missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2551Year Make Model Search for WooCommerce351881621k+Output is not escaped
#2552Comment Experience by Progress Planner351358500Text Domain Mismatch
#2553Yotpo: Product & Photo Reviews for WooCommerce35241892k+Non-prefixed function
#2554Embeds for YouTube3525530710k+Non-prefixed global variable
#25552C2P Redirect API for WooCommerce3613662900wp function not compatible with requires wp
#25563B Meteo3650761k+Output is not escaped
#2557Product Labels For Woocommerce (Sale Badges)36904810k+Output is not escaped
#2558Admin Customizer36143641k+Output is not escaped
#2559Age Verification for your checkout page. Verify your customer's identity36155238500Output is not escaped
#2560Awesome GDPR Compliant Cookie Consent and Notice36653201500Text Domain Mismatch
#2561Bard Extra3615975700Text Domain Mismatch
#2562Black Widgets For Elementor362,60819800Text Domain Mismatch
#2563Blaze Demo Importer36101948k+Output is not escaped
#2564BlockStrap Page Builder – Bootstrap Blocks3681892k+Missing direct file access protection
#2565Blog, Posts and Category Filter for Elementor36159551k+Text Domain Mismatch
#2566BP Disable Activation Reloaded3614728800Output is not escaped
#2567BP Group Documents3627195600Non-prefixed global variable
#2568BP Profile Search36321855k+Output is not escaped
#2569bpost shipping369743700Output is not escaped
#2570Breadcrumb NavXT36102111800k+Non Singular String Literal Domain
#2571BuddyMeet3611432700Unsafe printing function
#2572Bulgarisation for WooCommerce361355945k+Nonce verification recommended
#2573Bulk Post Update Date36966610k+Unsafe printing function
#2574Bus Ticket Booking with Seat Reservation36145192800Non-prefixed global variable
#2575Better WordPress Recent Comments3631969600Text Domain Mismatch
#2576Carousel Ultimate36450284700Text Domain Mismatch
#2577Carousel Horizontal Posts Content Slider36271592k+Text Domain Mismatch
#2578Cashflows for WooCommerce3611936600Text Domain Mismatch
#2579Contact Form 7 Gated Content3612236800Short PHP open tag found
#2580Multi Step for Contact Form 7366110610k+Missing nonce verification
#2581Contact Form 7 Polylang Module3632455k+Output is not escaped
#2582CloudPayments Gateway for WooCommerce3620570500Text Domain Mismatch
#2583CLP – Custom Login Page by NiteoThemes3624049700Output is not escaped
#2584CM Header and Footer – Add custom scripts and styles to your header and footer with ease362301981k+Output is not escaped
#2585CMB23614819300k+Output is not escaped
#2586Code Snippets36342031m+Nonce verification recommended
#2587ColorMeShop WordPress Plugin3639237600Exception output is not escaped
#2588Conditional Payments for WooCommerce3629218410k+Text Domain Mismatch
#2589Conditional Shipping for WooCommerce369319610k+Non-prefixed global variable
#2590Continuous Image Carousel With Lightbox362551291k+Output is not escaped
#2591CP Blocks3646381k+wp function not compatible with requires wp
#2592CSH Login3612641500Output is not escaped
#2593Custom Database Applications by Caspio363263400Input is not sanitized
#2594Custom PHP Settings361537610k+Output is not escaped
#2595Custom Category Post Order368083500Text Domain Mismatch
#2596Depicter — Popup & Slider Builder3613012180k+Exception output is not escaped
#2597DeveloPress Sticky Footer Bar3616549400Output is not escaped
#2598Different Menu in Different Pages – Conditional Menu361671134k+Text Domain Mismatch
#2599Doneren met Mollie364203514k+SQL query is not prepared
#2600Drag and Drop Multiple File Upload for Contact Form 736823660k+wp function not compatible with requires wp