missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2851OSM – OpenStreetMap371306410k+Output is not escaped
#2852Page scroll to id3738120100k+Missing nonce verification
#2853GoHero Store Customizer for WooCommerce377553600Unsafe printing function
#2854Phoenix Media Rename3717510450k+Output is not escaped
#2855Plexx Elementor Extension3758214400Text Domain Mismatch
#2856PNG to JPG371301739k+Interpolated SQL is not prepared
#2857POEditor3778140500Output is not escaped
#2858Poptics – Popup Builder, Email Opt-ins, Exit-Intent & WooCommerce Popups Sales3759642k+SQL query is not prepared
#2859Post Terms Order – per Post based3770362k+Output is not escaped
#2860Product Image Hover Effects WOOC – WPSHARE2473716194800Output is not escaped
#2861Publish to Schedule37195434k+Text Domain Mismatch
#2862PublishPress Statuses – Custom Post Status and Workflow37231781k+Missing Arg Domain
#2863Quantities and Units for WooCommerce371331181k+Output is not escaped
#2864Quick Restaurant Menu37136401k+Text Domain Mismatch
#2865rapidmail: Newsletter & E-Mail Marketing for WooCommerce377947400Text Domain Mismatch
#2866Recent Posts Widget With Thumbnails3722246100k+Output is not escaped
#2867resmio button & widget379936400Text Domain Mismatch
#2868Reusable Content Blocks37349144k+Text Domain Mismatch
#2869Rich Table of Contents372625720k+Output is not escaped
#2870Robots & Sitemap3719928500Text Domain Mismatch
#2871RSS for Yandex Zen372401004k+Unsafe printing function
#2872RSS Image Feed37147162k+Output is not escaped
#2873Ryviu – Review Importer & Product Reviews3772951k+Output is not escaped
#2874SB RSS feed plus37172241k+Output is not escaped
#2875Scroll Back To Top371491210k+Output is not escaped
#2876Send PDF for Contact Form 737223089k+Non-prefixed global variable
#2877SendWP37474210k+Output is not escaped
#2878Sensei LMS Certificates37973624k+Non-prefixed global variable
#2879Sezzle Woocommerce Payment371081051k+Text Domain Mismatch
#2880Snippet Shortcodes373591334k+Non Singular String Literal Domain
#2881Shortcoder — Create Shortcodes for Anything372570100k+Non-prefixed global variable
#2882Weaver Show Sliders37177132900Text Domain Mismatch
#2883Simple Image XML Sitemap37119161k+Output is not escaped
#2884Skimlinks Affiliate Marketing Tool378419800wp function not compatible with requires wp
#2885Slider Pro37782601k+Non-prefixed global variable
#2886Smart Send Logistics379281400Output is not escaped
#2887Social Comments375932400Output is not escaped
#2888Spam Destroyer3763436k+rand rand
#2889StagTools37476531k+Text Domain Mismatch
#2890Website Pop-up Builder by BDOW! (formerly Sumo): Pop-ups + forms for email opt-ins and lead generation37423310k+Output is not escaped
#2891SuperCPT3717227600Output is not escaped
#2892Super Simple Site Offline37115596k+Text Domain Mismatch
#2893Swifty Bar, sticky bar by WPGens3711281400Output is not escaped
#2894TelSender – Сontact form 7, Events, Wpforms, ninja forms and woocommerce to telegram bot3748406k+Unsafe printing function
#2895Theme Builder For Elementor37477282k+Text Domain Mismatch
#2896Tracking Script Manager3782572k+Non Singular String Literal Domain
#2897Ultimate WordPress Auction Plugin376231461k+Text Domain Mismatch
#2898Landing Page Builder – Free Landing Page Templates37329111600Output is not escaped
#2899Ultimate Tag Cloud Widget37715164k+Output is not escaped
#2900User Meta Display377874500Output is not escaped