missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3351 | Categories to Tags Converter | 39 | 86 | 38 | 50k+ | Output is not escaped | ||
| #3352 | WPS Child Theme Generator | 39 | 111 | 85 | 6k+ | Unsafe printing function | ||
| #3353 | Yandex Metrica | 39 | 92 | 46 | 20k+ | Output is not escaped | ||
| #3354 | YITH Custom Login | 39 | 86 | 33 | 5k+ | Output is not escaped | ||
| #3355 | You can quote me on that | 39 | 57 | 37 | 400 | Output is not escaped | ||
| #3356 | Z | 39 | 84 | 69 | 500 | Output is not escaped | ||
| #3357 | htaccess protect | 39 | 28 | 33 | 800 | Input is not validated | ||
| #3358 | 404 Notifier | 40 | 39 | 41 | 700 | Output is not escaped | ||
| #3359 | ACF qTranslate | 40 | 184 | 25 | 8k+ | Output is not escaped | ||
| #3360 | ACF to Custom Database Tables | 40 | 36 | 64 | 600 | Nonce verification recommended | ||
| #3361 | Add Pinterest conversion tags for Pinterest Ads + Site verification | 40 | 88 | 26 | 1k+ | Output is not escaped | ||
| #3362 | Add & Replace Affiliate Links for Amazon | 40 | 39 | 52 | 600 | Output is not escaped | ||
| #3363 | Subscribe Button by AddToAny | 40 | 93 | 47 | 900 | Output is not escaped | ||
| #3364 | Address Autocomplete Anything | 40 | 94 | 32 | 900 | Unsafe printing function | ||
| #3365 | Admin Search | 40 | 31 | 47 | 1k+ | Output is not escaped | ||
| #3366 | Advanced Admin Search | 40 | 79 | 48 | 600 | Non Singular String Literal Text | ||
| #3367 | Advanced Custom Fields: Font Awesome Field | 40 | 332 | 70 | 90k+ | Text Domain Mismatch | ||
| #3368 | Advanced WooCommerce Product Gallery Slider | 40 | 42 | 48 | 3k+ | Non-prefixed global variable | ||
| #3369 | Advanced WPLink | 40 | 67 | 19 | 1k+ | Text Domain Mismatch | ||
| #3370 | AJAX Thumbnail Rebuild | 40 | 38 | 14 | 30k+ | Unsafe printing function | ||
| #3371 | Allow Multiple Accounts | 40 | 115 | 19 | 9k+ | Non Singular String Literal Domain | ||
| #3372 | amCharts: Charts and Maps | 40 | 263 | 113 | 2k+ | Text Domain Mismatch | ||
| #3373 | Analytics Cat – Google Analytics Made Easy | 40 | 83 | 27 | 6k+ | Text Domain Mismatch | ||
| #3374 | Animated Live Wall Gallery | 40 | 27 | 72 | 2k+ | Request data is not unslashed | ||
| #3375 | Athemes Toolbox | 40 | 254 | 58 | 3k+ | Text Domain Mismatch | ||
| #3376 | Attachment Importer | 40 | 24 | 76 | 3k+ | Input is not sanitized | ||
| #3377 | Auto Upload Images | 40 | 62 | 13 | 20k+ | Unsafe printing function | ||
| #3378 | Autocomplete LearnDash Lessons and Topics | 40 | 46 | 16 | 1k+ | Missing Arg Domain | ||
| #3379 | AutoConvert Greeklish Permalinks | 40 | 116 | 13 | 30k+ | Text Domain Mismatch | ||
| #3380 | Mastodon Autopost | 40 | 41 | 50 | 700 | Output is not escaped | ||
| #3381 | Bangladeshi Payment Gateways – Make Payment Using QR Code | 40 | 40 | 36 | 5k+ | Output is not escaped | ||
| #3382 | Basic Interactive World Map | 40 | 94 | 54 | 1k+ | Text Domain Mismatch | ||
| #3383 | Better Internal Link Search | 40 | 23 | 48 | 1k+ | strip tags strip tags | ||
| #3384 | Billingo Official for WooCommerce | 40 | 25 | 37 | 3k+ | Output is not escaped | ||
| #3385 | Bulk Add Terms | 40 | 74 | 27 | 800 | Text Domain Mismatch | ||
| #3386 | Bulk Featured Image | 40 | 69 | 117 | 800 | Output is not escaped | ||
| #3387 | Bulk Move | 40 | 85 | 44 | 9k+ | Unsafe printing function | ||
| #3388 | Coming soon Page | 40 | 24 | 18 | 500 | Text Domain Mismatch | ||
| #3389 | Custom Cart Link for WooCommerce | 40 | 24 | 16 | 700 | Unsafe printing function | ||
| #3390 | Catalog for Woocommerce | 40 | 92 | 75 | 1k+ | Output is not escaped | ||
| #3391 | Categories Metabox Enhanced | 40 | 77 | 36 | 1k+ | Output is not escaped | ||
| #3392 | CC BMI Calculator | 40 | 135 | 7 | 800 | Output is not escaped | ||
| #3393 | CleverReach Integration for Contact Form 7 | 40 | 103 | 43 | 700 | Text Domain Mismatch | ||
| #3394 | Contact Form 7 to Mailjet | 40 | 70 | 39 | 600 | Output is not escaped | ||
| #3395 | Classified Ads | 40 | 136 | 38 | 1k+ | Text Domain Mismatch | ||
| #3396 | Cleaner Gallery | 40 | 40 | 8 | 2k+ | Unsafe printing function | ||
| #3397 | Client Portal – Private user pages and login | 40 | 52 | 29 | 3k+ | Output is not escaped | ||
| #3398 | Top-Bar CodeBulls | 40 | 91 | 13 | 700 | Text Domain Mismatch | ||
| #3399 | codoc | 40 | 19 | 39 | 2k+ | Request data is not unslashed | ||
| #3400 | Complete Image Sitemap | 40 | 55 | 18 | 1k+ | Output is not escaped |