missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
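The guard from How to Fix combined with the routing advice in Notes, as an added example that is not taken from Plugin Check or from any plugin listed here. The file name, the `myplugin` prefix, the route, the capability and the option name are all hypothetical.

```php
<?php
/**
 * Hypothetical file: my-plugin/includes/export-endpoint.php (added example).
 */

// Guard first: when this file is requested by path, WordPress has not been
// bootstrapped, ABSPATH is undefined, and execution stops before any work
// is done or any output is sent.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// Deliberately public functionality is exposed through the REST API instead
// of a directly requestable PHP file, so WordPress is fully loaded first.
add_action( 'rest_api_init', 'myplugin_register_export_route' );

function myplugin_register_export_route() {
	register_rest_route(
		'myplugin/v1',
		'/export',
		array(
			'methods'             => 'GET',
			'callback'            => 'myplugin_export',
			// Explicit request validation: the capability is an assumption.
			'permission_callback' => function () {
				return current_user_can( 'manage_options' );
			},
			'args'                => array(
				'format' => array(
					'default'           => 'json',
					'sanitize_callback' => 'sanitize_key',
					// Reject anything outside the allowed formats.
					'validate_callback' => function ( $value ) {
						return in_array( $value, array( 'json', 'csv' ), true );
					},
				),
			),
		)
	);
}

function myplugin_export( WP_REST_Request $request ) {
	// get_option() is safe to call here because WordPress loaded this file.
	return rest_ensure_response(
		array(
			'format'   => $request->get_param( 'format' ),
			'settings' => get_option( 'myplugin_settings', array() ),
		)
	);
}
```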

Affected Plugins

| Rank | Plugin | Score / Errors / Warnings / Installs | Added | Updated | Top Issue |
| --- | --- | --- | --- | --- | --- |
| #2751 | Custom Product Tabs for WooCommerce | 36878180k+ | | | Output is not escaped |
| #2752 | Zarinpal Gateway | 361515550k+ | | | Non Singular String Literal Domain |
| #2753 | Zeno – AI-Powered Chatbot | 36311131500 | | | Text Domain Mismatch |
| #2754 | 360 Javascript Viewer | 37144221k+ | | | Output is not escaped |
| #2755 | Redirectioner | 372344101k+ | | | Output is not escaped |
| #2756 | ACF: TablePress | 37160451k+ | | | Text Domain Mismatch |
| #2757 | Adapta RGPD | 373497240k+ | | | Text Domain Mismatch |
| #2758 | Adaptive Images for WordPress | 3751753k+ | | | Output is not escaped |
| #2759 | Add From Server | 37522060k+ | | | Output is not escaped |
| #2760 | AddToAny Share Buttons | 37123164300k+ | | | Unsafe printing function |
| #2761 | Advanced Accordion Gutenberg Block – Create Beautiful FAQs, Content Accordions & Interactive Tabs | 37403610k+ | | | Missing direct file access protection |
| #2762 | Advanced Custom Fields: NextGEN Gallery Field add-on | 3713120400 | | | Output is not escaped |
| #2763 | PiWeb Advanced Flat rate / Conditional shipping for WooCommerce | 37841922k+ | | | wp function not compatible with requires wp |
| #2764 | Advanced Media Offloader | 3759935k+ | | | error log error log |
| #2765 | Agreeable | 374067800 | | | Unsafe printing function |
| #2766 | AJAX Hits Counter + Popular Posts Widget | 37247441k+ | | | Output is not escaped |
| #2767 | Analytics Spam Blocker | 377622800 | | | Unsafe printing function |
| #2768 | All-in-one Chat Button by anychat.one | 3711969900 | | | Text Domain Mismatch |
| #2769 | Anything Popup | 371641852k+ | | | Non-prefixed global variable |
| #2770 | Async JS and CSS | 37901700 | | | Text Domain Mismatch |
| #2771 | Login by Auth0 | 373078210k+ | | | Text Domain Mismatch |
| #2772 | Avatar Privacy | 3782361k+ | | | Missing direct file access protection |
| #2773 | Random Posts and Pages Widget | 37322151k+ | | | Output is not escaped |
| #2774 | AZAN Plugin | 374430500 | | | Output is not escaped |
| #2775 | Custom Thank You Page Customize For WooCommerce by Binary Carpenter | 3745802k+ | | | error log error log |
| #2776 | Before After Image Comparison Slider for Elementor | 37904110k+ | | | Text Domain Mismatch |
| #2777 | Bellows Accordion Menu | 371602810k+ | | | Text Domain Mismatch |
| #2778 | Better Click To Share – Shareable Quote Boxes for X (Twitter) | 37170596k+ | | | Unsafe printing function |
| #2779 | Blimply | 3717243800 | | | Text Domain Mismatch |
| #2780 | Blog News Addons For Elementor (News, Magazine and Blog Addons) | 3723296400 | | | Non-prefixed global variable |
| #2781 | Customize WordPress Emails and Alerts – Better Notifications for WP | 37644730k+ | | | Missing Arg Domain |
| #2782 | Booster Extension | 37282897k+ | | | Non-prefixed global variable |
| #2783 | Britetechs Companion | 379666132k+ | | | Text Domain Mismatch |
| #2784 | BuddyPress Members Only | 37184801k+ | | | Text Domain Mismatch |
| #2785 | bunny.net – WordPress CDN Plugin | 3716515910k+ | | | Output is not escaped |
| #2786 | Contact Zalo Report SW | 374439900 | | | Missing Arg Domain |
| #2787 | Delivery Date Time & Pickup for WooCommerce | 37148216400 | | | Output is not escaped |
| #2788 | Call Now Button – The #1 Click to Call Button for WordPress | 371,2735200k+ | | | Exception output is not escaped |
| #2789 | Carousel Upsells and Related Product for Woocommerce | 37173351k+ | | | Output is not escaped |
| #2790 | Checkout for PayPal | 3713467600 | | | Unsafe printing function |
| #2791 | Clearpay Gateway for WooCommerce | 37185631k+ | | | Text Domain Mismatch |
| #2792 | ClickCease Click Fraud Protection | 37305810k+ | | | Non-prefixed class |
| #2793 | CodePeople Post Map for Google Maps | 37257313k+ | | | Unsafe printing function |
| #2794 | Coming Soon & Maintenance Mode by Colorlib | 371001366k+ | | | Non-prefixed global variable |
| #2795 | Lightweight Subscribe To Comments | 37105701k+ | | | Unsafe printing function |
| #2796 | Constant Contact Forms by MailMunch | 37147532k+ | | | wp function not compatible with requires wp |
| #2797 | CookieAdmin – Cookie Consent Banner | 374386400k+ | | | Nonce verification recommended |
| #2798 | CorvusPay WooCommerce Payment Gateway | 37291411k+ | | | Missing nonce verification |
| #2799 | Crafty Social Buttons | 37279271k+ | | | Non Singular String Literal Domain |
| #2800 | CryptAPI Payment Gateway for WooCommerce | 3718729400 | | | Text Domain Mismatch |