missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3401 | Complete Image Sitemap | 40 | 55 | 18 | 1k+ | Output is not escaped | ||
| #3402 | Conditional WooCommerce Checkout Field | 40 | 84 | 22 | 400 | Unsafe printing function | ||
| #3403 | Contact Form 7 GetResponse Extension | 40 | 90 | 18 | 1k+ | Text Domain Mismatch | ||
| #3404 | Contact Form 7 Multi-Step Forms | 40 | 65 | 41 | 50k+ | Output is not escaped | ||
| #3405 | Database Addon for Contact Form 7 – CFDB7 | 40 | 35 | 56 | 600k+ | Nonce verification recommended | ||
| #3406 | Free Cookie Notice & Consent Banner for Privacy Compliance (GDPR, CCPA, DSGVO and others) | 40 | 39 | 15 | 6k+ | Missing direct file access protection | ||
| #3407 | Copyscape Premium | 40 | 148 | 133 | 800 | SQL query is not prepared | ||
| #3408 | Corona Virus Data | 40 | 279 | 27 | 1k+ | Unsafe printing function | ||
| #3409 | Crisp – Live Chat and Chatbot | 40 | 24 | 20 | 20k+ | Unsafe printing function | ||
| #3410 | Cron Logger | 40 | 49 | 36 | 1k+ | Output is not escaped | ||
| #3411 | Cryptocurrency Widgets Pack | 40 | 222 | 52 | 700 | Unsafe printing function | ||
| #3412 | Crypto Price Widgets – CryptoWP | 40 | 103 | 43 | 600 | Output is not escaped | ||
| #3413 | Custom Simple Rss | 40 | 73 | 130 | 2k+ | Nonce verification recommended | ||
| #3414 | Dashboard Welcome for Beaver Builder | 40 | 38 | 24 | 2k+ | Output is not escaped | ||
| #3415 | Delete Me | 40 | 116 | 17 | 7k+ | Output is not escaped | ||
| #3416 | Donation Thermometer | 40 | 324 | 88 | 2k+ | Output is not escaped | ||
| #3417 | Duplicate Page | 40 | 39 | 43 | 3m+ | Unsafe printing function | ||
| #3418 | Easy Document Embedder – Embed Word, excel, Powerpoint, Pdf file and more.. | 40 | 55 | 27 | 500 | Output is not escaped | ||
| #3419 | Easy Image Collage | 40 | 96 | 18 | 4k+ | Unsafe printing function | ||
| #3420 | Easy Textillate | 40 | 63 | 12 | 1k+ | Unsafe printing function | ||
| #3421 | Contact Form 7 styler for Elementor Page Builder | 40 | 126 | 10 | 900 | Unsafe printing function | ||
| #3422 | Enhanced Custom Permalinks | 40 | 51 | 82 | 1k+ | Nonce verification recommended | ||
| #3423 | Eventer | 40 | 61 | 55 | 1k+ | Output is not escaped | ||
| #3424 | Expiring Posts | 40 | 52 | 20 | 900 | Missing Arg Domain | ||
| #3425 | Export Post Info | 40 | 66 | 3 | 1k+ | Unsafe printing function | ||
| #3426 | Fan Page Widget by ThemeNcode | 40 | 108 | 3 | 1k+ | Output is not escaped | ||
| #3427 | FameTheme Demo Importer | 40 | 8 | 74 | 30k+ | Nonce verification recommended | ||
| #3428 | FAQ Schema – Accordion, Tab, Slider & Gutenberg Block | 40 | 253 | 46 | 2k+ | Output is not escaped | ||
| #3429 | Far Future Expiry Header | 40 | 25 | 36 | 7k+ | Request data is not unslashed | ||
| #3430 | Fast User Switching | 40 | 28 | 28 | 2k+ | Output is not escaped | ||
| #3431 | Featured Post | 40 | 36 | 18 | 800 | Output is not escaped | ||
| #3432 | Flamingo | 40 | 15 | 228 | 800k+ | Nonce verification recommended | ||
| #3433 | Flying Scripts: Delay JavaScript to Improve Site Speed & Performance | 40 | 23 | 44 | 30k+ | Missing direct file access protection | ||
| #3434 | FlyWP Helper – Page Cache, Page Optimization, Emails for FlyWP Server Control Panel | 40 | 20 | 81 | 4k+ | Non-prefixed global variable | ||
| #3435 | Full Background Manager | 40 | 37 | 24 | 7k+ | Output is not escaped | ||
| #3436 | Fusion Page Builder | 40 | 34 | 100 | 3k+ | Input is not validated | ||
| #3437 | Analytics Germanized for Google Analytics (GDPR / DSGVO) | 40 | 49 | 14 | 7k+ | Output is not escaped | ||
| #3438 | Osom Author Pro | 40 | 83 | 22 | 1k+ | Output is not escaped | ||
| #3439 | Get Cash | 40 | 84 | 49 | 500 | Non Singular String Literal Domain | ||
| #3440 | GetPaid > Item Inventory | 40 | 112 | 52 | 400 | Text Domain Mismatch | ||
| #3441 | Gravity Forms Data Persistence Add-On Reloaded | 40 | 14 | 38 | 700 | Input is not sanitized | ||
| #3442 | Header Footer Custom Html | 40 | 95 | 22 | 1k+ | Unsafe printing function | ||
| #3443 | heatmap for WordPress – Realtime analytics | 40 | 94 | 15 | 1k+ | Non Singular String Literal Domain | ||
| #3444 | Hostinger Reach – AI-Powered Email Marketing for WordPress | 40 | 9 | 45 | 1m+ | Direct Query | ||
| #3445 | I Agree! Popups | 40 | 54 | 46 | 600 | Output is not escaped | ||
| #3446 | iCalendrier | 40 | 65 | 7 | 700 | Output is not escaped | ||
| #3447 | If Widget – Visibility control for Widgets | 40 | 99 | 25 | 1k+ | Unsafe printing function | ||
| #3448 | IFrame Widget | 40 | 87 | 1 | 500 | Output is not escaped | ||
| #3449 | Image Editor by Pixo | 40 | 126 | 66 | 800 | Output is not escaped | ||
| #3450 | Interactive US Map | 40 | 136 | 54 | 400 | Text Domain Mismatch |