missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2251 | Keyring | 35 | 233 | 203 | 1k+ | Output is not escaped | ||
| #2252 | Kiyoh customer review | 35 | 173 | 68 | 500 | Output is not escaped | ||
| #2253 | Kustom Checkout for WooCommerce | 35 | 101 | 505 | 10k+ | Dynamic hook name | ||
| #2254 | Flexible Invoices for WooCommerce – KSeF Add-on | 35 | 39 | 15 | 600 | Non-prefixed global variable | ||
| #2255 | Lead Call Buttons | 35 | 113 | 81 | 5k+ | Output is not escaped | ||
| #2256 | Lead Form Builder & Contact Form | 35 | 400 | 345 | 9k+ | Output is not escaped | ||
| #2257 | Topic Progression Using Storyline/Captivate for LearnDash | 35 | 382 | 25 | 400 | Text Domain Mismatch | ||
| #2258 | Lenix scss compiler | 35 | 133 | 34 | 800 | Exception output is not escaped | ||
| #2259 | Less PHP Compiler | 35 | 163 | 47 | 3k+ | Exception output is not escaped | ||
| #2260 | Web3Press – Migrating to 3ook.com Decentralized Bookstore | 35 | 7 | 49 | 400 | Non-prefixed constant | ||
| #2261 | LiteSpeed Cache | 35 | 286 | 893 | 7m+ | Non-prefixed global variable | ||
| #2262 | Log HTTP Requests | 35 | 7 | 18 | 2k+ | Interpolated SQL is not prepared | ||
| #2263 | Login-Logout | 35 | 104 | 8 | 3k+ | Output is not escaped | ||
| #2264 | Login Page Styler – Custom WordPress Login Page Customizer & Security | 35 | 125 | 168 | 2k+ | Missing Arg Domain | ||
| #2265 | Log in with Google | 35 | 5 | 17 | 6k+ | Non-prefixed global variable | ||
| #2266 | Magic Login – Passwordless Authentication for WordPress – Login Without Password | 35 | 23 | 53 | 3k+ | Missing nonce verification | ||
| #2267 | Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library ) | 35 | 266 | 127 | 5k+ | Output is not escaped | ||
| #2268 | Mail Queue | 35 | 25 | 103 | 1k+ | Nonce verification recommended | ||
| #2269 | Maintenance Switch | 35 | 12 | 59 | 600 | Non-prefixed function | ||
| #2270 | MainWP Child Reports | 35 | 49 | 116 | 100k+ | Non-prefixed hook name | ||
| #2271 | Marquee image crawler | 35 | 168 | 136 | 700 | Non-prefixed global variable | ||
| #2272 | MathML Block | 35 | 10 | 2 | 1k+ | Hidden files included | ||
| #2273 | Media Credit | 35 | 28 | 35 | 1k+ | Non-prefixed global variable | ||
| #2274 | Media Library Downloader | 35 | 21 | 16 | 4k+ | Output is not escaped | ||
| #2275 | MeetingHub – Webinar & Meeting Plugin for Zoom, Google Meet, Webex, Microsoft Teams, & Jitsi Meet | 35 | 37 | 313 | 400 | Non-prefixed global variable | ||
| #2276 | Menu Item Duplicator | 35 | 3 | 0 | 2k+ | Hidden files included | ||
| #2277 | Mini Ajax Cart for WooCommerce | 35 | 297 | 240 | 900 | Text Domain Mismatch | ||
| #2278 | Mini Cart for WooCommerce – Add a Stylish Sliding Cart | 35 | 42 | 160 | 600 | Non-prefixed global variable | ||
| #2279 | Modern Images WP | 35 | 10 | 3 | 400 | Missing Translators Comment | ||
| #2280 | MONEI Payments for WooCommerce | 35 | 15 | 65 | 500 | Non-prefixed hook name | ||
| #2281 | mosparo Integration | 35 | 114 | 301 | 900 | Missing nonce verification | ||
| #2282 | AI Product Search for WooCommerce – Motive Commerce Search | 35 | 70 | 82 | 400 | Missing direct file access protection | ||
| #2283 | MotoPress Hotel Booking Styles & Templates | 35 | 37 | 19 | 10k+ | block api version too low | ||
| #2284 | Hide from Search | 35 | 5 | 8 | 3k+ | Missing direct file access protection | ||
| #2285 | Image Refresh | 35 | 4 | 6 | 900 | Dynamic hook name | ||
| #2286 | Never Let Me Go | 35 | 34 | 47 | 400 | Non-prefixed global variable | ||
| #2287 | NewsPlugin | 35 | 84 | 53 | 400 | Text Domain Mismatch | ||
| #2288 | NGG Smart Image Search | 35 | 298 | 155 | 400 | Output is not escaped | ||
| #2289 | Nginx Cache Controller | 35 | 79 | 96 | 1k+ | Text Domain Mismatch | ||
| #2290 | Ni WooCommerce Sales Report | 35 | 236 | 256 | 500 | Text Domain Mismatch | ||
| #2291 | Nooz | 35 | 287 | 108 | 500 | Text Domain Mismatch | ||
| #2292 | NS Cloner – Site Cloner and Multisite Duplicator | 35 | 29 | 16 | 7k+ | Missing direct file access protection | ||
| #2293 | Fonts Plugin | Google Fonts, Adobe Fonts & Upload Fonts | 35 | 41 | 8 | 200k+ | Missing direct file access protection | ||
| #2294 | Newsletters, Email Marketing, SMS and Popups by Omnisend | 35 | 4 | 2 | 100k+ | Hidden files included | ||
| #2295 | Email Marketing for WooCommerce by Omnisend | 35 | 12 | 21 | 40k+ | Non-prefixed function | ||
| #2296 | One Page Express Companion | 35 | 132 | 65 | 10k+ | Output is not escaped | ||
| #2297 | ONet Regenerate Thumbnails | 35 | 190 | 64 | 1k+ | Text Domain Mismatch | ||
| #2298 | Plugin Ongkos Kirim JNE Tiki Sicepat Wahana J&T POS for Woocommerce | 35 | 117 | 144 | 2k+ | Output is not escaped | ||
| #2299 | Out of the Block: OpenStreetMap | 35 | 9 | 4 | 700 | Missing direct file access protection | ||
| #2300 | OPcache Manager | 35 | 155 | 75 | 1k+ | Output is not escaped |