missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3251 | Modal Dialog | 39 | 64 | 64 | 500 | Output is not escaped | ||
| #3252 | Movable Type and TypePad Importer | 39 | 42 | 25 | 20k+ | Output is not escaped | ||
| #3253 | Multilingual Contact Form 7 with Polylang | 39 | 50 | 30 | 9k+ | Text Domain Mismatch | ||
| #3254 | Open Graph Pro | 39 | 52 | 13 | 1k+ | Output is not escaped | ||
| #3255 | SOGO Add Script to Individual Pages Header Footer | 39 | 74 | 40 | 20k+ | Output is not escaped | ||
| #3256 | OneSignal Sender | 39 | 112 | 50 | 400 | Output is not escaped | ||
| #3257 | Page List Widget | 39 | 150 | 6 | 400 | Output is not escaped | ||
| #3258 | Pay by paynow.pl | 39 | 51 | 56 | 6k+ | Output is not escaped | ||
| #3259 | Designil PDPA Thailand | 39 | 131 | 36 | 3k+ | Output is not escaped | ||
| #3260 | PO/MO Editor | 39 | 106 | 45 | 1k+ | Unsafe printing function | ||
| #3261 | Posts By Tag | 39 | 151 | 30 | 1k+ | Output is not escaped | ||
| #3262 | PickPlugins Pricing Table | 39 | 3 | 171 | 1k+ | Missing nonce verification | ||
| #3263 | Privilege Menu | 39 | 215 | 49 | 1k+ | Text Domain Mismatch | ||
| #3264 | QR Redirector | 39 | 48 | 54 | 4k+ | Output is not escaped | ||
| #3265 | Quantcast Choice | 39 | 227 | 11 | 3k+ | Text Domain Mismatch | ||
| #3266 | Query Multiple Taxonomies | 39 | 55 | 41 | 500 | Output is not escaped | ||
| #3267 | Quform Mailchimp | 39 | 65 | 147 | 800 | Nonce verification recommended | ||
| #3268 | Quform Zapier | 39 | 60 | 123 | 1k+ | Nonce verification recommended | ||
| #3269 | Simple Webchat | 39 | 142 | 204 | 1k+ | Output is not escaped | ||
| #3270 | Radio Buttons for Taxonomies | 39 | 40 | 24 | 20k+ | Output is not escaped | ||
| #3271 | Really Simple Gallery Widget | 39 | 114 | 90 | 700 | Non-prefixed global variable | ||
| #3272 | Recent Posts with Excerpts | 39 | 138 | 2 | 700 | Output is not escaped | ||
| #3273 | Redirect 404 Error Page to Homepage or Custom Page with Logs | 39 | 27 | 53 | 10k+ | Nonce verification recommended | ||
| #3274 | Responsify WP | 39 | 90 | 11 | 600 | Unsafe printing function | ||
| #3275 | RioVizual — Table Blocks for Comparison, Pricing and Pros & Cons | 39 | 32 | 75 | 1k+ | Nonce verification recommended | ||
| #3276 | Rollbar | 39 | 75 | 14 | 400 | Output is not escaped | ||
| #3277 | Royal Mail Shipping Calculator for WooCommerce | 39 | 61 | 31 | 1k+ | Text Domain Mismatch | ||
| #3278 | Scripts n Styles | 39 | 150 | 92 | 30k+ | Output is not escaped | ||
| #3279 | Easy Smooth Scroll Links | 39 | 64 | 5 | 600 | Output is not escaped | ||
| #3280 | SEO Auto Linker | 39 | 90 | 24 | 1k+ | Text Domain Mismatch | ||
| #3281 | SEO Friendly Images | 39 | 292 | 20 | 20k+ | Output is not escaped | ||
| #3282 | Shipping by Rules for WooCommerce | 39 | 130 | 48 | 500 | Output is not escaped | ||
| #3283 | Shipping Simulator for WooCommerce | 39 | 120 | 39 | 5k+ | Text Domain Mismatch | ||
| #3284 | Show All Comments | 39 | 108 | 92 | 400 | Nonce verification recommended | ||
| #3285 | Simpaisa Wallet (Jazzcash & Easypaisa) Payment Services | 39 | 67 | 74 | 1k+ | Interpolated Variable Text | ||
| #3286 | Simple Membership WP user Import | 39 | 22 | 46 | 4k+ | Request data is not unslashed | ||
| #3287 | Simple Posts Ticker – Easy, Lightweight & Flexible | 39 | 151 | 28 | 2k+ | Output is not escaped | ||
| #3288 | Simple Staff List | 39 | 90 | 236 | 3k+ | Non-prefixed global variable | ||
| #3289 | SimpleModal Login | 39 | 50 | 12 | 700 | Unsafe printing function | ||
| #3290 | SKP WP Admin Login Captcha | 39 | 77 | 18 | 1k+ | Output is not escaped | ||
| #3291 | Slash Admin | 39 | 116 | 38 | 500 | Output is not escaped | ||
| #3292 | Slider Text Scroll | 39 | 95 | 52 | 400 | Text Domain Mismatch | ||
| #3293 | Slideshow SE | 39 | 35 | 240 | 2k+ | Non-prefixed global variable | ||
| #3294 | Smaily for WP | 39 | 52 | 36 | 600 | Output is not escaped | ||
| #3295 | Smart Archives Reloaded | 39 | 78 | 36 | 1k+ | Non Singular String Literal Domain | ||
| #3296 | SMTP | 39 | 54 | 15 | 700 | Non Singular String Literal Domain | ||
| #3297 | Soumettre.fr | 39 | 130 | 26 | 10k+ | Text Domain Mismatch | ||
| #3298 | Stock Ticker | 39 | 92 | 49 | 2k+ | Output is not escaped | ||
| #3299 | Stockdio Historical Chart | 39 | 65 | 16 | 800 | Output is not escaped | ||
| #3300 | Store Locator for WordPress📍 | 39 | 100 | 36 | 1k+ | Missing Arg Domain |