missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3101User Specific Content38143191k+Text Domain Mismatch
#3102VdoCipher: Secure Video Player and Hosting3837542k+Non-prefixed function
#3103Vertical News Scroller38118605k+Output is not escaped
#3104FancyTube – Video Gallery, Video Slider, and Playlist Slider for YouTube38358341k+Text Domain Mismatch
#3105Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend3884491k+Output is not escaped
#3106TWIPLA (Visitor Analytics IO) – Privacy-First Website Stats, Session Recordings, Heatmaps, Polls and Surveys387149900Output is not escaped
#3107Visual Admin Customizer382051500Input is not sanitized
#3108W2S – Migrate WooCommerce to Shopify38331321k+Non-prefixed global variable
#3109Chatbox Manager3885578400Output is not escaped
#3110WC-AC Hook3844721k+Missing nonce verification
#3111Shipping Packages for WooCommerce – Dropship from multiple locations like AliExpress, eBay, Amazon, Etsy389426900Non Singular String Literal Domain
#3112SSLCommerz Payment Gateway38211322k+Non-prefixed global variable
#3113WDV About Me Widget381508900Output is not escaped
#3114White Label – WordPress Custom Admin, Custom Login Page, and Custom Dashboard382053110k+Output is not escaped
#3115WishSuite – Wishlist for WooCommerce38761331k+Output is not escaped
#3116Products Coming Soon for WooCommerce3815162700Output is not escaped
#3117Show Stock Status for WooCommerce3830191k+Output is not escaped
#3118Vietnam Checkout for WooCommerce389313710k+Nonce verification recommended
#3119Wholesale for WooCommerce38541221k+Output is not escaped
#3120WP Hebrew Date3810213600Output is not escaped
#3121WP 404 Auto Redirect to Similar Post381664830k+Text Domain Mismatch
#3122WP Accessibility Helper (WAH)38618810k+Missing direct file access protection
#3123WP-Ban38991088k+Unsafe printing function
#3124WP-CommentNavi386846700Output is not escaped
#3125WP Content Copy Protection with Color Design3896615k+Non Singular String Literal Domain
#3126WP-DraftsForFriends38141711k+Output is not escaped
#3127WP Mail SMTP SendGrid Edition3810219500Text Domain Mismatch
#3128WP Mailgun SMTP389951900Text Domain Mismatch
#3129mb.miniAudioPlayer – an HTML5 audio player for your mp3 files3820464k+Unsafe printing function
#3130Native PHP Sessions38309210k+Direct Query
#3131WP Redirects – Contact Form 7385071400Unsafe printing function
#3132WP Safe Mode3895552k+Output is not escaped
#3133WP-ServerInfo381625510k+Output is not escaped
#3134External Store for Shopify3897332k+Output is not escaped
#3135WP Terms Popup – Terms and Conditions and Privacy Policy WordPress Popups38299583k+Non Singular String Literal Domain
#3136WP Video Lightbox381076730k+Unsafe printing function
#3137WPC Product Options for WooCommerce38571824k+Non-prefixed global variable
#3138Responsive Vertical Icon Menu3818885700Output is not escaped
#3139mb.YTPlayer for background videos3880291k+Unsafe printing function
#3140Weather Underground3864273k+Output is not escaped
#3141YouTube widget383925400Output is not escaped
#3142ZeroBounce Email Verification & Validation38299162900Text Domain Mismatch
#3143Accounting for WooCommerce3987115500Unsafe printing function
#3144ACF: Google Font Selector3957453k+Output is not escaped
#3145ACF Recent Posts Widget3926016500Output is not escaped
#3146Add-on Gravity Forms – MailPoet 3393133600Output is not escaped
#3147Add Tiktok Pixel for Tiktok ads (+Woocommerce)3994252k+Output is not escaped
#3148Advanced Categories Widget3917041800Output is not escaped
#3149Advanced Product Fields (Product Addons) for WooCommerce3914514550k+Output is not escaped
#3150Advanced Recent Posts Widget3910521k+Output is not escaped