missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3001 | Front-end Editor | 38 | 78 | 62 | 500 | Output is not escaped | ||
| #3002 | Gecka Submenu | 38 | 326 | 36 | 3k+ | Output is not escaped | ||
| #3003 | GiveWP Donation Widgets for Elementor | 38 | 483 | 13 | 7k+ | Text Domain Mismatch | ||
| #3004 | Goal Tracker – Custom Event Tracking for GA4 | 38 | 541 | 25 | 2k+ | Output is not escaped | ||
| #3005 | GoodBarber | 38 | 38 | 73 | 1k+ | Nonce verification recommended | ||
| #3006 | Great Caroussel | 38 | 60 | 131 | 500 | SQL query is not prepared | ||
| #3007 | Greek Multi Tool – Greeklish Slugs, Permalinks & Transliteration | 38 | 160 | 82 | 1k+ | Unsafe printing function | ||
| #3008 | HashThemes Demo Importer | 38 | 71 | 44 | 6k+ | Output is not escaped | ||
| #3009 | WP Team – WordPress Team Member Plugin | 38 | 537 | 36 | 500 | Text Domain Mismatch | ||
| #3010 | Icegram Mailer – Reliable Email Deliverability, No-code SMTP Replacement & Email logs | 38 | 36 | 106 | 2k+ | Non-prefixed global variable | ||
| #3011 | Illdy Companion | 38 | 187 | 23 | 6k+ | Output is not escaped | ||
| #3012 | imoje | 38 | 62 | 160 | 2k+ | Nonce verification recommended | ||
| #3013 | Import to Photo Gallery from NextGen gallery | 38 | 80 | 83 | 400 | Direct Query | ||
| #3014 | Coding Chicken – JetEngine Importer | 38 | 55 | 29 | 400 | Missing direct file access protection | ||
| #3015 | Insert PHP Code Snippet | 38 | 164 | 227 | 90k+ | Output is not escaped | ||
| #3016 | 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery | 38 | 353 | 77 | 80k+ | Non Singular String Literal Domain | ||
| #3017 | JC Submenu | 38 | 279 | 32 | 4k+ | Output is not escaped | ||
| #3018 | Maintenance Redirect | 38 | 244 | 132 | 10k+ | Missing Arg Domain | ||
| #3019 | Jupiter X Core | 38 | 71 | 767 | 70k+ | Non-prefixed global variable | ||
| #3020 | Lightning Advanced Unit | 38 | 189 | 27 | 3k+ | Output is not escaped | ||
| #3021 | Log Deprecated Notices | 38 | 92 | 73 | 900 | Text Domain Mismatch | ||
| #3022 | LuckyWP Scripts Control | 38 | 186 | 23 | 3k+ | Output is not escaped | ||
| #3023 | LWS Cleaner | 38 | 81 | 129 | 20k+ | Direct Query | ||
| #3024 | Magical Posts Display – Elementor Advanced Posts widgets | 38 | 115 | 46 | 3k+ | Output is not escaped | ||
| #3025 | Mega Elements – Addons for Elementor | 38 | 170 | 57 | 10k+ | Output is not escaped | ||
| #3026 | Auto SEO META keywords (META tags keywords) optimization + WooCommerce | 38 | 63 | 34 | 700 | Output is not escaped | ||
| #3027 | Migrate Store: Export and Import WooCommerce Settings | 38 | 37 | 33 | 1k+ | Non-prefixed global variable | ||
| #3028 | MimeTypes Link Icons | 38 | 53 | 34 | 8k+ | Output is not escaped | ||
| #3029 | Group chat for WordPress – Minnit Chat | 38 | 39 | 65 | 500 | Non-prefixed global variable | ||
| #3030 | Monetag Official Plugin | 38 | 133 | 32 | 5k+ | Text Domain Mismatch | ||
| #3031 | Most And Least Read Posts Widget | 38 | 130 | 24 | 1k+ | Output is not escaped | ||
| #3032 | MultiLine Files for Contact Form 7 | 38 | 98 | 40 | 9k+ | Text Domain Mismatch | ||
| #3033 | MX Time Zone Clocks | 38 | 219 | 41 | 1k+ | Output is not escaped | ||
| #3034 | Contact Form Widget | 38 | 54 | 107 | 1k+ | Request data is not unslashed | ||
| #3035 | Note – A live edit text widget | 38 | 118 | 49 | 1k+ | Output is not escaped | ||
| #3036 | One Click Demo Import | 38 | 22 | 84 | 1m+ | Non-prefixed global variable | ||
| #3037 | OneSignal – Web Push Notifications | 38 | 53 | 64 | 70k+ | Output is not escaped | ||
| #3038 | Open Graphite | 38 | 380 | 204 | 3k+ | Unsafe printing function | ||
| #3039 | Ozh' Better Feed | 38 | 45 | 35 | 600 | Heredoc Output Not Escaped | ||
| #3040 | Page Links To | 38 | 31 | 40 | 100k+ | Unsafe printing function | ||
| #3041 | YAPE A1 Tiendas | 38 | 24 | 43 | 900 | Missing nonce verification | ||
| #3042 | PayTR Taksit Tablosu – WooCommerce | 38 | 67 | 39 | 3k+ | Non Singular String Literal Domain | ||
| #3043 | Podlove Subscribe button | 38 | 148 | 45 | 2k+ | Output is not escaped | ||
| #3044 | Polaroid Gallery | 38 | 105 | 20 | 1k+ | Unsafe printing function | ||
| #3045 | PopCash Code Integration Tool | 38 | 77 | 109 | 400 | Nonce verification recommended | ||
| #3046 | Popular Posts by Webline | 38 | 256 | 8 | 1k+ | Output is not escaped | ||
| #3047 | Popular Widget | 38 | 61 | 30 | 700 | Unsafe printing function | ||
| #3048 | Post Slider For WPBakery Page Builder | 38 | 201 | 14 | 1k+ | Output is not escaped | ||
| #3049 | PostLinks | 38 | 107 | 10 | 700 | Output is not escaped | ||
| #3050 | qTranslate META | 38 | 88 | 26 | 400 | Output is not escaped |