missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3001Front-end Editor387862500Output is not escaped
#3002Gecka Submenu38326363k+Output is not escaped
#3003GiveWP Donation Widgets for Elementor38483137k+Text Domain Mismatch
#3004Goal Tracker – Custom Event Tracking for GA438541252k+Output is not escaped
#3005GoodBarber3838731k+Nonce verification recommended
#3006Great Caroussel3860131500SQL query is not prepared
#3007Greek Multi Tool – Greeklish Slugs, Permalinks & Transliteration38160821k+Unsafe printing function
#3008HashThemes Demo Importer3871446k+Output is not escaped
#3009WP Team – WordPress Team Member Plugin3853736500Text Domain Mismatch
#3010Icegram Mailer – Reliable Email Deliverability, No-code SMTP Replacement & Email logs38361062k+Non-prefixed global variable
#3011Illdy Companion38187236k+Output is not escaped
#3012imoje38621602k+Nonce verification recommended
#3013Import to Photo Gallery from NextGen gallery388083400Direct Query
#3014Coding Chicken – JetEngine Importer385529400Missing direct file access protection
#3015Insert PHP Code Snippet3816422790k+Output is not escaped
#30163D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery383537780k+Non Singular String Literal Domain
#3017JC Submenu38279324k+Output is not escaped
#3018Maintenance Redirect3824413210k+Missing Arg Domain
#3019Jupiter X Core387176770k+Non-prefixed global variable
#3020Lightning Advanced Unit38189273k+Output is not escaped
#3021Log Deprecated Notices389273900Text Domain Mismatch
#3022LuckyWP Scripts Control38186233k+Output is not escaped
#3023LWS Cleaner388112920k+Direct Query
#3024Magical Posts Display – Elementor Advanced Posts widgets38115463k+Output is not escaped
#3025Mega Elements – Addons for Elementor381705710k+Output is not escaped
#3026Auto SEO META keywords (META tags keywords) optimization + WooCommerce386334700Output is not escaped
#3027Migrate Store: Export and Import WooCommerce Settings3837331k+Non-prefixed global variable
#3028MimeTypes Link Icons3853348k+Output is not escaped
#3029Group chat for WordPress – Minnit Chat383965500Non-prefixed global variable
#3030Monetag Official Plugin38133325k+Text Domain Mismatch
#3031Most And Least Read Posts Widget38130241k+Output is not escaped
#3032MultiLine Files for Contact Form 73898409k+Text Domain Mismatch
#3033MX Time Zone Clocks38219411k+Output is not escaped
#3034Contact Form Widget38541071k+Request data is not unslashed
#3035Note – A live edit text widget38118491k+Output is not escaped
#3036One Click Demo Import3822841m+Non-prefixed global variable
#3037OneSignal – Web Push Notifications38536470k+Output is not escaped
#3038Open Graphite383802043k+Unsafe printing function
#3039Ozh' Better Feed384535600Heredoc Output Not Escaped
#3040Page Links To383140100k+Unsafe printing function
#3041YAPE A1 Tiendas382443900Missing nonce verification
#3042PayTR Taksit Tablosu – WooCommerce3867393k+Non Singular String Literal Domain
#3043Podlove Subscribe button38148452k+Output is not escaped
#3044Polaroid Gallery38105201k+Unsafe printing function
#3045PopCash Code Integration Tool3877109400Nonce verification recommended
#3046Popular Posts by Webline3825681k+Output is not escaped
#3047Popular Widget386130700Unsafe printing function
#3048Post Slider For WPBakery Page Builder38201141k+Output is not escaped
#3049PostLinks3810710700Output is not escaped
#3050qTranslate META388826400Output is not escaped