missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2401 | Ray | 35 | 3 | 2 | 500 | Hidden files included | ||
| #2402 | Spectra Blocks – AI Website Builder for the Block Editor | 35 | 241 | 1,276 | 8k+ | Non-prefixed global variable | ||
| #2403 | Spots | 35 | 195 | 49 | 800 | Output is not escaped | ||
| #2404 | Spreadshop Plugin | 35 | 145 | 44 | 4k+ | wp function not compatible with requires wp | ||
| #2405 | Square Thumbnails | 35 | 43 | 317 | 800 | error log error log | ||
| #2406 | SrbTransLatin – Serbian Latinisation | 35 | 11 | 28 | 2k+ | Non-prefixed global variable | ||
| #2407 | SSL Insecure Content Fixer | 35 | 28 | 60 | 100k+ | Input is not sanitized | ||
| #2408 | Steady for WordPress | 35 | 6 | 13 | 600 | Non-prefixed global variable | ||
| #2409 | Sticky Chat Widget – Floating Chat Icons, Contact Form, Call, Click to Chat, Email & Message Buttons | 35 | 33 | 293 | 10k+ | Non-prefixed global variable | ||
| #2410 | String locator | 35 | 52 | 319 | 100k+ | Non-prefixed global variable | ||
| #2411 | Subscribe to Unlock Lite – Opt In Content Locker Plugin for WordPress | 35 | 106 | 145 | 500 | Non-prefixed global variable | ||
| #2412 | Super Cool Ad Inserter Plugin | 35 | 22 | 5 | 600 | Text Domain Mismatch | ||
| #2413 | SweepPress: Website Cleanup and Optimization | 35 | 71 | 176 | 500 | Non-prefixed global variable | ||
| #2414 | Table for Divi | 35 | 5 | 2 | 2k+ | Hidden files included | ||
| #2415 | TailPress – Tailwind for WordPress | 35 | 23 | 22 | 500 | Output is not escaped | ||
| #2416 | Tapfiliate | 35 | 35 | 49 | 400 | Nonce verification recommended | ||
| #2417 | TBThemes Theme Import | 35 | 84 | 48 | 400 | Text Domain Mismatch | ||
| #2418 | TC Custom JavaScript | 35 | 19 | 26 | 10k+ | Missing Version | ||
| #2419 | Teamleader CRM Forms | 35 | 150 | 30 | 500 | Non Singular String Literal Domain | ||
| #2420 | Starter Sites & Templates by Neve | 35 | 28 | 88 | 100k+ | Non-prefixed hook name | ||
| #2421 | Termageddon: Cookie Consent & Privacy Compliance | 35 | 27 | 13 | 7k+ | Exception output is not escaped | ||
| #2422 | Advance Product Search- Voice & Ajax Search for WooCommerce | 35 | 125 | 92 | 10k+ | Text Domain Mismatch | ||
| #2423 | The Social Links | 35 | 16 | 29 | 2k+ | Non-prefixed global variable | ||
| #2424 | Theme Blvd Layout Builder | 35 | 207 | 169 | 2k+ | Output is not escaped | ||
| #2425 | ThemeRain Core | 35 | 69 | 61 | 1k+ | Text Domain Mismatch | ||
| #2426 | Themify Audio Dock | 35 | 22 | 9 | 900 | Non-prefixed global variable | ||
| #2427 | Themify Icons | 35 | 33 | 12 | 3k+ | Output is not escaped | ||
| #2428 | Themify Shortcodes | 35 | 36 | 16 | 7k+ | Output is not escaped | ||
| #2429 | Thumbnail Editor | 35 | 187 | 68 | 600 | wp function not compatible with requires wp | ||
| #2430 | TikTok | 35 | 31 | 22 | 200k+ | Missing Arg Domain | ||
| #2431 | TinyMCE Templates | 35 | 41 | 27 | 20k+ | Text Domain Mismatch | ||
| #2432 | Transcoder | 35 | 42 | 111 | 400 | Non-prefixed function | ||
| #2433 | TS Webfonts for さくらのレンタルサーバ | 35 | 183 | 100 | 30k+ | Missing Arg Domain | ||
| #2434 | Two Factor Authentication | 35 | 108 | 139 | 20k+ | Output is not escaped | ||
| #2435 | uCalc | 35 | 78 | 8 | 600 | Text Domain Mismatch | ||
| #2436 | Ultimate Post List | 35 | 186 | 84 | 2k+ | Missing Arg Domain | ||
| #2437 | Unagi | 35 | 9 | 2 | 900 | Missing direct file access protection | ||
| #2438 | Under Construction | 35 | 3 | 0 | 600k+ | Hidden files included | ||
| #2439 | Use Google Libraries | 35 | 13 | 5 | 10k+ | Hidden files included | ||
| #2440 | User Photo | 35 | 112 | 68 | 3k+ | Output is not escaped | ||
| #2441 | Vendi Abandoned Plugin Check | 35 | 13 | 3 | 1k+ | trademarked term | ||
| #2442 | Embed videos and respect privacy | 35 | 6 | 11 | 2k+ | Non-prefixed global variable | ||
| #2443 | Video Grid | 35 | 253 | 106 | 1k+ | Output is not escaped | ||
| #2444 | Void Elementor Post Grid Addon for Elementor Page builder | 35 | 189 | 93 | 3k+ | Text Domain Mismatch | ||
| #2445 | Voyapp Chile – Lugares y Cotizador de Despachos | 35 | 225 | 84 | 400 | Output is not escaped | ||
| #2446 | W4 Post List | 35 | 50 | 138 | 3k+ | Non-prefixed global variable | ||
| #2447 | Walls.io: Social Media Feed | 35 | 10 | 7 | 1k+ | Hidden files included | ||
| #2448 | WATI Chat and Notification | 35 | 9 | 0 | 600 | Missing direct file access protection | ||
| #2449 | Wavy Divider | 35 | 10 | 1 | 700 | Hidden files included | ||
| #2450 | WC Cancel Order | 35 | 52 | 122 | 5k+ | Non-prefixed hook name |