missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2551 | Year Make Model Search for WooCommerce | 35 | 188 | 162 | 1k+ | Output is not escaped | ||
| #2552 | Comment Experience by Progress Planner | 35 | 135 | 8 | 500 | Text Domain Mismatch | ||
| #2553 | Yotpo: Product & Photo Reviews for WooCommerce | 35 | 24 | 189 | 2k+ | Non-prefixed function | ||
| #2554 | Embeds for YouTube | 35 | 255 | 307 | 10k+ | Non-prefixed global variable | ||
| #2555 | 2C2P Redirect API for WooCommerce | 36 | 136 | 62 | 900 | wp function not compatible with requires wp | ||
| #2556 | 3B Meteo | 36 | 50 | 76 | 1k+ | Output is not escaped | ||
| #2557 | Product Labels For Woocommerce (Sale Badges) | 36 | 90 | 48 | 10k+ | Output is not escaped | ||
| #2558 | Admin Customizer | 36 | 143 | 64 | 1k+ | Output is not escaped | ||
| #2559 | Age Verification for your checkout page. Verify your customer's identity | 36 | 155 | 238 | 500 | Output is not escaped | ||
| #2560 | Awesome GDPR Compliant Cookie Consent and Notice | 36 | 653 | 201 | 500 | Text Domain Mismatch | ||
| #2561 | Bard Extra | 36 | 159 | 75 | 700 | Text Domain Mismatch | ||
| #2562 | Black Widgets For Elementor | 36 | 2,608 | 19 | 800 | Text Domain Mismatch | ||
| #2563 | Blaze Demo Importer | 36 | 101 | 94 | 8k+ | Output is not escaped | ||
| #2564 | BlockStrap Page Builder – Bootstrap Blocks | 36 | 81 | 89 | 2k+ | Missing direct file access protection | ||
| #2565 | Blog, Posts and Category Filter for Elementor | 36 | 159 | 55 | 1k+ | Text Domain Mismatch | ||
| #2566 | BP Disable Activation Reloaded | 36 | 147 | 28 | 800 | Output is not escaped | ||
| #2567 | BP Group Documents | 36 | 27 | 195 | 600 | Non-prefixed global variable | ||
| #2568 | BP Profile Search | 36 | 321 | 85 | 5k+ | Output is not escaped | ||
| #2569 | bpost shipping | 36 | 97 | 43 | 700 | Output is not escaped | ||
| #2570 | Breadcrumb NavXT | 36 | 102 | 111 | 800k+ | Non Singular String Literal Domain | ||
| #2571 | BuddyMeet | 36 | 114 | 32 | 700 | Unsafe printing function | ||
| #2572 | Bulgarisation for WooCommerce | 36 | 135 | 594 | 5k+ | Nonce verification recommended | ||
| #2573 | Bulk Post Update Date | 36 | 96 | 66 | 10k+ | Unsafe printing function | ||
| #2574 | Bus Ticket Booking with Seat Reservation | 36 | 145 | 192 | 800 | Non-prefixed global variable | ||
| #2575 | Better WordPress Recent Comments | 36 | 319 | 69 | 600 | Text Domain Mismatch | ||
| #2576 | Carousel Ultimate | 36 | 450 | 284 | 700 | Text Domain Mismatch | ||
| #2577 | Carousel Horizontal Posts Content Slider | 36 | 271 | 59 | 2k+ | Text Domain Mismatch | ||
| #2578 | Cashflows for WooCommerce | 36 | 119 | 36 | 600 | Text Domain Mismatch | ||
| #2579 | Contact Form 7 Gated Content | 36 | 122 | 36 | 800 | Short PHP open tag found | ||
| #2580 | Multi Step for Contact Form 7 | 36 | 61 | 106 | 10k+ | Missing nonce verification | ||
| #2581 | Contact Form 7 Polylang Module | 36 | 32 | 45 | 5k+ | Output is not escaped | ||
| #2582 | CloudPayments Gateway for WooCommerce | 36 | 205 | 70 | 500 | Text Domain Mismatch | ||
| #2583 | CLP – Custom Login Page by NiteoThemes | 36 | 240 | 49 | 700 | Output is not escaped | ||
| #2584 | CM Header and Footer – Add custom scripts and styles to your header and footer with ease | 36 | 230 | 198 | 1k+ | Output is not escaped | ||
| #2585 | CMB2 | 36 | 148 | 19 | 300k+ | Output is not escaped | ||
| #2586 | Code Snippets | 36 | 34 | 203 | 1m+ | Nonce verification recommended | ||
| #2587 | ColorMeShop WordPress Plugin | 36 | 392 | 37 | 600 | Exception output is not escaped | ||
| #2588 | Conditional Payments for WooCommerce | 36 | 292 | 184 | 10k+ | Text Domain Mismatch | ||
| #2589 | Conditional Shipping for WooCommerce | 36 | 93 | 196 | 10k+ | Non-prefixed global variable | ||
| #2590 | Continuous Image Carousel With Lightbox | 36 | 255 | 129 | 1k+ | Output is not escaped | ||
| #2591 | CP Blocks | 36 | 46 | 38 | 1k+ | wp function not compatible with requires wp | ||
| #2592 | CSH Login | 36 | 126 | 41 | 500 | Output is not escaped | ||
| #2593 | Custom Database Applications by Caspio | 36 | 32 | 63 | 400 | Input is not sanitized | ||
| #2594 | Custom PHP Settings | 36 | 153 | 76 | 10k+ | Output is not escaped | ||
| #2595 | Custom Category Post Order | 36 | 80 | 83 | 500 | Text Domain Mismatch | ||
| #2596 | Depicter — Popup & Slider Builder | 36 | 130 | 121 | 80k+ | Exception output is not escaped | ||
| #2597 | DeveloPress Sticky Footer Bar | 36 | 165 | 49 | 400 | Output is not escaped | ||
| #2598 | Different Menu in Different Pages – Conditional Menu | 36 | 167 | 113 | 4k+ | Text Domain Mismatch | ||
| #2599 | Doneren met Mollie | 36 | 420 | 351 | 4k+ | SQL query is not prepared | ||
| #2600 | Drag and Drop Multiple File Upload for Contact Form 7 | 36 | 82 | 36 | 60k+ | wp function not compatible with requires wp |