | Output is not escaped | ||
| #2230 | Imsanity | 35 | 32 | 29 | 200k+ | Direct Query | ||
| #2231 | IndieWeb | 35 | 5 | 9 | 600 | Non-prefixed hook name | ||
| #2232 | Inspiro Starter Sites – 20+ Free Demo Templates for Gutenberg & Elementor | 35 | 6 | 200 | 10k+ | Non-prefixed global variable | ||
| #2233 | Social Feed Gallery | 35 | 104 | 52 | 80k+ | Text Domain Mismatch | ||
| #2234 | Instant CSS | 35 | 25 | 25 | 3k+ | Output is not escaped | ||
| #2235 | Instapage Plugin | 35 | 220 | 45 | 4k+ | Output is not escaped | ||
| #2236 | Integrate Umami | 35 | 10 | 0 | 2k+ | Hidden files included | ||
| #2237 | IntenseDebate Comments | 35 | 203 | 114 | 500 | Output is not escaped | ||
| #2238 | ICIT Weather Widget | 35 | 358 | 8 | 400 | Output is not escaped | ||
| #2239 | IP Based Login | 35 | 179 | 146 | 600 | Output is not escaped | ||
| #2240 | Issuu PDF Sync | 35 | 159 | 28 | 900 | Text Domain Mismatch | ||
| #2241 | Japanese font for WordPress(Previously: Japanese Font for TinyMCE) | 35 | 11 | 37 | 10k+ | Non-prefixed global variable | ||
| #2242 | Jarvis | 35 | 10 | 19 | 500 | Input is not validated | ||
| #2243 | Static Site Exporter | 35 | 54 | 25 | 500 | file system operations mkdir | ||
| #2244 | Jetpack VideoPress | 35 | 710 | 241 | 7k+ | Text Domain Mismatch | ||
| #2245 | JS Categories List Widget | 35 | 37 | 18 | 1k+ | Non Singular String Literal Domain | ||
| #2246 | JSON Feed (jsonfeed.org) | 35 | 9 | 29 | 1k+ | Non-prefixed global variable | ||
| #2247 | Kadence for WooCommerce and Elementor | 35 | 39 | 21 | 3k+ | Output is not escaped | ||
| #2248 | Kargo Takip | 35 | 84 | 142 | 3k+ | Missing nonce verification | ||
| #2249 | Kaya QR Code Generator | 35 | 193 | 40 | 20k+ | Non Singular String Literal Domain | ||
| #2250 | KBoard 위젯 – 워드프레스 게시판 | 35 | 53 | 32 | 3k+ | Output is not escaped |