missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2451 | Wavy Divider | 35 | 10 | 1 | 700 | Hidden files included | ||
| #2452 | WC Cancel Order | 35 | 52 | 122 | 5k+ | Non-prefixed hook name | ||
| #2453 | Deliver via Shipos for WooCommerce | 35 | 11 | 78 | 600 | Nonce verification recommended | ||
| #2454 | ShipStation Live Rates for WooCommerce | 35 | 402 | 73 | 900 | Non Singular String Literal Domain | ||
| #2455 | Spreadconnect | 35 | 128 | 126 | 700 | Output is not escaped | ||
| #2456 | WC Ukraine Shipping – Integration of Nova Poshta and Ukrposhta for WooCommerce | 35 | 504 | 164 | 7k+ | Text Domain Mismatch | ||
| #2457 | Webflow Pages | 35 | 36 | 63 | 2k+ | Non Singular String Literal Domain | ||
| #2458 | Converter for Media – Optimize images | Convert WebP & AVIF | 35 | 131 | 53 | 500k+ | curl curl setopt | ||
| #2459 | WEDOS OnLine monitoring | 35 | 36 | 15 | 700 | Output is not escaped | ||
| #2460 | wePOS – Point Of Sale (POS) for WooCommerce & Dokan | 35 | 47 | 66 | 2k+ | Output is not escaped | ||
| #2461 | What The File | 35 | 9 | 12 | 40k+ | Input is not sanitized | ||
| #2462 | All-in-One Addons for Elementor – WidgetKit | 35 | 60 | 311 | 8k+ | Non-prefixed global variable | ||
| #2463 | Wild Apricot Login | 35 | 88 | 30 | 800 | Non Singular String Literal Domain | ||
| #2464 | Wired Impact Volunteer Management | 35 | 253 | 175 | 1k+ | Output is not escaped | ||
| #2465 | Open Graph and Twitter Card Tags | 35 | 15 | 27 | 50k+ | error log error log | ||
| #2466 | Asaas Gateway for WooCommerce | 35 | 12 | 109 | 8k+ | Non-prefixed global variable | ||
| #2467 | CardCom Payment Gateway | 35 | 201 | 84 | 3k+ | Text Domain Mismatch | ||
| #2468 | Sola Payment Gateway for WooCommerce | 35 | 107 | 116 | 700 | Missing Translators Comment | ||
| #2469 | Custom Payment Gateways for WooCommerce | 35 | 202 | 31 | 3k+ | Non Singular String Literal Domain | ||
| #2470 | Require Login for WooCommerce | 35 | 10 | 6 | 2k+ | wp function not compatible with requires wp | ||
| #2471 | Backend Payments for WooCommerce | 35 | 63 | 42 | 900 | Exception output is not escaped | ||
| #2472 | Save and Share Cart for WooCommerce | 35 | 125 | 51 | 600 | Text Domain Mismatch | ||
| #2473 | DPD Baltic Shipping | 35 | 91 | 202 | 2k+ | Text Domain Mismatch | ||
| #2474 | Title Limit for WooCommerce | 35 | 41 | 12 | 4k+ | Output is not escaped | ||
| #2475 | Abandoned Cart Lite for WooCommerce | 35 | 84 | 161 | 20k+ | Non-prefixed global variable | ||
| #2476 | Checkout Terms Conditions Popup for WooCommerce | 35 | 76 | 30 | 1k+ | Output is not escaped | ||
| #2477 | Conversion Tracking for WooCommerce | 35 | 74 | 61 | 20k+ | Output is not escaped | ||
| #2478 | Japanized for WooCommerce | 35 | 6 | 68 | 10k+ | Non-prefixed class | ||
| #2479 | Pixel Manager for WooCommerce – Conversion Tracking, Google Ads, GA4, TikTok, Dynamic Remarketing | 35 | 50 | 236 | 50k+ | Non-prefixed hook name | ||
| #2480 | Custom Payment Gateway for WooCommerce | 35 | 11 | 12 | 8k+ | Missing nonce verification | ||
| #2481 | Payment Gateway for PayPal Pro & PayPal Checkout for WooCommerce | 35 | 67 | 147 | 1k+ | Request data is not unslashed | ||
| #2482 | Brevo for WooCommerce | 35 | 116 | 67 | 30k+ | Output is not escaped | ||
| #2483 | Wholesale Suite – B2B, Dynamic Pricing & WooCommerce Wholesale Prices | 35 | 22 | 52 | 20k+ | Direct Query | ||
| #2484 | Kybernaut IČO DIČ | 35 | 79 | 68 | 2k+ | Missing nonce verification | ||
| #2485 | Easy Accept Payments via PayPal | 35 | 322 | 128 | 7k+ | Text Domain Mismatch | ||
| #2486 | Access Areas for WordPress | 35 | 17 | 95 | 400 | Direct Query | ||
| #2487 | WP All Export – Drag & Drop Export to Any Custom CSV, XML & Excel | 35 | 41 | 10 | 100k+ | wp function not compatible with requires wp | ||
| #2488 | WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets | 35 | 35 | 22 | 100k+ | Missing direct file access protection | ||
| #2489 | WP Associate Post R2 | 35 | 259 | 86 | 3k+ | Output is not escaped | ||
| #2490 | Bitly's WordPress Plugin | 35 | 6 | 23 | 2k+ | Non-prefixed function | ||
| #2491 | WP Cassify | 35 | 106 | 143 | 700 | Missing nonce verification | ||
| #2492 | Category Dropdown by GCS Design | 35 | 93 | 52 | 1k+ | Output is not escaped | ||
| #2493 | WP Content Copy Protection | 35 | 76 | 11 | 10k+ | Text Domain Mismatch | ||
| #2494 | Countdown Block | 35 | 5 | 2 | 1k+ | Hidden files included | ||
| #2495 | WP-Cron Status Checker | 35 | 240 | 111 | 5k+ | Text Domain Mismatch | ||
| #2496 | Custom Body Class | 35 | 39 | 101 | 10k+ | Non-prefixed global variable | ||
| #2497 | WP Datepicker | 35 | 225 | 181 | 7k+ | Output is not escaped | ||
| #2498 | WP Flexslider | 35 | 15 | 7 | 600 | Unsafe printing function | ||
| #2499 | WP Geo | 35 | 180 | 84 | 900 | Output is not escaped | ||
| #2500 | Auto Publish for Google My Business | 35 | 216 | 192 | 10k+ | Input is not validated |