missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2301 | OPcache Reset | 35 | 9 | 7 | 400 | Non-prefixed function | ||
| #2302 | Order Delivery Date for WooCommerce | 35 | 2,075 | 73 | 10k+ | wp function not compatible with requires wp | ||
| #2303 | OSM Map Widget for Elementor | 35 | 183 | 14 | 9k+ | Text Domain Mismatch | ||
| #2304 | OT Flatsome Vertical Menu | 35 | 126 | 26 | 10k+ | Text Domain Mismatch | ||
| #2305 | Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE | 35 | 131 | 41 | 300k+ | Missing direct file access protection | ||
| #2306 | Page Optimize | 35 | 70 | 41 | 200k+ | Non Singular String Literal Domain | ||
| #2307 | Paytm Payment Gateway | 35 | 92 | 104 | 3k+ | Missing Arg Domain | ||
| #2308 | Paytrail for WooCommerce | 35 | 28 | 46 | 3k+ | Non-prefixed global variable | ||
| #2309 | Pearl – Header Builder | 35 | 7 | 283 | 5k+ | Non-prefixed global variable | ||
| #2310 | Perfecty Push Notifications | 35 | 204 | 213 | 4k+ | SQL query is not prepared | ||
| #2311 | Permissions Editor for Ninja Forms | 35 | 29 | 6 | 1k+ | Output is not escaped | ||
| #2312 | Pie Calendar – Events Calendar Made Simple | 35 | 83 | 53 | 1k+ | Text Domain Mismatch | ||
| #2313 | Piwik PRO | 35 | 22 | 3 | 3k+ | Output is not escaped | ||
| #2314 | Pixeline's Email Protector | 35 | 77 | 5 | 800 | Unsafe printing function | ||
| #2315 | Planyo online reservation system | 35 | 64 | 90 | 400 | Output is not escaped | ||
| #2316 | Plausible Analytics | 35 | 244 | 61 | 10k+ | Exception output is not escaped | ||
| #2317 | Accept Cryptocurrencies with Plisio | 35 | 37 | 47 | 1k+ | Text Domain Mismatch | ||
| #2318 | Pochipp | 35 | 27 | 102 | 20k+ | Non-prefixed global variable | ||
| #2319 | Poptin – Email Marketing Automation, Newsletter & Exit Pop Ups, Email Popups | 35 | 168 | 29 | 20k+ | Output is not escaped | ||
| #2320 | Popular Posts | 35 | 166 | 71 | 900 | Unsafe printing function | ||
| #2321 | Popup with fancybox | 35 | 196 | 168 | 900 | Unsafe printing function | ||
| #2322 | Post Content Shortcodes | 35 | 205 | 56 | 2k+ | Output is not escaped | ||
| #2323 | Post Draft Preview | 35 | 49 | 69 | 700 | Text Domain Mismatch | ||
| #2324 | Post List Featured Image | 35 | 112 | 100 | 900 | Output is not escaped | ||
| #2325 | Post Meta Data Manager | 35 | 30 | 112 | 1k+ | Non-prefixed global variable | ||
| #2326 | Post Password Token | 35 | 132 | 38 | 600 | Text Domain Mismatch | ||
| #2327 | Posts Table with Search & Sort | 35 | 143 | 33 | 3k+ | Text Domain Mismatch | ||
| #2328 | Powerful Posts Per Page (PPPP) | 35 | 4 | 1 | 1k+ | Hidden files included | ||
| #2329 | Pre-Publish Checklist | 35 | 7 | 2 | 1k+ | Missing direct file access protection | ||
| #2330 | Presto Player | 35 | 37 | 78 | 100k+ | Missing Arg Domain | ||
| #2331 | Product Blocks for WooCommerce | 35 | 4 | 3 | 4k+ | slow db query tax query | ||
| #2332 | Product Delivery Date for WooCommerce – Lite | 35 | 171 | 27 | 1k+ | Text Domain Mismatch | ||
| #2333 | Product Input Fields for WooCommerce | 35 | 18 | 84 | 4k+ | Non-prefixed function | ||
| #2334 | Ninjalytics: Sales Reports & Order Export for WooCommerce and EDD | 35 | 6 | 32 | 6k+ | Non-prefixed global variable | ||
| #2335 | Pronamic Client | 35 | 111 | 48 | 700 | Output is not escaped | ||
| #2336 | Publitio | 35 | 47 | 26 | 400 | curl curl setopt | ||
| #2337 | Push Notifications by LaraPush | 35 | 32 | 76 | 5k+ | Non-prefixed global variable | ||
| #2338 | Push7 | 35 | 45 | 17 | 700 | Short PHP open tag found | ||
| #2339 | QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly | 35 | 225 | 110 | 8k+ | Non Singular String Literal Domain | ||
| #2340 | Quran multilanguage Text & Audio | 35 | 177 | 166 | 500 | Output is not escaped | ||
| #2341 | Random Post on Refresh | 35 | 3 | 8 | 500 | Non-prefixed hook name | ||
| #2342 | Flutterwave WooCommerce | 35 | 7 | 20 | 2k+ | Non-prefixed class | ||
| #2343 | ReactPress – Create React App for WordPress | 35 | 26 | 43 | 3k+ | Request data is not unslashed | ||
| #2344 | Real Time Validation for Gravity Forms | 35 | 185 | 30 | 2k+ | Output is not escaped | ||
| #2345 | Really Simple Google Tag Manager (GTM) | 35 | 115 | 15 | 4k+ | Text Domain Mismatch | ||
| #2346 | Related Posts by Taxonomy | 35 | 131 | 97 | 10k+ | Output is not escaped | ||
| #2347 | Related Posts for WordPress | 35 | 207 | 180 | 10k+ | Output is not escaped | ||
| #2348 | Remove Admin Toolbar | 35 | 13 | 7 | 600 | Missing direct file access protection | ||
| #2349 | ReOrder Posts within Categories | 35 | 39 | 207 | 7k+ | Non-prefixed global variable | ||
| #2350 | Repeaters & Relationships Connector with ACF for Elementor | 35 | 6 | 3 | 700 | Missing direct file access protection |