missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2301OPcache Reset3597400Non-prefixed function
#2302Order Delivery Date for WooCommerce352,0757310k+wp function not compatible with requires wp
#2303OSM Map Widget for Elementor35183149k+Text Domain Mismatch
#2304OT Flatsome Vertical Menu351262610k+Text Domain Mismatch
#2305Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE3513141300k+Missing direct file access protection
#2306Page Optimize357041200k+Non Singular String Literal Domain
#2307Paytm Payment Gateway35921043k+Missing Arg Domain
#2308Paytrail for WooCommerce3528463k+Non-prefixed global variable
#2309Pearl – Header Builder3572835k+Non-prefixed global variable
#2310Perfecty Push Notifications352042134k+SQL query is not prepared
#2311Permissions Editor for Ninja Forms352961k+Output is not escaped
#2312Pie Calendar – Events Calendar Made Simple3583531k+Text Domain Mismatch
#2313Piwik PRO352233k+Output is not escaped
#2314Pixeline's Email Protector35775800Unsafe printing function
#2315Planyo online reservation system356490400Output is not escaped
#2316Plausible Analytics352446110k+Exception output is not escaped
#2317Accept Cryptocurrencies with Plisio3537471k+Text Domain Mismatch
#2318Pochipp352710220k+Non-prefixed global variable
#2319Poptin – Email Marketing Automation, Newsletter & Exit Pop Ups, Email Popups351682920k+Output is not escaped
#2320Popular Posts3516671900Unsafe printing function
#2321Popup with fancybox35196168900Unsafe printing function
#2322Post Content Shortcodes35205562k+Output is not escaped
#2323Post Draft Preview354969700Text Domain Mismatch
#2324Post List Featured Image35112100900Output is not escaped
#2325Post Meta Data Manager35301121k+Non-prefixed global variable
#2326Post Password Token3513238600Text Domain Mismatch
#2327Posts Table with Search & Sort35143333k+Text Domain Mismatch
#2328Powerful Posts Per Page (PPPP)35411k+Hidden files included
#2329Pre-Publish Checklist35721k+Missing direct file access protection
#2330Presto Player353778100k+Missing Arg Domain
#2331Product Blocks for WooCommerce35434k+slow db query tax query
#2332Product Delivery Date for WooCommerce – Lite35171271k+Text Domain Mismatch
#2333Product Input Fields for WooCommerce3518844k+Non-prefixed function
#2334Ninjalytics: Sales Reports & Order Export for WooCommerce and EDD356326k+Non-prefixed global variable
#2335Pronamic Client3511148700Output is not escaped
#2336Publitio354726400curl curl setopt
#2337Push Notifications by LaraPush3532765k+Non-prefixed global variable
#2338Push7354517700Short PHP open tag found
#2339QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly352251108k+Non Singular String Literal Domain
#2340Quran multilanguage Text & Audio35177166500Output is not escaped
#2341Random Post on Refresh3538500Non-prefixed hook name
#2342Flutterwave WooCommerce357202k+Non-prefixed class
#2343ReactPress – Create React App for WordPress3526433k+Request data is not unslashed
#2344Real Time Validation for Gravity Forms35185302k+Output is not escaped
#2345Really Simple Google Tag Manager (GTM)35115154k+Text Domain Mismatch
#2346Related Posts by Taxonomy351319710k+Output is not escaped
#2347Related Posts for WordPress3520718010k+Output is not escaped
#2348Remove Admin Toolbar35137600Missing direct file access protection
#2349ReOrder Posts within Categories35392077k+Non-prefixed global variable
#2350Repeaters & Relationships Connector with ACF for Elementor3563700Missing direct file access protection