missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2951 | Alphabetic Pagination | 38 | 144 | 117 | 500 | Unsafe printing function | ||
| #2952 | Announcement Bar | 38 | 192 | 61 | 3k+ | Non Singular String Literal Domain | ||
| #2953 | Any Mobile Theme Switcher | 38 | 69 | 59 | 20k+ | Output is not escaped | ||
| #2954 | Aplazame | 38 | 34 | 39 | 600 | Non-prefixed global variable | ||
| #2955 | Attachments | 38 | 238 | 66 | 8k+ | Unsafe printing function | ||
| #2956 | Audio Story Images | 38 | 46 | 44 | 400 | Output is not escaped | ||
| #2957 | Author Category | 38 | 85 | 25 | 4k+ | Output is not escaped | ||
| #2958 | Auto Prune Posts | 38 | 54 | 57 | 1k+ | Output is not escaped | ||
| #2959 | Autologin Links | 38 | 73 | 74 | 8k+ | Output is not escaped | ||
| #2960 | bbPress Login Register Links On Forum Topic Pages | 38 | 142 | 36 | 600 | Text Domain Mismatch | ||
| #2961 | Beauty Form Styler for Gravity Forms | 38 | 70 | 93 | 600 | Output is not escaped | ||
| #2962 | Before After Image Comparison Slider for Elementor | 38 | 63 | 36 | 10k+ | Text Domain Mismatch | ||
| #2963 | Bible Verse of the Day | 38 | 378 | 23 | 3k+ | Unsafe printing function | ||
| #2964 | SoftTech-IT bKash, Rocket, Nagad | 38 | 164 | 81 | 6k+ | Text Domain Mismatch | ||
| #2965 | Blogger Importer | 38 | 44 | 39 | 50k+ | Output is not escaped | ||
| #2966 | Bot Block – Stop Spam Referrals in Google Analytics | 38 | 28 | 42 | 600 | Output is not escaped | ||
| #2967 | BuddyPress Follow | 38 | 114 | 67 | 1k+ | Text Domain Mismatch | ||
| #2968 | Bulgarisation for WooCommerce | 38 | 129 | 592 | 5k+ | Nonce verification recommended | ||
| #2969 | Cache Warmer | 38 | 32 | 219 | 1k+ | Interpolated SQL is not prepared | ||
| #2970 | Car Route Planner Plugin | 38 | 135 | 17 | 400 | Output is not escaped | ||
| #2971 | Certificate Verification | 38 | 33 | 40 | 1k+ | Output is not escaped | ||
| #2972 | WPAppsDev – CF7 Form Submission Limit | 38 | 104 | 33 | 1k+ | Text Domain Mismatch | ||
| #2973 | Contact Form 7 – Post Fields | 38 | 167 | 25 | 3k+ | Text Domain Mismatch | ||
| #2974 | Classic Editor Plus – WordPress Classic Editor plugin by Felix | 38 | 83 | 42 | 500 | Text Domain Mismatch | ||
| #2975 | Clever Mega Menu for Visual Composer | 38 | 500 | 87 | 1k+ | Output is not escaped | ||
| #2976 | Clever Mega Menu for Elementor | 38 | 835 | 44 | 1k+ | Output is not escaped | ||
| #2977 | Chatbot for WordPress by Collect.chat ⚡️ | 38 | 58 | 36 | 6k+ | Unsafe printing function | ||
| #2978 | Colorlib 404 Customizer | 38 | 65 | 15 | 6k+ | Missing direct file access protection | ||
| #2979 | Country Code Selector | 38 | 91 | 20 | 1k+ | Unsafe printing function | ||
| #2980 | country-redirect | 38 | 58 | 19 | 400 | Text Domain Mismatch | ||
| #2981 | Crop-Thumbnails | 38 | 33 | 27 | 40k+ | Missing direct file access protection | ||
| #2982 | One page checkout and layouts for woocommerce | 38 | 83 | 52 | 3k+ | Non-prefixed global variable | ||
| #2983 | Custom post type templates for Elementor | 38 | 289 | 33 | 700 | Text Domain Mismatch | ||
| #2984 | Customize Posts | 38 | 31 | 77 | 1k+ | Non-prefixed hook name | ||
| #2985 | Login Page Customizer – Customize Login Screen & Branding | 38 | 36 | 172 | 1k+ | Non-prefixed function | ||
| #2986 | Darkify – Dark Mode & Night Mode for Website & Admin (Dark Theme Included) | 38 | 38 | 183 | 600 | Non-prefixed global variable | ||
| #2987 | Datafeedr Comparison Sets | 38 | 450 | 53 | 3k+ | Output is not escaped | ||
| #2988 | Decent Comments | 38 | 93 | 28 | 2k+ | Output is not escaped | ||
| #2989 | Responsive Pricing Table | 38 | 309 | 105 | 10k+ | Non Singular String Literal Domain | ||
| #2990 | Product Badge, Label, Countdown Timer for WooCommerce – Sale Booster | 38 | 37 | 98 | 5k+ | Interpolated SQL is not prepared | ||
| #2991 | Easy WP Cleaner | 38 | 58 | 124 | 2k+ | Non-prefixed global variable | ||
| #2992 | Easy Yandex Metrica | 38 | 97 | 48 | 900 | Output is not escaped | ||
| #2993 | Elemailer Lite – Elementor email template & campaign builder | 38 | 44 | 50 | 5k+ | Output is not escaped | ||
| #2994 | Erident Custom Login and Dashboard | 38 | 122 | 28 | 8k+ | Unsafe printing function | ||
| #2995 | EU Cookie Law Compliance | 38 | 151 | 22 | 2k+ | Non Singular String Literal Domain | ||
| #2996 | Export to Blogger | 38 | 47 | 117 | 900 | Non-prefixed global variable | ||
| #2997 | Export User Data | 38 | 187 | 62 | 6k+ | Text Domain Mismatch | ||
| #2998 | Buttonizer – Social Media Share Buttons, Social Icons, & Social Feeds | 38 | 167 | 82 | 50k+ | Output is not escaped | ||
| #2999 | Social Photo Fetcher | 38 | 151 | 43 | 1k+ | Output is not escaped | ||
| #3000 | Social Shop for WooCommerce | 38 | 51 | 24 | 800 | Output is not escaped |