missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3251Modal Dialog396464500Output is not escaped
#3252Movable Type and TypePad Importer39422520k+Output is not escaped
#3253Multilingual Contact Form 7 with Polylang3950309k+Text Domain Mismatch
#3254Open Graph Pro3952131k+Output is not escaped
#3255SOGO Add Script to Individual Pages Header Footer39744020k+Output is not escaped
#3256OneSignal Sender3911250400Output is not escaped
#3257Page List Widget391506400Output is not escaped
#3258Pay by paynow.pl3951566k+Output is not escaped
#3259Designil PDPA Thailand39131363k+Output is not escaped
#3260PO/MO Editor39106451k+Unsafe printing function
#3261Posts By Tag39151301k+Output is not escaped
#3262PickPlugins Pricing Table3931711k+Missing nonce verification
#3263Privilege Menu39215491k+Text Domain Mismatch
#3264QR Redirector3948544k+Output is not escaped
#3265Quantcast Choice39227113k+Text Domain Mismatch
#3266Query Multiple Taxonomies395541500Output is not escaped
#3267Quform Mailchimp3965147800Nonce verification recommended
#3268Quform Zapier39601231k+Nonce verification recommended
#3269Simple Webchat391422041k+Output is not escaped
#3270Radio Buttons for Taxonomies39402420k+Output is not escaped
#3271Really Simple Gallery Widget3911490700Non-prefixed global variable
#3272Recent Posts with Excerpts391382700Output is not escaped
#3273Redirect 404 Error Page to Homepage or Custom Page with Logs39275310k+Nonce verification recommended
#3274Responsify WP399011600Unsafe printing function
#3275RioVizual — Table Blocks for Comparison, Pricing and Pros & Cons3932751k+Nonce verification recommended
#3276Rollbar397514400Output is not escaped
#3277Royal Mail Shipping Calculator for WooCommerce3961311k+Text Domain Mismatch
#3278Scripts n Styles391509230k+Output is not escaped
#3279Easy Smooth Scroll Links39645600Output is not escaped
#3280SEO Auto Linker3990241k+Text Domain Mismatch
#3281SEO Friendly Images392922020k+Output is not escaped
#3282Shipping by Rules for WooCommerce3913048500Output is not escaped
#3283Shipping Simulator for WooCommerce39120395k+Text Domain Mismatch
#3284Show All Comments3910892400Nonce verification recommended
#3285Simpaisa Wallet (Jazzcash & Easypaisa) Payment Services3967741k+Interpolated Variable Text
#3286Simple Membership WP user Import3922464k+Request data is not unslashed
#3287Simple Posts Ticker – Easy, Lightweight & Flexible39151282k+Output is not escaped
#3288Simple Staff List39902363k+Non-prefixed global variable
#3289SimpleModal Login395012700Unsafe printing function
#3290SKP WP Admin Login Captcha3977181k+Output is not escaped
#3291Slash Admin3911638500Output is not escaped
#3292Slider Text Scroll399552400Text Domain Mismatch
#3293Slideshow SE39352402k+Non-prefixed global variable
#3294Smaily for WP395236600Output is not escaped
#3295Smart Archives Reloaded3978361k+Non Singular String Literal Domain
#3296SMTP395415700Non Singular String Literal Domain
#3297Soumettre.fr391302610k+Text Domain Mismatch
#3298Stock Ticker3992492k+Output is not escaped
#3299Stockdio Historical Chart396516800Output is not escaped
#3300Store Locator for WordPress📍39100361k+Missing Arg Domain