missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2601 | Doneren met Mollie | 36 | 420 | 351 | 4k+ | SQL query is not prepared | ||
| #2602 | Drag and Drop Multiple File Upload for Contact Form 7 | 36 | 82 | 36 | 60k+ | wp function not compatible with requires wp | ||
| #2603 | Duplicate Post – duplicate pages, copy content, clone posts | 36 | 76 | 81 | 5k+ | wp function not compatible with requires wp | ||
| #2604 | Dynamic Copyright Year | 36 | 972 | 43 | 800 | Output is not escaped | ||
| #2605 | Dynamic Front-End Heartbeat Control | 36 | 217 | 111 | 1k+ | Text Domain Mismatch | ||
| #2606 | Dynamic Visibility for Elementor | 36 | 56 | 89 | 50k+ | Non-prefixed hook name | ||
| #2607 | Easy Support Videos – Embed videos in the admin | 36 | 160 | 95 | 500 | Output is not escaped | ||
| #2608 | Product Carousel Slider for Elementor | 36 | 148 | 63 | 1k+ | Text Domain Mismatch | ||
| #2609 | Email Before Download | 36 | 89 | 29 | 6k+ | Unsafe printing function | ||
| #2610 | Endora | 36 | 53 | 72 | 1k+ | Output is not escaped | ||
| #2611 | Enormail Sign Up Forms | 36 | 133 | 126 | 400 | Output is not escaped | ||
| #2612 | Envo's Templates & Widgets for Elementor and WooCommerce | 36 | 1,065 | 54 | 10k+ | Text Domain Mismatch | ||
| #2613 | Events Manager and WPML Compatibility | 36 | 101 | 177 | 1k+ | Direct Query | ||
| #2614 | Export Variable Products | 36 | 79 | 49 | 400 | Text Domain Mismatch | ||
| #2615 | Happy WooCommerce FAQs – Ultimate Product FAQ Plugin | 36 | 65 | 119 | 1k+ | Nonce verification recommended | ||
| #2616 | FreePay for WooCommerce | 36 | 114 | 102 | 400 | Output is not escaped | ||
| #2617 | Genesis Sandbox Featured Content Widget | 36 | 229 | 24 | 1k+ | Text Domain Mismatch | ||
| #2618 | GetPaid > Wallet | 36 | 149 | 174 | 700 | Text Domain Mismatch | ||
| #2619 | Google SEO Pressor for Rich snippets | 36 | 51 | 160 | 400 | Missing nonce verification | ||
| #2620 | Google Webfont Optimizer | 36 | 45 | 49 | 700 | Output is not escaped | ||
| #2621 | Gutena Kit – Gutenberg Blocks and Templates | 36 | 39 | 87 | 1k+ | Nonce verification recommended | ||
| #2622 | Header Footer Script Adder – Insert Code in Header, Body & Footer | 36 | 203 | 78 | 1k+ | Text Domain Mismatch | ||
| #2623 | Header Footer Code Manager | 36 | 81 | 180 | 600k+ | Non-prefixed global variable | ||
| #2624 | HTML Forms – Simple WordPress Forms Plugin | 36 | 231 | 166 | 10k+ | Output is not escaped | ||
| #2625 | HTML5 Maps | 36 | 194 | 160 | 5k+ | Output is not escaped | ||
| #2626 | HTTP Requests Manager | 36 | 98 | 90 | 1k+ | Output is not escaped | ||
| #2627 | Page Speed Optimizer: HTTP/2 Push, Async JavaScript, and Defer CSS | 36 | 68 | 33 | 6k+ | Output is not escaped | ||
| #2628 | If-So Geolocation | 36 | 50 | 57 | 1k+ | Non-prefixed global variable | ||
| #2629 | Insert Headers and Footers Code – HT Script | 36 | 391 | 34 | 7k+ | Text Domain Mismatch | ||
| #2630 | Italy Cookie Choices (for EU Cookie Law & Cookie Notice) | 36 | 115 | 77 | 10k+ | Unsafe printing function | ||
| #2631 | Just TinyMCE Custom Styles | 36 | 112 | 28 | 1k+ | Missing Arg Domain | ||
| #2632 | Leartes TRY Exchange Rates | 36 | 250 | 27 | 500 | Text Domain Mismatch | ||
| #2633 | Legal Text Connector of the IT-Recht Kanzlei | 36 | 45 | 46 | 10k+ | Exception output is not escaped | ||
| #2634 | Libro de Reclamaciones y Quejas | 36 | 266 | 124 | 4k+ | Text Domain Mismatch | ||
| #2635 | Linkable Title Html and Php Widget | 36 | 108 | 31 | 600 | Output is not escaped | ||
| #2636 | Login as User | 36 | 101 | 64 | 30k+ | Output is not escaped | ||
| #2637 | LONG URL MAKER | 36 | 39 | 71 | 1k+ | Direct Query | ||
| #2638 | LocalWeb All In One | 36 | 34 | 297 | 5k+ | Non-prefixed global variable | ||
| #2639 | MailMunch – Grow your Email List | 36 | 102 | 49 | 6k+ | Output is not escaped | ||
| #2640 | Manage Notification E-mails | 36 | 129 | 98 | 100k+ | Non-prefixed function | ||
| #2641 | Materialis Companion | 36 | 129 | 67 | 6k+ | Unsafe printing function | ||
| #2642 | Media Deduper | 36 | 60 | 99 | 9k+ | Missing Arg Domain | ||
| #2643 | Microsoft Clarity | 36 | 48 | 163 | 200k+ | Nonce verification recommended | ||
| #2644 | Mobile Menu Builder for WordPress | 36 | 81 | 33 | 600 | Output is not escaped | ||
| #2645 | Motors VIN Decoder | 36 | 87 | 88 | 400 | Output is not escaped | ||
| #2646 | 코드엠샵 마이사이트 – MSHOP MY SITE | 36 | 58 | 55 | 800 | Output is not escaped | ||
| #2647 | Multiple Sidebars | 36 | 109 | 75 | 600 | Non Singular String Literal Domain | ||
| #2648 | WP Sticky Sidebar – Floating Sidebar On Scroll for Any Theme | 36 | 93 | 84 | 10k+ | Non-prefixed global variable | ||
| #2649 | News Ticker for Elementor | 36 | 76 | 57 | 2k+ | Text Domain Mismatch | ||
| #2650 | NextGEN Custom Fields | 36 | 215 | 131 | 1k+ | SQL query is not prepared |