missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2501 | WP GPX Maps | 35 | 27 | 100 | 4k+ | Non-prefixed global variable | ||
| #2502 | WPGraphQL | 35 | 10 | 86 | 30k+ | Non-prefixed hook name | ||
| #2503 | WP Hydra | 35 | 10 | 18 | 1k+ | Input is not sanitized | ||
| #2504 | WP-KaTeX | 35 | 14 | 8 | 800 | Missing direct file access protection | ||
| #2505 | WP-LESS | 35 | 16 | 8 | 10k+ | Missing direct file access protection | ||
| #2506 | WP Login and Logout Redirect | 35 | 16 | 6 | 6k+ | Text Domain Mismatch | ||
| #2507 | Mail logging – WP Mail Catcher | 35 | 232 | 157 | 20k+ | Text Domain Mismatch | ||
| #2508 | WP Mailto Links – Protect Email Addresses | 35 | 95 | 69 | 8k+ | Output is not escaped | ||
| #2509 | WP-Markdown | 35 | 31 | 39 | 400 | Output is not escaped | ||
| #2510 | WP Menu Custom Fields | 35 | 11 | 6 | 600 | Hidden files included | ||
| #2511 | WP Instant Feeds | 35 | 19 | 12 | 6k+ | Output is not escaped | ||
| #2512 | WP Open Street Map | 35 | 59 | 111 | 3k+ | Input is not validated | ||
| #2513 | WP-PageNavi | 35 | 84 | 95 | 500k+ | Non Singular String Literal Domain | ||
| #2514 | WP-Paginate | 35 | 37 | 55 | 20k+ | Input is not validated | ||
| #2515 | Parse.ly | 35 | 15 | 44 | 1k+ | Non-prefixed hook name | ||
| #2516 | WP-Persian | 35 | 144 | 37 | 7k+ | Unsafe printing function | ||
| #2517 | WP PGP Encrypted Emails | 35 | 63 | 39 | 400 | Output is not escaped | ||
| #2518 | WP Post Series | 35 | 10 | 9 | 600 | Non-prefixed global variable | ||
| #2519 | WP-PostViews | 35 | 132 | 64 | 100k+ | Unsafe printing function | ||
| #2520 | WP-Print | 35 | 110 | 52 | 8k+ | Unsafe printing function | ||
| #2521 | WP All Import – Property Import for WP Residence | 35 | 41 | 32 | 700 | Output is not escaped | ||
| #2522 | video carousel slider with lightbox | 35 | 350 | 136 | 1k+ | Output is not escaped | ||
| #2523 | WP Site Verification tool | 35 | 34 | 37 | 1k+ | Non-prefixed global variable | ||
| #2524 | WP Spam Question Filter | 35 | 63 | 30 | 2k+ | Output is not escaped | ||
| #2525 | Subresource Integrity (SRI) Manager | 35 | 26 | 94 | 900 | Request data is not unslashed | ||
| #2526 | WP System Information | 35 | 237 | 30 | 700 | Text Domain Mismatch | ||
| #2527 | WP To Top | 35 | 30 | 29 | 1k+ | Non-prefixed global variable | ||
| #2528 | WP Updates Notifier | 35 | 23 | 4 | 30k+ | Missing Translators Comment | ||
| #2529 | WP-ViperGB | 35 | 127 | 68 | 400 | Output is not escaped | ||
| #2530 | WP-Yomigana | 35 | 17 | 15 | 2k+ | Output is not escaped | ||
| #2531 | WPCore Plugin Manager | 35 | 118 | 38 | 9k+ | Text Domain Mismatch | ||
| #2532 | WPD Beaver Builder Additions | 35 | 406 | 35 | 600 | Non Singular String Literal Domain | ||
| #2533 | WP Views Counter | 35 | 81 | 42 | 2k+ | Output is not escaped | ||
| #2534 | WPFront User Role Editor | 35 | 333 | 578 | 30k+ | Output is not escaped | ||
| #2535 | WPGraphQL for ACF | 35 | 6 | 18 | 10k+ | Output is not escaped | ||
| #2536 | WPGraphQL IDE | 35 | 38 | 18 | 1k+ | Text Domain Mismatch | ||
| #2537 | WPPerformanceTester | 35 | 94 | 44 | 1k+ | Output is not escaped | ||
| #2538 | WPZOOM Addons for Elementor – Starter Templates & Widgets | 35 | 160 | 130 | 20k+ | Output is not escaped | ||
| #2539 | WPZOOM Forms – Drag & Drop Contact Form Builder for WordPress | 35 | 74 | 109 | 10k+ | Nonce verification recommended | ||
| #2540 | WPZOOM Portfolio Lite – Filterable Portfolio Plugin | 35 | 42 | 92 | 20k+ | Non-prefixed global variable | ||
| #2541 | Writesonic | 35 | 14 | 16 | 1k+ | Non-prefixed global variable | ||
| #2542 | xili-tidy-tags | 35 | 224 | 157 | 1k+ | Output is not escaped | ||
| #2543 | XServer Migrator | 35 | 39 | 53 | 10k+ | Interpolated SQL is not prepared | ||
| #2544 | TypeSquare Webfonts for エックスサーバー | 35 | 183 | 98 | 100k+ | Missing Arg Domain | ||
| #2545 | XT Event Widget for Social Events | 35 | 3 | 55 | 800 | Non-prefixed global variable | ||
| #2546 | Yabe Webfont – Use Custom Fonts, Google Fonts or Adobe Fonts | 35 | 48 | 114 | 5k+ | Non-prefixed hook name | ||
| #2547 | Yes/No Chart | 35 | 136 | 139 | 2k+ | Unsafe printing function | ||
| #2548 | YML for Yandex Market | 35 | 18 | 288 | 10k+ | Non-prefixed global variable | ||
| #2549 | Year Make Model Search for WooCommerce | 35 | 188 | 162 | 1k+ | Output is not escaped | ||
| #2550 | Comment Experience by Progress Planner | 35 | 135 | 8 | 500 | Text Domain Mismatch |