missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2451Wavy Divider35101700Hidden files included
#2452WC Cancel Order35521225k+Non-prefixed hook name
#2453Deliver via Shipos for WooCommerce351178600Nonce verification recommended
#2454ShipStation Live Rates for WooCommerce3540273900Non Singular String Literal Domain
#2455Spreadconnect35128126700Output is not escaped
#2456WC Ukraine Shipping – Integration of Nova Poshta and Ukrposhta for WooCommerce355041647k+Text Domain Mismatch
#2457Webflow Pages3536632k+Non Singular String Literal Domain
#2458Converter for Media – Optimize images | Convert WebP & AVIF3513153500k+curl curl setopt
#2459WEDOS OnLine monitoring353615700Output is not escaped
#2460wePOS – Point Of Sale (POS) for WooCommerce & Dokan3547662k+Output is not escaped
#2461What The File3591240k+Input is not sanitized
#2462All-in-One Addons for Elementor – WidgetKit35603118k+Non-prefixed global variable
#2463Wild Apricot Login358830800Non Singular String Literal Domain
#2464Wired Impact Volunteer Management352531751k+Output is not escaped
#2465Open Graph and Twitter Card Tags35152750k+error log error log
#2466Asaas Gateway for WooCommerce35121098k+Non-prefixed global variable
#2467CardCom Payment Gateway35201843k+Text Domain Mismatch
#2468Sola Payment Gateway for WooCommerce35107116700Missing Translators Comment
#2469Custom Payment Gateways for WooCommerce35202313k+Non Singular String Literal Domain
#2470Require Login for WooCommerce351062k+wp function not compatible with requires wp
#2471Backend Payments for WooCommerce356342900Exception output is not escaped
#2472Save and Share Cart for WooCommerce3512551600Text Domain Mismatch
#2473DPD Baltic Shipping35912022k+Text Domain Mismatch
#2474Title Limit for WooCommerce3541124k+Output is not escaped
#2475Abandoned Cart Lite for WooCommerce358416120k+Non-prefixed global variable
#2476Checkout Terms Conditions Popup for WooCommerce3576301k+Output is not escaped
#2477Conversion Tracking for WooCommerce35746120k+Output is not escaped
#2478Japanized for WooCommerce3566810k+Non-prefixed class
#2479Pixel Manager for WooCommerce – Conversion Tracking, Google Ads, GA4, TikTok, Dynamic Remarketing355023650k+Non-prefixed hook name
#2480Custom Payment Gateway for WooCommerce3511128k+Missing nonce verification
#2481Payment Gateway for PayPal Pro & PayPal Checkout for WooCommerce35671471k+Request data is not unslashed
#2482Brevo for WooCommerce351166730k+Output is not escaped
#2483Wholesale Suite – B2B, Dynamic Pricing & WooCommerce Wholesale Prices35225220k+Direct Query
#2484Kybernaut IČO DIČ3579682k+Missing nonce verification
#2485Easy Accept Payments via PayPal353221287k+Text Domain Mismatch
#2486Access Areas for WordPress351795400Direct Query
#2487WP All Export – Drag & Drop Export to Any Custom CSV, XML & Excel354110100k+wp function not compatible with requires wp
#2488WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets353522100k+Missing direct file access protection
#2489WP Associate Post R235259863k+Output is not escaped
#2490Bitly's WordPress Plugin356232k+Non-prefixed function
#2491WP Cassify35106143700Missing nonce verification
#2492Category Dropdown by GCS Design3593521k+Output is not escaped
#2493WP Content Copy Protection35761110k+Text Domain Mismatch
#2494Countdown Block35521k+Hidden files included
#2495WP-Cron Status Checker352401115k+Text Domain Mismatch
#2496Custom Body Class353910110k+Non-prefixed global variable
#2497WP Datepicker352251817k+Output is not escaped
#2498WP Flexslider35157600Unsafe printing function
#2499WP Geo3518084900Output is not escaped
#2500Auto Publish for Google My Business3521619210k+Input is not validated