missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2501WP GPX Maps35271004k+Non-prefixed global variable
#2502WPGraphQL35108630k+Non-prefixed hook name
#2503WP Hydra3510181k+Input is not sanitized
#2504WP-KaTeX35148800Missing direct file access protection
#2505WP-LESS3516810k+Missing direct file access protection
#2506WP Login and Logout Redirect351666k+Text Domain Mismatch
#2507Mail logging – WP Mail Catcher3523215720k+Text Domain Mismatch
#2508WP Mailto Links – Protect Email Addresses3595698k+Output is not escaped
#2509WP-Markdown353139400Output is not escaped
#2510WP Menu Custom Fields35116600Hidden files included
#2511WP Instant Feeds3519126k+Output is not escaped
#2512WP Open Street Map35591113k+Input is not validated
#2513WP-PageNavi358495500k+Non Singular String Literal Domain
#2514WP-Paginate35375520k+Input is not validated
#2515Parse.ly3515441k+Non-prefixed hook name
#2516WP-Persian35144377k+Unsafe printing function
#2517WP PGP Encrypted Emails356339400Output is not escaped
#2518WP Post Series35109600Non-prefixed global variable
#2519WP-PostViews3513264100k+Unsafe printing function
#2520WP-Print35110528k+Unsafe printing function
#2521WP All Import – Property Import for WP Residence354132700Output is not escaped
#2522video carousel slider with lightbox353501361k+Output is not escaped
#2523WP Site Verification tool3534371k+Non-prefixed global variable
#2524WP Spam Question Filter3563302k+Output is not escaped
#2525Subresource Integrity (SRI) Manager352694900Request data is not unslashed
#2526WP System Information3523730700Text Domain Mismatch
#2527WP To Top3530291k+Non-prefixed global variable
#2528WP Updates Notifier3523430k+Missing Translators Comment
#2529WP-ViperGB3512768400Output is not escaped
#2530WP-Yomigana3517152k+Output is not escaped
#2531WPCore Plugin Manager35118389k+Text Domain Mismatch
#2532WPD Beaver Builder Additions3540635600Non Singular String Literal Domain
#2533WP Views Counter3581422k+Output is not escaped
#2534WPFront User Role Editor3533357830k+Output is not escaped
#2535WPGraphQL for ACF3561810k+Output is not escaped
#2536WPGraphQL IDE3538181k+Text Domain Mismatch
#2537WPPerformanceTester3594441k+Output is not escaped
#2538WPZOOM Addons for Elementor – Starter Templates & Widgets3516013020k+Output is not escaped
#2539WPZOOM Forms – Drag & Drop Contact Form Builder for WordPress357410910k+Nonce verification recommended
#2540WPZOOM Portfolio Lite – Filterable Portfolio Plugin35429220k+Non-prefixed global variable
#2541Writesonic3514161k+Non-prefixed global variable
#2542xili-tidy-tags352241571k+Output is not escaped
#2543XServer Migrator35395310k+Interpolated SQL is not prepared
#2544TypeSquare Webfonts for エックスサーバー3518398100k+Missing Arg Domain
#2545XT Event Widget for Social Events35355800Non-prefixed global variable
#2546Yabe Webfont – Use Custom Fonts, Google Fonts or Adobe Fonts35481145k+Non-prefixed hook name
#2547Yes/No Chart351361392k+Unsafe printing function
#2548YML for Yandex Market351828810k+Non-prefixed global variable
#2549Year Make Model Search for WooCommerce351881621k+Output is not escaped
#2550Comment Experience by Progress Planner351358500Text Domain Mismatch