missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2251Keyring352332031k+Output is not escaped
#2252Kiyoh customer review3517368500Output is not escaped
#2253Kustom Checkout for WooCommerce3510150510k+Dynamic hook name
#2254Flexible Invoices for WooCommerce – KSeF Add-on353915600Non-prefixed global variable
#2255Lead Call Buttons35113815k+Output is not escaped
#2256Lead Form Builder & Contact Form354003459k+Output is not escaped
#2257Topic Progression Using Storyline/Captivate for LearnDash3538225400Text Domain Mismatch
#2258Lenix scss compiler3513334800Exception output is not escaped
#2259Less PHP Compiler35163473k+Exception output is not escaped
#2260Web3Press – Migrating to 3ook.com Decentralized Bookstore35749400Non-prefixed constant
#2261LiteSpeed Cache352868937m+Non-prefixed global variable
#2262Log HTTP Requests357182k+Interpolated SQL is not prepared
#2263Login-Logout3510483k+Output is not escaped
#2264Login Page Styler – Custom WordPress Login Page Customizer & Security351251682k+Missing Arg Domain
#2265Log in with Google355176k+Non-prefixed global variable
#2266Magic Login – Passwordless Authentication for WordPress – Login Without Password3523533k+Missing nonce verification
#2267Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )352661275k+Output is not escaped
#2268Mail Queue35251031k+Nonce verification recommended
#2269Maintenance Switch351259600Non-prefixed function
#2270MainWP Child Reports3549116100k+Non-prefixed hook name
#2271Marquee image crawler35168136700Non-prefixed global variable
#2272MathML Block351021k+Hidden files included
#2273Media Credit3528351k+Non-prefixed global variable
#2274Media Library Downloader3521164k+Output is not escaped
#2275MeetingHub – Webinar & Meeting Plugin for Zoom, Google Meet, Webex, Microsoft Teams, & Jitsi Meet3537313400Non-prefixed global variable
#2276Menu Item Duplicator35302k+Hidden files included
#2277Mini Ajax Cart for WooCommerce35297240900Text Domain Mismatch
#2278Mini Cart for WooCommerce – Add a Stylish Sliding Cart3542160600Non-prefixed global variable
#2279Modern Images WP35103400Missing Translators Comment
#2280MONEI Payments for WooCommerce351565500Non-prefixed hook name
#2281mosparo Integration35114301900Missing nonce verification
#2282AI Product Search for WooCommerce – Motive Commerce Search357082400Missing direct file access protection
#2283MotoPress Hotel Booking Styles & Templates35371910k+block api version too low
#2284Hide from Search35583k+Missing direct file access protection
#2285Image Refresh3546900Dynamic hook name
#2286Never Let Me Go353447400Non-prefixed global variable
#2287NewsPlugin358453400Text Domain Mismatch
#2288NGG Smart Image Search35298155400Output is not escaped
#2289Nginx Cache Controller3579961k+Text Domain Mismatch
#2290Ni WooCommerce Sales Report35236256500Text Domain Mismatch
#2291Nooz35287108500Text Domain Mismatch
#2292NS Cloner – Site Cloner and Multisite Duplicator3529167k+Missing direct file access protection
#2293Fonts Plugin | Google Fonts, Adobe Fonts & Upload Fonts35418200k+Missing direct file access protection
#2294Newsletters, Email Marketing, SMS and Popups by Omnisend3542100k+Hidden files included
#2295Email Marketing for WooCommerce by Omnisend35122140k+Non-prefixed function
#2296One Page Express Companion351326510k+Output is not escaped
#2297ONet Regenerate Thumbnails35190641k+Text Domain Mismatch
#2298Plugin Ongkos Kirim JNE Tiki Sicepat Wahana J&T POS for Woocommerce351171442k+Output is not escaped
#2299Out of the Block: OpenStreetMap3594700Missing direct file access protection
#2300OPcache Manager35155751k+Output is not escaped