missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or execute code that assumes WordPress functions, permission checks, and request context are already loaded.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.
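
An added example, not part of the original page and not Plugin Check's own logic: a Python scan that lists the PHP files in a plugin directory whose first executable statement is not an ABSPATH guard. The accepted guard spellings, the allowed preamble statements, and the sample file names and contents are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: accepted guard spellings are common WordPress idioms, not Plugin Check's rules.
GUARD = re.compile(
    r"""(?:if\s*\(\s*!\s*defined\s*\(\s*['"]ABSPATH['"]\s*\)\s*\)\s*\{?\s*(?:exit|die)\b
      | defined\s*\(\s*['"]ABSPATH['"]\s*\)\s*(?:\|\||or)\s*(?:exit|die)\b)""",
    re.VERBOSE | re.IGNORECASE)
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)
# Statements allowed before the guard because they execute no plugin logic.
PREAMBLE = re.compile(r"(?:declare\s*\([^)]*\)|namespace\s+[\w\\]+|use\s+[^;]+)\s*;", re.I)

def has_early_guard(source):
    """True if the first executable statement after <?php is an ABSPATH guard."""
    opened = re.match(r"\ufeff?<\?php\b", source, re.I)
    if not opened:
        return False  # output precedes PHP, or the file has no opening tag
    code = COMMENTS.sub("", source[opened.end():]).lstrip()
    while (pre := PREAMBLE.match(code)):
        code = code[pre.end():].lstrip()
    return bool(GUARD.match(code))

def unguarded_files(plugin_dir):
    """Relative paths of .php files under plugin_dir that lack an early guard."""
    root = Path(plugin_dir)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*.php")
                  if not has_early_guard(p.read_text(encoding="utf-8", errors="replace")))

# Constructed sample plugin tree (hypothetical file names and contents).
SAMPLES = {
    "my-plugin.php": "<?php\n/**\n * Plugin Name: Example\n */\nif ( ! defined( 'ABSPATH' ) ) {\n\texit;\n}\n",
    "includes/class-api.php": "<?php\ndeclare(strict_types=1);\nnamespace Ex\\Api;\n\ndefined( 'ABSPATH' ) || exit;\nclass Api {}\n",
    "templates/row.php": "<?php // partial with no guard\necho esc_html( $row['title'] );\n",
    "includes/late.php": "<?php\nrequire __DIR__ . '/helpers.php';\nif ( ! defined( 'ABSPATH' ) ) { exit; }\n",
}

def demo():
    """Write the constructed tree to a temp dir and return the flagged files."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLES.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return unguarded_files(tmp)

if __name__ == "__main__":
    print(demo())
```

The `includes/late.php` sample is flagged even though it contains a guard, because the `require` runs before the guard is reached.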

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue
#2701Plugin Name: Traffic Counter Widget Plugin3671107600Output is not escaped
#2702Zoho ZeptoMail36321105k+Request data is not unslashed
#2703TrustMate.io – WooCommerce integration36251973k+Output is not escaped
#2704FOMO & Social Proof Notifications by TrustPulse – Best WordPress FOMO Plugin361043910k+Output is not escaped
#2705Ubigeo de Perú para Woocommerce y WordPress361912354k+Non-prefixed function
#2706Slider Ultimate3629480500Output is not escaped
#2707underConstruction36986040k+Unsafe printing function
#2708PDF Flipbook, WPBakery Addon – Unreal FlipBook36400921k+Non Singular String Literal Domain
#2709User Roles and Capabilities362271328k+Output is not escaped
#2710Virtual Classroom – Video Conferencing & Online Meeting with BigBlueButton3647138400Nonce verification recommended
#2711Wanderlust OCA para WooCommerce3615755500Text Domain Mismatch
#2712WC Builder – WooCommerce Page Builder for WPBakery36647501k+Text Domain Mismatch
#2713Payments via PayMongo for WooCommerce3639811k+Nonce verification recommended
#2714WC Pickup Store36245522k+Output is not escaped
#2715Quantity Plus Minus Button for WooCommerce36838410k+Output is not escaped
#2716Shipping with Venipak for WooCommerce36239611k+Text Domain Mismatch
#2717AWPLife Weather Effects36196984k+Non-prefixed global variable
#2718When Last Login365212350k+Non-prefixed global variable
#2719Widget Indicadores Económicos (Chile)365320500Output is not escaped
#2720Disable Payment Methods based on cart conditions for WooCommerce36158571k+Non Singular String Literal Domain
#2721Custom Add to Cart Button Label and Link for WooCommerce363711123k+Text Domain Mismatch
#2722Guaranteed Reviews Company (Société des Avis Garantis)363691971k+Output is not escaped
#2723Rabo Smart Pay for WooCommerce3614754600Text Domain Mismatch
#2724Extended Coupon Features for WooCommerce FREE362196310k+Text Domain Mismatch
#2725Eway Payments for Woo36525403k+Text Domain Mismatch
#2726Hide admin notices – Admin Notification Center36114678k+Output is not escaped
#2727WP Better Permalinks36110591k+Output is not escaped
#2728WP-Cleanup367929400Output is not escaped
#2729Export Themes36122902k+Non-prefixed constant
#2730WP Counter368643800Output is not escaped
#2731WP Custom Cursors | WordPress Cursor Plugin366913909k+Text Domain Mismatch
#2732WP-EMail36340951k+Unsafe printing function
#2733WP Header Images361741336k+Unsafe printing function
#2734WP Hotel Booking WooCommerce3693991k+Output is not escaped
#2735WP LaTeX3610312700Output is not escaped
#2736WP Mail36202201500Output is not escaped
#2737Payment Button for PayPal36155864k+Unsafe printing function
#2738WP Publication Archive3619764400Text Domain Mismatch
#2739WP Show Posts3610710270k+Output is not escaped
#2740WP Socializer – Simple & Easy Social Media Share Icons362145110k+Output is not escaped
#2741WP Stripe Checkout361981181k+Unsafe printing function
#2742WP Super Edit36351852k+Nonce verification recommended
#2743Yandex.Metrica36763060k+Output is not escaped
#2744WPAvatar3642545700Unsafe printing function
#2745WP fail2ban Blocklist3661633k+SQL query is not prepared
#2746WPLMS H5P361111061k+Text Domain Mismatch
#2747Wppao Sitemap36128219k+Output is not escaped
#2748wpShopGermany IT-RECHT KANZLEI363747500Input is not sanitized
#2749Database Snapshots – WPvivid36661081k+Direct Query
#2750YayExtra – WooCommerce Extra Product Options36114721k+Non-prefixed global variable