missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3401Complete Image Sitemap4055181k+Output is not escaped
#3402Conditional WooCommerce Checkout Field408422400Unsafe printing function
#3403Contact Form 7 GetResponse Extension4090181k+Text Domain Mismatch
#3404Contact Form 7 Multi-Step Forms40654150k+Output is not escaped
#3405Database Addon for Contact Form 7 – CFDB7403556600k+Nonce verification recommended
#3406Free Cookie Notice & Consent Banner for Privacy Compliance (GDPR, CCPA, DSGVO and others)4039156k+Missing direct file access protection
#3407Copyscape Premium40148133800SQL query is not prepared
#3408Corona Virus Data40279271k+Unsafe printing function
#3409Crisp – Live Chat and Chatbot40242020k+Unsafe printing function
#3410Cron Logger4049361k+Output is not escaped
#3411Cryptocurrency Widgets Pack4022252700Unsafe printing function
#3412Crypto Price Widgets – CryptoWP4010343600Output is not escaped
#3413Custom Simple Rss40731302k+Nonce verification recommended
#3414Dashboard Welcome for Beaver Builder4038242k+Output is not escaped
#3415Delete Me40116177k+Output is not escaped
#3416Donation Thermometer40324882k+Output is not escaped
#3417Duplicate Page4039433m+Unsafe printing function
#3418Easy Document Embedder – Embed Word, excel, Powerpoint, Pdf file and more..405527500Output is not escaped
#3419Easy Image Collage4096184k+Unsafe printing function
#3420Easy Textillate4063121k+Unsafe printing function
#3421Contact Form 7 styler for Elementor Page Builder4012610900Unsafe printing function
#3422Enhanced Custom Permalinks4051821k+Nonce verification recommended
#3423Eventer4061551k+Output is not escaped
#3424Expiring Posts405220900Missing Arg Domain
#3425Export Post Info406631k+Unsafe printing function
#3426Fan Page Widget by ThemeNcode4010831k+Output is not escaped
#3427FameTheme Demo Importer4087430k+Nonce verification recommended
#3428FAQ Schema – Accordion, Tab, Slider & Gutenberg Block40253462k+Output is not escaped
#3429Far Future Expiry Header4025367k+Request data is not unslashed
#3430Fast User Switching4028282k+Output is not escaped
#3431Featured Post403618800Output is not escaped
#3432Flamingo4015228800k+Nonce verification recommended
#3433Flying Scripts: Delay JavaScript to Improve Site Speed & Performance40234430k+Missing direct file access protection
#3434FlyWP Helper – Page Cache, Page Optimization, Emails for FlyWP Server Control Panel4020814k+Non-prefixed global variable
#3435Full Background Manager4037247k+Output is not escaped
#3436Fusion Page Builder40341003k+Input is not validated
#3437Analytics Germanized for Google Analytics (GDPR / DSGVO)4049147k+Output is not escaped
#3438Osom Author Pro4083221k+Output is not escaped
#3439Get Cash408449500Non Singular String Literal Domain
#3440GetPaid > Item Inventory4011252400Text Domain Mismatch
#3441Gravity Forms Data Persistence Add-On Reloaded401438700Input is not sanitized
#3442Header Footer Custom Html4095221k+Unsafe printing function
#3443heatmap for WordPress – Realtime analytics4094151k+Non Singular String Literal Domain
#3444Hostinger Reach – AI-Powered Email Marketing for WordPress409451m+Direct Query
#3445I Agree! Popups405446600Output is not escaped
#3446iCalendrier40657700Output is not escaped
#3447If Widget – Visibility control for Widgets4099251k+Unsafe printing function
#3448IFrame Widget40871500Output is not escaped
#3449Image Editor by Pixo4012666800Output is not escaped
#3450Interactive US Map4013654400Text Domain Mismatch