missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3351Categories to Tags Converter39863850k+Output is not escaped
#3352WPS Child Theme Generator39111856k+Unsafe printing function
#3353Yandex Metrica39924620k+Output is not escaped
#3354YITH Custom Login3986335k+Output is not escaped
#3355You can quote me on that395737400Output is not escaped
#3356Z398469500Output is not escaped
#3357htaccess protect392833800Input is not validated
#3358404 Notifier403941700Output is not escaped
#3359ACF qTranslate40184258k+Output is not escaped
#3360ACF to Custom Database Tables403664600Nonce verification recommended
#3361Add Pinterest conversion tags for Pinterest Ads + Site verification4088261k+Output is not escaped
#3362Add & Replace Affiliate Links for Amazon403952600Output is not escaped
#3363Subscribe Button by AddToAny409347900Output is not escaped
#3364Address Autocomplete Anything409432900Unsafe printing function
#3365Admin Search4031471k+Output is not escaped
#3366Advanced Admin Search407948600Non Singular String Literal Text
#3367Advanced Custom Fields: Font Awesome Field403327090k+Text Domain Mismatch
#3368Advanced WooCommerce Product Gallery Slider4042483k+Non-prefixed global variable
#3369Advanced WPLink4067191k+Text Domain Mismatch
#3370AJAX Thumbnail Rebuild40381430k+Unsafe printing function
#3371Allow Multiple Accounts40115199k+Non Singular String Literal Domain
#3372amCharts: Charts and Maps402631132k+Text Domain Mismatch
#3373Analytics Cat – Google Analytics Made Easy4083276k+Text Domain Mismatch
#3374Animated Live Wall Gallery4027722k+Request data is not unslashed
#3375Athemes Toolbox40254583k+Text Domain Mismatch
#3376Attachment Importer4024763k+Input is not sanitized
#3377Auto Upload Images40621320k+Unsafe printing function
#3378Autocomplete LearnDash Lessons and Topics4046161k+Missing Arg Domain
#3379AutoConvert Greeklish Permalinks401161330k+Text Domain Mismatch
#3380Mastodon Autopost404150700Output is not escaped
#3381Bangladeshi Payment Gateways – Make Payment Using QR Code4040365k+Output is not escaped
#3382Basic Interactive World Map4094541k+Text Domain Mismatch
#3383Better Internal Link Search4023481k+strip tags strip tags
#3384Billingo Official for WooCommerce4025373k+Output is not escaped
#3385Bulk Add Terms407427800Text Domain Mismatch
#3386Bulk Featured Image4069117800Output is not escaped
#3387Bulk Move4085449k+Unsafe printing function
#3388Coming soon Page402418500Text Domain Mismatch
#3389Custom Cart Link for WooCommerce402416700Unsafe printing function
#3390Catalog for Woocommerce4092751k+Output is not escaped
#3391Categories Metabox Enhanced4077361k+Output is not escaped
#3392CC BMI Calculator401357800Output is not escaped
#3393CleverReach Integration for Contact Form 74010343700Text Domain Mismatch
#3394Contact Form 7 to Mailjet407039600Output is not escaped
#3395Classified Ads40136381k+Text Domain Mismatch
#3396Cleaner Gallery404082k+Unsafe printing function
#3397Client Portal – Private user pages and login4052293k+Output is not escaped
#3398Top-Bar CodeBulls409113700Text Domain Mismatch
#3399codoc4019392k+Request data is not unslashed
#3400Complete Image Sitemap4055181k+Output is not escaped