missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3151AffiliatePages – Pros & Cons, Notice, and CTA Blocks for Affiliates3991532k+Output is not escaped
#3152AffiliateWP – Affiliate Area Tabs3986263k+Output is not escaped
#3153Load More Anything3938735k+Output is not escaped
#3154Animate It!391371620k+Text Domain Mismatch
#3155Anything Order by Terms3948931k+Direct Query
#3156Ads.txt & App-ads.txt Manager for WordPress3997232k+Output is not escaped
#3157Archive Control39151671k+Unsafe printing function
#3158Australia Post WooCommerce Extension3999123k+Text Domain Mismatch
#3159Header Footer for Beaver Builder39393110k+Output is not escaped
#3160Better Random Redirect398840700Text Domain Mismatch
#3161Billplz for WooCommerce39289656k+Text Domain Mismatch
#3162BIP Pages399825400Short PHP open tag found
#3163Birds Custom Login39196234k+Non Singular String Literal Domain
#3164Block Editor Bootstrap Blocks3917350900Text Domain Mismatch
#3165Bogo393013910k+Request data is not unslashed
#3166BOX NOW Delivery Croatia396499800Missing nonce verification
#3167BST DSGVO Cookie396175k+Unsafe printing function
#3168BuddyPress Default Cover Photo396239500Output is not escaped
#3169BugSnag Error Monitoring plugin3952962k+wp function not compatible with requires wp
#3170Bulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO)39164710k+Request data is not unslashed
#3171Bulk NoIndex & NoFollow Toolkit39721722k+Nonce verification recommended
#3172Better WordPress External Links3913035400Non Singular String Literal Domain
#3173Cache Images3972271k+Unsafe printing function
#3174CatFolders Document Gallery & PDF Library3966323k+Output is not escaped
#3175Saitama Addon Pack39152271k+Output is not escaped
#3176Contact Form 7 extension for Google Map fields3911858500Missing Arg Domain
#3177Innozilla Skins for Contact Form 739152222k+Output is not escaped
#3178Configurable Tag Cloud (CTC)391261212k+Output is not escaped
#3179Constant Contact + WooCommerce3927911k+Nonce verification recommended
#3180Contact Form 7 – Dynamic Text Extension3910328100k+Output is not escaped
#3181Image CAPTCHA for Contact Form 7 and WPForms by HookAndHook (DSGVO/GDPR)39284580k+Missing nonce verification
#3182Cookies for Comments39222920k+Input is not validated
#3183Country & Phone Field Contact Form 7391173440k+Text Domain Mismatch
#3184Culqi39571881k+Text Domain Mismatch
#3185Custom Metadata Manager398120700Output is not escaped
#3186Custom Post Order391432400Input is not sanitized
#3187Custom Post Type Auto Menu395433500Text Domain Mismatch
#3188Custom Post Type Parents397518900Output is not escaped
#3189Custom Related Posts39131343k+Output is not escaped
#3190Da Reactions3915140400Request data is not unslashed
#3191Deliverability – pass DKIM, SPF, DMARC & more392171800Nonce verification recommended
#3192Drip for Gravity Forms394121500Unsafe printing function
#3193Dublin Core Metadata Generator397415900Output is not escaped
#3194Duplicate Killer – Prevent Duplicate Form Submissions39571031k+Non-prefixed global variable
#3195WeShareAI – AI-Powered Share Buttons (formerly E-MAILiT)3916524700Unsafe printing function
#3196Editor Menu and Widget Access3981247k+Output is not escaped
#3197Caldera Forms styler for Elementor Page Builder3917312700Text Domain Mismatch
#3198ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor39733481m+Non-prefixed global variable
#3199Email Marketing by EmailOctopus3943623k+Non-prefixed global variable
#3200Enhanced Admin Bar with Codex Search396431k+Missing Arg Domain