missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3301Structured Content (JSON-LD) #wpsc392917340k+Output is not escaped
#3302Substack Importer3933331k+Missing nonce verification
#3303Swifty Image Widget3911428900Output is not escaped
#3304Sydney Toolbox39846250k+Unsafe printing function
#3305Sync Post With Other Site39179213k+Non Singular String Literal Domain
#3306Tabify Edit Screen398327500Output is not escaped
#3307Easy Category Icons395043600Text Domain Mismatch
#3308ThemeKit For WordPress3914949700Output is not escaped
#3309OpenHook39172221k+Unsafe printing function
#3310TinyMCE Custom Styles39297767k+Non Singular String Literal Domain
#3311TinyMCE Spellcheck3927322k+Unsafe printing function
#3312UiChemy — Figma Converter for Elementor, Gutenberg and Bricks3981009k+Nonce verification recommended
#3313Ultimate Client Dash39697122k+Text Domain Mismatch
#3314Ultimate Lightbox39110591k+Unsafe printing function
#3315Universal Google Adsense and Ads manager3970312k+Unsafe printing function
#3316Unlimited Background Slider396653600Output is not escaped
#3317upPrev3935361k+Dynamic hook name
#3318Uptolike Social Share Buttons3938334k+Output is not escaped
#3319User Blocker3962763k+Nonce verification recommended
#3320UserHeat Plugin39121206k+Non Singular String Literal Domain
#3321Accessibility by UserWay39223580k+Direct Query
#3322Smart Variation Swatches and Attribute Filters for WooCommerce3939503k+Output is not escaped
#3323Video Blogster Lite392980700Missing nonce verification
#3324Visual Portfolio, Photo Gallery & Post Grid393418960k+Non-prefixed hook name
#3325Payments via PayMongo for WooCommerce3936811k+Nonce verification recommended
#3326Smart COD for WooCommerce39502830k+Output is not escaped
#3327WebHotelier for WordPress3945140500Text Domain Mismatch
#3328Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types398911720k+Unsafe printing function
#3329Woo Button Text395321500Output is not escaped
#3330Lucky Wheel for WooCommerce – Spin a Sale39121531k+Request data is not unslashed
#3331PayU GPO Payment for WooCommerce39449110k+Output is not escaped
#3332Modal Fly Cart & AJAX Add to Cart for WooCommerce3983742k+Text Domain Mismatch
#3333WooCommerce Product Dependencies3944603k+Missing nonce verification
#3334Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools39322668k+Output is not escaped
#3335WP Accessibility3920010460k+Unsafe printing function
#3336WP Add Custom CSS39452360k+Output is not escaped
#3337Aparat for WordPress3959143k+Output is not escaped
#3338WP Attachments3949443k+Output is not escaped
#3339WP-Cycle3953173k+Output is not escaped
#3340WP Gmail SMTP3999501k+Text Domain Mismatch
#3341WP Limit Login Attempts39266710k+Direct Query
#3342WP Most Popular3950352k+Output is not escaped
#3343WP Multibyte Patch3924551m+Input is not sanitized
#3344WP Performance Score Booster – Optimize Speed, Enable Cache & Page Preload39592710k+Unsafe printing function
#3345WP Realtime Sitemap39464110k+Output is not escaped
#3346WP SendGrid SMTP3999501k+Text Domain Mismatch
#3347WP Sitemap Control393137400Output is not escaped
#3348WP Sitemaps Config398837700Output is not escaped
#3349WP-Slimbox2 Plugin3977193k+Unsafe printing function
#3350WP Social Widget3923974k+Output is not escaped