missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2351 | Reseller Store | 35 | 53 | 34 | 1k+ | Output is not escaped | ||
| #2352 | Restrict Elementor Widgets, Columns and Sections | 35 | 18 | 53 | 500 | Non-prefixed function | ||
| #2353 | Reveal IDs | 35 | 23 | 13 | 40k+ | Output is not escaped | ||
| #2354 | ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema | 35 | 14 | 20 | 7k+ | error log error log | ||
| #2355 | RICG Responsive Images | 35 | 29 | 25 | 2k+ | wp function not compatible with requires wp | ||
| #2356 | RichText Extension | 35 | 25 | 4 | 900 | Output is not escaped | ||
| #2357 | Robots.txt rewrite | 35 | 56 | 19 | 1k+ | Output is not escaped | ||
| #2358 | RPS Image Gallery | 35 | 88 | 16 | 700 | Output is not escaped | ||
| #2359 | RS CSV Importer Media Add-On | 35 | 4 | 1 | 4k+ | Hidden files included | ||
| #2360 | s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions | 35 | 24 | 5 | 8k+ | Missing direct file access protection | ||
| #2361 | sCode (Easy Shortcodes) | 35 | 157 | 97 | 400 | Text Domain Mismatch | ||
| #2362 | Scripts To Footer | 35 | 13 | 2 | 7k+ | Text Domain Mismatch | ||
| #2363 | Scroll Styler | 35 | 52 | 21 | 900 | Output is not escaped | ||
| #2364 | Search Console | 35 | 6 | 2 | 2k+ | Missing Arg Domain | ||
| #2365 | Internal Links Manager | 35 | 188 | 121 | 10k+ | Output is not escaped | ||
| #2366 | SEO Data Transporter | 35 | 7 | 5 | 2k+ | Missing direct file access protection | ||
| #2367 | SEO Slider | 35 | 242 | 17 | 1k+ | Text Domain Mismatch | ||
| #2368 | SEUR Oficial | 35 | 25 | 298 | 1k+ | Non-prefixed global variable | ||
| #2369 | Security Optimizer – The All-In-One Protection Plugin | 35 | 40 | 86 | 1m+ | Input is not sanitized | ||
| #2370 | FlexTable – Data Table Sync with Google Sheets | 35 | 20 | 78 | 4k+ | Direct Query | ||
| #2371 | Shipping Zones by Drawing for WooCommerce | 35 | 278 | 95 | 600 | Text Domain Mismatch | ||
| #2372 | Shop Page WP | 35 | 68 | 23 | 2k+ | Unsafe printing function | ||
| #2373 | Shopkeeper Extender | 35 | 14 | 26 | 5k+ | Missing Version | ||
| #2374 | ShopMagic Abandoned Cart Recovery for WooCommerce | 35 | 16 | 23 | 2k+ | Non-prefixed global variable | ||
| #2375 | ShopMagic for Google Sheets | 35 | 8 | 9 | 400 | Non-prefixed global variable | ||
| #2376 | Product Feed for Google Shopping, Microsoft Advertising and 40+ Channels for WooCommerce Merchant | 35 | 83 | 76 | 2k+ | Output is not escaped | ||
| #2377 | SHOPVOTE | 35 | 64 | 58 | 400 | curl curl setopt | ||
| #2378 | Shortcake (Shortcode UI) | 35 | 9 | 39 | 10k+ | Request data is not unslashed | ||
| #2379 | Show/Hide Content at Set Time | 35 | 17 | 7 | 10k+ | date date | ||
| #2380 | Simple CAPTCHA with Cloudflare Turnstile | 35 | 82 | 148 | 100k+ | Output is not escaped | ||
| #2381 | Simple Export Import for ACF Data | 35 | 19 | 64 | 1k+ | Request data is not unslashed | ||
| #2382 | Simple Header Footer HTML | 35 | 30 | 5 | 3k+ | Output is not escaped | ||
| #2383 | Simple History – Track, Log, and Audit WordPress Changes | 35 | 32 | 122 | 300k+ | Non-prefixed global variable | ||
| #2384 | Simple Image Sizes | 35 | 53 | 75 | 60k+ | Unsafe printing function | ||
| #2385 | Simple Map | 35 | 10 | 1 | 10k+ | Output is not escaped | ||
| #2386 | Simple Popup Block | 35 | 14 | 1 | 500 | Missing direct file access protection | ||
| #2387 | Simple Post Type Permalinks | 35 | 16 | 1 | 9k+ | date date | ||
| #2388 | Simple Website Redirect | 35 | 3 | 3 | 5k+ | Discouraged text-domain loading | ||
| #2389 | Simple Yearly Archive | 35 | 102 | 36 | 6k+ | Unsafe printing function | ||
| #2390 | Simple Analytics | 35 | 25 | 20 | 1k+ | Output is not escaped | ||
| #2391 | SimpleTOC – Table of Contents Block | 35 | 10 | 0 | 10k+ | Setting is missing a sanitization callback | ||
| #2392 | SiteGround Migrator | 35 | 113 | 74 | 80k+ | Missing Arg Domain | ||
| #2393 | Sitekit | 35 | 122 | 8 | 3k+ | Output is not escaped | ||
| #2394 | SMNTCS Custom Logo Link | 35 | 48 | 1 | 3k+ | badly named files | ||
| #2395 | SiteOrigin CSS | 35 | 61 | 84 | 100k+ | Not In Footer | ||
| #2396 | WPZOOM Connect: Social Icons Widget, Share Buttons & Click to Chat | 35 | 28 | 31 | 90k+ | Input is not sanitized | ||
| #2397 | Quiz Maker, Poll Maker & Survey Maker by Opinion Stage | 35 | 42 | 32 | 6k+ | Output is not escaped | ||
| #2398 | Social Sharing Plugin – Social Warfare | 35 | 17 | 143 | 20k+ | Non-prefixed class | ||
| #2399 | Solid Performance – Your No-Code Caching, Performance, & Page Speed Solution | 35 | 75 | 61 | 4k+ | Exception output is not escaped | ||
| #2400 | Spacious Toolkit | 35 | 48 | 94 | 700 | Non-prefixed global variable |