missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3051 | qTranslate X Cleanup and WPML Import | 38 | 167 | 102 | 800 | Text Domain Mismatch | ||
| #3052 | Quick Download Button | 38 | 34 | 123 | 2k+ | Non-prefixed global variable | ||
| #3053 | RDP Wiki Embed | 38 | 69 | 26 | 400 | Output is not escaped | ||
| #3054 | Recent Posts Plus | 38 | 111 | 4 | 1k+ | Output is not escaped | ||
| #3055 | Logo Carousel – Display Brand or Client Logos in Slider | 38 | 524 | 42 | 800 | Output is not escaped | ||
| #3056 | Responsive Mailform ( Plugin Version ) – easy, responsive, contact, mailform | 38 | 120 | 107 | 500 | Output is not escaped | ||
| #3057 | WP REST API – OAuth 1.0a Server | 38 | 100 | 85 | 8k+ | Text Domain Mismatch | ||
| #3058 | Like This | 38 | 60 | 17 | 1k+ | Output is not escaped | ||
| #3059 | SCSS WP Editor | 38 | 111 | 40 | 900 | Exception output is not escaped | ||
| #3060 | Author Image | 38 | 51 | 33 | 1k+ | Output is not escaped | ||
| #3061 | Shapely Companion | 38 | 49 | 39 | 10k+ | Output is not escaped | ||
| #3062 | ShiftNav – Responsive Mobile Menu | 38 | 249 | 35 | 10k+ | Text Domain Mismatch | ||
| #3063 | Snippet Shortcodes | 38 | 359 | 133 | 4k+ | Non Singular String Literal Domain | ||
| #3064 | Shutter Reloaded | 38 | 194 | 95 | 1k+ | Text Domain Mismatch | ||
| #3065 | Simple Expires | 38 | 32 | 39 | 500 | Non Singular String Literal Domain | ||
| #3066 | Simple JWT Login – Allows you to use JWT on REST endpoints. | 38 | 712 | 95 | 4k+ | Output is not escaped | ||
| #3067 | Simple Keyword to Link | 38 | 90 | 49 | 3k+ | Non Singular String Literal Domain | ||
| #3068 | Simple LDAP Login | 38 | 65 | 33 | 1k+ | Output is not escaped | ||
| #3069 | Simple Visitor Counter | 38 | 41 | 27 | 700 | Output is not escaped | ||
| #3070 | SimpleShop | 38 | 52 | 51 | 1k+ | date date | ||
| #3071 | Slickstream: Engagement and Conversions | 38 | 100 | 19 | 2k+ | Output is not escaped | ||
| #3072 | Slickplan Importer | 38 | 40 | 58 | 400 | Non-prefixed global variable | ||
| #3073 | Smart Cookie Kit | 38 | 263 | 81 | 3k+ | Output is not escaped | ||
| #3074 | Smart Maintenance Mode | 38 | 137 | 128 | 1k+ | Output is not escaped | ||
| #3075 | Social Icons | 38 | 72 | 83 | 10k+ | Output is not escaped | ||
| #3076 | SOGO Accessibility | 38 | 147 | 40 | 5k+ | Non Singular String Literal Domain | ||
| #3077 | Stock Market News | 38 | 71 | 11 | 500 | Output is not escaped | ||
| #3078 | Stock Market Overview | 38 | 86 | 14 | 1k+ | Output is not escaped | ||
| #3079 | Stock Market Ticker | 38 | 69 | 14 | 3k+ | Output is not escaped | ||
| #3080 | Stock Quotes List | 38 | 72 | 13 | 600 | Output is not escaped | ||
| #3081 | Super Simple Slider | 38 | 55 | 55 | 1k+ | Non-prefixed global variable | ||
| #3082 | Swiper Js Slider | 38 | 125 | 35 | 400 | Output is not escaped | ||
| #3083 | Logo Slider , Logo Carousel , Logo showcase , Client Logo | 38 | 72 | 22 | 1k+ | Output is not escaped | ||
| #3084 | Templatiq | 38 | 31 | 94 | 900 | Non-prefixed hook name | ||
| #3085 | Product Compare for WooCommerce | 38 | 55 | 191 | 3k+ | Non-prefixed global variable | ||
| #3086 | Variation Swatches for WooCommerce | 38 | 45 | 65 | 2k+ | Output is not escaped | ||
| #3087 | Theme Blvd Widget Pack | 38 | 240 | 17 | 1k+ | Output is not escaped | ||
| #3088 | Broadcast | 38 | 21 | 107 | 1k+ | Direct Query | ||
| #3089 | TopList.cz | 38 | 138 | 7 | 400 | Output is not escaped | ||
| #3090 | Trackserver | 38 | 17 | 356 | 400 | Input is not sanitized | ||
| #3091 | Plugin Name: Traffic Stats Widget Plugin | 38 | 69 | 107 | 600 | Output is not escaped | ||
| #3092 | Trash Duplicate and 301 Redirect | 38 | 13 | 103 | 1k+ | Nonce verification recommended | ||
| #3093 | TRUENDO | GDPR Compliant Cookie Manager | 38 | 98 | 38 | 600 | Output is not escaped | ||
| #3094 | Sidebar Login Widget | 38 | 90 | 16 | 700 | Output is not escaped | ||
| #3095 | Twenty Eleven Theme Extensions | 38 | 35 | 30 | 3k+ | Output is not escaped | ||
| #3096 | Twiget Twitter Widget | 38 | 147 | 36 | 500 | Output is not escaped | ||
| #3097 | Twitter for WordPress | 38 | 47 | 24 | 1k+ | Output is not escaped | ||
| #3098 | TypePad emoji for TinyMCE | 38 | 100 | 24 | 8k+ | Text Domain Mismatch | ||
| #3099 | Termly – GDPR/CCPA Cookie Consent Banner | 38 | 54 | 92 | 80k+ | Non-prefixed global variable | ||
| #3100 | Ultimate Member Widgets for Elementor – Login Form, Register Form & User Directory | 38 | 17 | 110 | 400 | Non-prefixed namespace |