missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2951Alphabetic Pagination38144117500Unsafe printing function
#2952Announcement Bar38192613k+Non Singular String Literal Domain
#2953Any Mobile Theme Switcher38695920k+Output is not escaped
#2954Aplazame383439600Non-prefixed global variable
#2955Attachments38238668k+Unsafe printing function
#2956Audio Story Images384644400Output is not escaped
#2957Author Category3885254k+Output is not escaped
#2958Auto Prune Posts3854571k+Output is not escaped
#2959Autologin Links3873748k+Output is not escaped
#2960bbPress Login Register Links On Forum Topic Pages3814236600Text Domain Mismatch
#2961Beauty Form Styler for Gravity Forms387093600Output is not escaped
#2962Before After Image Comparison Slider for Elementor38633610k+Text Domain Mismatch
#2963Bible Verse of the Day38378233k+Unsafe printing function
#2964SoftTech-IT bKash, Rocket, Nagad38164816k+Text Domain Mismatch
#2965Blogger Importer38443950k+Output is not escaped
#2966Bot Block – Stop Spam Referrals in Google Analytics382842600Output is not escaped
#2967BuddyPress Follow38114671k+Text Domain Mismatch
#2968Bulgarisation for WooCommerce381295925k+Nonce verification recommended
#2969Cache Warmer38322191k+Interpolated SQL is not prepared
#2970Car Route Planner Plugin3813517400Output is not escaped
#2971Certificate Verification3833401k+Output is not escaped
#2972WPAppsDev – CF7 Form Submission Limit38104331k+Text Domain Mismatch
#2973Contact Form 7 – Post Fields38167253k+Text Domain Mismatch
#2974Classic Editor Plus – WordPress Classic Editor plugin by Felix388342500Text Domain Mismatch
#2975Clever Mega Menu for Visual Composer38500871k+Output is not escaped
#2976Clever Mega Menu for Elementor38835441k+Output is not escaped
#2977Chatbot for WordPress by Collect.chat ⚡️3858366k+Unsafe printing function
#2978Colorlib 404 Customizer3865156k+Missing direct file access protection
#2979Country Code Selector3891201k+Unsafe printing function
#2980country-redirect385819400Text Domain Mismatch
#2981Crop-Thumbnails38332740k+Missing direct file access protection
#2982One page checkout and layouts for woocommerce3883523k+Non-prefixed global variable
#2983Custom post type templates for Elementor3828933700Text Domain Mismatch
#2984Customize Posts3831771k+Non-prefixed hook name
#2985Login Page Customizer – Customize Login Screen & Branding38361721k+Non-prefixed function
#2986Darkify – Dark Mode & Night Mode for Website & Admin (Dark Theme Included)3838183600Non-prefixed global variable
#2987Datafeedr Comparison Sets38450533k+Output is not escaped
#2988Decent Comments3893282k+Output is not escaped
#2989Responsive Pricing Table3830910510k+Non Singular String Literal Domain
#2990Product Badge, Label, Countdown Timer for WooCommerce – Sale Booster3837985k+Interpolated SQL is not prepared
#2991Easy WP Cleaner38581242k+Non-prefixed global variable
#2992Easy Yandex Metrica389748900Output is not escaped
#2993Elemailer Lite – Elementor email template & campaign builder3844505k+Output is not escaped
#2994Erident Custom Login and Dashboard38122288k+Unsafe printing function
#2995EU Cookie Law Compliance38151222k+Non Singular String Literal Domain
#2996Export to Blogger3847117900Non-prefixed global variable
#2997Export User Data38187626k+Text Domain Mismatch
#2998Buttonizer – Social Media Share Buttons, Social Icons, & Social Feeds381678250k+Output is not escaped
#2999Social Photo Fetcher38151431k+Output is not escaped
#3000Social Shop for WooCommerce385124800Output is not escaped