missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3101 | User Specific Content | 38 | 143 | 19 | 1k+ | Text Domain Mismatch | ||
| #3102 | VdoCipher: Secure Video Player and Hosting | 38 | 37 | 54 | 2k+ | Non-prefixed function | ||
| #3103 | Vertical News Scroller | 38 | 118 | 60 | 5k+ | Output is not escaped | ||
| #3104 | FancyTube – Video Gallery, Video Slider, and Playlist Slider for YouTube | 38 | 358 | 34 | 1k+ | Text Domain Mismatch | ||
| #3105 | Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend | 38 | 84 | 49 | 1k+ | Output is not escaped | ||
| #3106 | TWIPLA (Visitor Analytics IO) – Privacy-First Website Stats, Session Recordings, Heatmaps, Polls and Surveys | 38 | 71 | 49 | 900 | Output is not escaped | ||
| #3107 | Visual Admin Customizer | 38 | 20 | 51 | 500 | Input is not sanitized | ||
| #3108 | W2S – Migrate WooCommerce to Shopify | 38 | 33 | 132 | 1k+ | Non-prefixed global variable | ||
| #3109 | Chatbox Manager | 38 | 855 | 78 | 400 | Output is not escaped | ||
| #3110 | WC-AC Hook | 38 | 44 | 72 | 1k+ | Missing nonce verification | ||
| #3111 | Shipping Packages for WooCommerce – Dropship from multiple locations like AliExpress, eBay, Amazon, Etsy | 38 | 94 | 26 | 900 | Non Singular String Literal Domain | ||
| #3112 | SSLCommerz Payment Gateway | 38 | 21 | 132 | 2k+ | Non-prefixed global variable | ||
| #3113 | WDV About Me Widget | 38 | 150 | 8 | 900 | Output is not escaped | ||
| #3114 | White Label – WordPress Custom Admin, Custom Login Page, and Custom Dashboard | 38 | 205 | 31 | 10k+ | Output is not escaped | ||
| #3115 | WishSuite – Wishlist for WooCommerce | 38 | 76 | 133 | 1k+ | Output is not escaped | ||
| #3116 | Products Coming Soon for WooCommerce | 38 | 151 | 62 | 700 | Output is not escaped | ||
| #3117 | Show Stock Status for WooCommerce | 38 | 30 | 19 | 1k+ | Output is not escaped | ||
| #3118 | Vietnam Checkout for WooCommerce | 38 | 93 | 137 | 10k+ | Nonce verification recommended | ||
| #3119 | Wholesale for WooCommerce | 38 | 541 | 22 | 1k+ | Output is not escaped | ||
| #3120 | WP Hebrew Date | 38 | 102 | 13 | 600 | Output is not escaped | ||
| #3121 | WP 404 Auto Redirect to Similar Post | 38 | 166 | 48 | 30k+ | Text Domain Mismatch | ||
| #3122 | WP Accessibility Helper (WAH) | 38 | 61 | 88 | 10k+ | Missing direct file access protection | ||
| #3123 | WP-Ban | 38 | 99 | 108 | 8k+ | Unsafe printing function | ||
| #3124 | WP-CommentNavi | 38 | 68 | 46 | 700 | Output is not escaped | ||
| #3125 | WP Content Copy Protection with Color Design | 38 | 96 | 61 | 5k+ | Non Singular String Literal Domain | ||
| #3126 | WP-DraftsForFriends | 38 | 141 | 71 | 1k+ | Output is not escaped | ||
| #3127 | WP Mail SMTP SendGrid Edition | 38 | 102 | 19 | 500 | Text Domain Mismatch | ||
| #3128 | WP Mailgun SMTP | 38 | 99 | 51 | 900 | Text Domain Mismatch | ||
| #3129 | mb.miniAudioPlayer – an HTML5 audio player for your mp3 files | 38 | 204 | 6 | 4k+ | Unsafe printing function | ||
| #3130 | Native PHP Sessions | 38 | 30 | 92 | 10k+ | Direct Query | ||
| #3131 | WP Redirects – Contact Form 7 | 38 | 50 | 71 | 400 | Unsafe printing function | ||
| #3132 | WP Safe Mode | 38 | 95 | 55 | 2k+ | Output is not escaped | ||
| #3133 | WP-ServerInfo | 38 | 162 | 55 | 10k+ | Output is not escaped | ||
| #3134 | External Store for Shopify | 38 | 97 | 33 | 2k+ | Output is not escaped | ||
| #3135 | WP Terms Popup – Terms and Conditions and Privacy Policy WordPress Popups | 38 | 299 | 58 | 3k+ | Non Singular String Literal Domain | ||
| #3136 | WP Video Lightbox | 38 | 107 | 67 | 30k+ | Unsafe printing function | ||
| #3137 | WPC Product Options for WooCommerce | 38 | 57 | 182 | 4k+ | Non-prefixed global variable | ||
| #3138 | Responsive Vertical Icon Menu | 38 | 188 | 85 | 700 | Output is not escaped | ||
| #3139 | mb.YTPlayer for background videos | 38 | 80 | 29 | 1k+ | Unsafe printing function | ||
| #3140 | Weather Underground | 38 | 64 | 27 | 3k+ | Output is not escaped | ||
| #3141 | YouTube widget | 38 | 39 | 25 | 400 | Output is not escaped | ||
| #3142 | ZeroBounce Email Verification & Validation | 38 | 299 | 162 | 900 | Text Domain Mismatch | ||
| #3143 | Accounting for WooCommerce | 39 | 87 | 115 | 500 | Unsafe printing function | ||
| #3144 | ACF: Google Font Selector | 39 | 57 | 45 | 3k+ | Output is not escaped | ||
| #3145 | ACF Recent Posts Widget | 39 | 260 | 16 | 500 | Output is not escaped | ||
| #3146 | Add-on Gravity Forms – MailPoet 3 | 39 | 31 | 33 | 600 | Output is not escaped | ||
| #3147 | Add Tiktok Pixel for Tiktok ads (+Woocommerce) | 39 | 94 | 25 | 2k+ | Output is not escaped | ||
| #3148 | Advanced Categories Widget | 39 | 170 | 41 | 800 | Output is not escaped | ||
| #3149 | Advanced Product Fields (Product Addons) for WooCommerce | 39 | 145 | 145 | 50k+ | Output is not escaped | ||
| #3150 | Advanced Recent Posts Widget | 39 | 105 | 2 | 1k+ | Output is not escaped |