missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3151 | AffiliatePages – Pros & Cons, Notice, and CTA Blocks for Affiliates | 39 | 91 | 53 | 2k+ | Output is not escaped | ||
| #3152 | AffiliateWP – Affiliate Area Tabs | 39 | 86 | 26 | 3k+ | Output is not escaped | ||
| #3153 | Load More Anything | 39 | 38 | 73 | 5k+ | Output is not escaped | ||
| #3154 | Animate It! | 39 | 137 | 16 | 20k+ | Text Domain Mismatch | ||
| #3155 | Anything Order by Terms | 39 | 48 | 93 | 1k+ | Direct Query | ||
| #3156 | Ads.txt & App-ads.txt Manager for WordPress | 39 | 97 | 23 | 2k+ | Output is not escaped | ||
| #3157 | Archive Control | 39 | 151 | 67 | 1k+ | Unsafe printing function | ||
| #3158 | Australia Post WooCommerce Extension | 39 | 99 | 12 | 3k+ | Text Domain Mismatch | ||
| #3159 | Header Footer for Beaver Builder | 39 | 39 | 31 | 10k+ | Output is not escaped | ||
| #3160 | Better Random Redirect | 39 | 88 | 40 | 700 | Text Domain Mismatch | ||
| #3161 | Billplz for WooCommerce | 39 | 289 | 65 | 6k+ | Text Domain Mismatch | ||
| #3162 | BIP Pages | 39 | 98 | 25 | 400 | Short PHP open tag found | ||
| #3163 | Birds Custom Login | 39 | 196 | 23 | 4k+ | Non Singular String Literal Domain | ||
| #3164 | Block Editor Bootstrap Blocks | 39 | 173 | 50 | 900 | Text Domain Mismatch | ||
| #3165 | Bogo | 39 | 30 | 139 | 10k+ | Request data is not unslashed | ||
| #3166 | BOX NOW Delivery Croatia | 39 | 64 | 99 | 800 | Missing nonce verification | ||
| #3167 | BST DSGVO Cookie | 39 | 61 | 7 | 5k+ | Unsafe printing function | ||
| #3168 | BuddyPress Default Cover Photo | 39 | 62 | 39 | 500 | Output is not escaped | ||
| #3169 | BugSnag Error Monitoring plugin | 39 | 52 | 96 | 2k+ | wp function not compatible with requires wp | ||
| #3170 | Bulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO) | 39 | 16 | 47 | 10k+ | Request data is not unslashed | ||
| #3171 | Bulk NoIndex & NoFollow Toolkit | 39 | 72 | 172 | 2k+ | Nonce verification recommended | ||
| #3172 | Better WordPress External Links | 39 | 130 | 35 | 400 | Non Singular String Literal Domain | ||
| #3173 | Cache Images | 39 | 72 | 27 | 1k+ | Unsafe printing function | ||
| #3174 | CatFolders Document Gallery & PDF Library | 39 | 66 | 32 | 3k+ | Output is not escaped | ||
| #3175 | Saitama Addon Pack | 39 | 152 | 27 | 1k+ | Output is not escaped | ||
| #3176 | Contact Form 7 extension for Google Map fields | 39 | 118 | 58 | 500 | Missing Arg Domain | ||
| #3177 | Innozilla Skins for Contact Form 7 | 39 | 152 | 22 | 2k+ | Output is not escaped | ||
| #3178 | Configurable Tag Cloud (CTC) | 39 | 126 | 121 | 2k+ | Output is not escaped | ||
| #3179 | Constant Contact + WooCommerce | 39 | 27 | 91 | 1k+ | Nonce verification recommended | ||
| #3180 | Contact Form 7 – Dynamic Text Extension | 39 | 103 | 28 | 100k+ | Output is not escaped | ||
| #3181 | Image CAPTCHA for Contact Form 7 and WPForms by HookAndHook (DSGVO/GDPR) | 39 | 28 | 45 | 80k+ | Missing nonce verification | ||
| #3182 | Cookies for Comments | 39 | 22 | 29 | 20k+ | Input is not validated | ||
| #3183 | Country & Phone Field Contact Form 7 | 39 | 117 | 34 | 40k+ | Text Domain Mismatch | ||
| #3184 | Culqi | 39 | 571 | 88 | 1k+ | Text Domain Mismatch | ||
| #3185 | Custom Metadata Manager | 39 | 81 | 20 | 700 | Output is not escaped | ||
| #3186 | Custom Post Order | 39 | 14 | 32 | 400 | Input is not sanitized | ||
| #3187 | Custom Post Type Auto Menu | 39 | 54 | 33 | 500 | Text Domain Mismatch | ||
| #3188 | Custom Post Type Parents | 39 | 75 | 18 | 900 | Output is not escaped | ||
| #3189 | Custom Related Posts | 39 | 131 | 34 | 3k+ | Output is not escaped | ||
| #3190 | Da Reactions | 39 | 15 | 140 | 400 | Request data is not unslashed | ||
| #3191 | Deliverability – pass DKIM, SPF, DMARC & more | 39 | 21 | 71 | 800 | Nonce verification recommended | ||
| #3192 | Drip for Gravity Forms | 39 | 41 | 21 | 500 | Unsafe printing function | ||
| #3193 | Dublin Core Metadata Generator | 39 | 74 | 15 | 900 | Output is not escaped | ||
| #3194 | Duplicate Killer – Prevent Duplicate Form Submissions | 39 | 57 | 103 | 1k+ | Non-prefixed global variable | ||
| #3195 | WeShareAI – AI-Powered Share Buttons (formerly E-MAILiT) | 39 | 165 | 24 | 700 | Unsafe printing function | ||
| #3196 | Editor Menu and Widget Access | 39 | 81 | 24 | 7k+ | Output is not escaped | ||
| #3197 | Caldera Forms styler for Elementor Page Builder | 39 | 173 | 12 | 700 | Text Domain Mismatch | ||
| #3198 | ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor | 39 | 73 | 348 | 1m+ | Non-prefixed global variable | ||
| #3199 | Email Marketing by EmailOctopus | 39 | 43 | 62 | 3k+ | Non-prefixed global variable | ||
| #3200 | Enhanced Admin Bar with Codex Search | 39 | 64 | 3 | 1k+ | Missing Arg Domain |