missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2351Reseller Store3553341k+Output is not escaped
#2352Restrict Elementor Widgets, Columns and Sections351853500Non-prefixed function
#2353Reveal IDs35231340k+Output is not escaped
#2354ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema3514207k+error log error log
#2355RICG Responsive Images3529252k+wp function not compatible with requires wp
#2356RichText Extension35254900Output is not escaped
#2357Robots.txt rewrite3556191k+Output is not escaped
#2358RPS Image Gallery358816700Output is not escaped
#2359RS CSV Importer Media Add-On35414k+Hidden files included
#2360s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions352458k+Missing direct file access protection
#2361sCode (Easy Shortcodes)3515797400Text Domain Mismatch
#2362Scripts To Footer351327k+Text Domain Mismatch
#2363Scroll Styler355221900Output is not escaped
#2364Search Console35622k+Missing Arg Domain
#2365Internal Links Manager3518812110k+Output is not escaped
#2366SEO Data Transporter35752k+Missing direct file access protection
#2367SEO Slider35242171k+Text Domain Mismatch
#2368SEUR Oficial35252981k+Non-prefixed global variable
#2369Security Optimizer – The All-In-One Protection Plugin3540861m+Input is not sanitized
#2370FlexTable – Data Table Sync with Google Sheets3520784k+Direct Query
#2371Shipping Zones by Drawing for WooCommerce3527895600Text Domain Mismatch
#2372Shop Page WP3568232k+Unsafe printing function
#2373Shopkeeper Extender3514265k+Missing Version
#2374ShopMagic Abandoned Cart Recovery for WooCommerce3516232k+Non-prefixed global variable
#2375ShopMagic for Google Sheets3589400Non-prefixed global variable
#2376Product Feed for Google Shopping, Microsoft Advertising and 40+ Channels for WooCommerce Merchant3583762k+Output is not escaped
#2377SHOPVOTE356458400curl curl setopt
#2378Shortcake (Shortcode UI)3593910k+Request data is not unslashed
#2379Show/Hide Content at Set Time3517710k+date date
#2380Simple CAPTCHA with Cloudflare Turnstile3582148100k+Output is not escaped
#2381Simple Export Import for ACF Data3519641k+Request data is not unslashed
#2382Simple Header Footer HTML353053k+Output is not escaped
#2383Simple History – Track, Log, and Audit WordPress Changes3532122300k+Non-prefixed global variable
#2384Simple Image Sizes35537560k+Unsafe printing function
#2385Simple Map3510110k+Output is not escaped
#2386Simple Popup Block35141500Missing direct file access protection
#2387Simple Post Type Permalinks351619k+date date
#2388Simple Website Redirect35335k+Discouraged text-domain loading
#2389Simple Yearly Archive35102366k+Unsafe printing function
#2390Simple Analytics3525201k+Output is not escaped
#2391SimpleTOC – Table of Contents Block3510010k+Setting is missing a sanitization callback
#2392SiteGround Migrator351137480k+Missing Arg Domain
#2393Sitekit3512283k+Output is not escaped
#2394SMNTCS Custom Logo Link354813k+badly named files
#2395SiteOrigin CSS356184100k+Not In Footer
#2396WPZOOM Connect: Social Icons Widget, Share Buttons & Click to Chat35283190k+Input is not sanitized
#2397Quiz Maker, Poll Maker & Survey Maker by Opinion Stage3542326k+Output is not escaped
#2398Social Sharing Plugin – Social Warfare351714320k+Non-prefixed class
#2399Solid Performance – Your No-Code Caching, Performance, & Page Speed Solution3575614k+Exception output is not escaped
#2400Spacious Toolkit354894700Non-prefixed global variable