missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3451 | Internal Linking of Related Contents | 40 | 714 | 47 | 1k+ | Output is not escaped | ||
| #3452 | Invite Anyone | 40 | 32 | 130 | 1k+ | Non-prefixed hook name | ||
| #3453 | Quotes Addon for GetPaid | 40 | 191 | 21 | 700 | Text Domain Mismatch | ||
| #3454 | JSM Show Order Metadata for WooCommerce HPOS | 40 | 17 | 64 | 700 | Nonce verification recommended | ||
| #3455 | JSM Show Post Metadata | 40 | 15 | 66 | 10k+ | Nonce verification recommended | ||
| #3456 | JSM Show Term Metadata | 40 | 14 | 64 | 800 | Nonce verification recommended | ||
| #3457 | JSM Show User Metadata | 40 | 14 | 64 | 3k+ | Nonce verification recommended | ||
| #3458 | La Sentinelle antispam | 40 | 88 | 46 | 3k+ | Output is not escaped | ||
| #3459 | Flag Icons | 40 | 300 | 19 | 3k+ | Output is not escaped | ||
| #3460 | Social Like Box and Page by WpDevArt | 40 | 62 | 24 | 5k+ | Output is not escaped | ||
| #3461 | Limit Login Attempts | 40 | 81 | 38 | 300k+ | Output is not escaped | ||
| #3462 | Links shortcode | 40 | 73 | 13 | 900 | Unsafe printing function | ||
| #3463 | WP All Import – Listings Import for Listify | 40 | 34 | 27 | 400 | Output is not escaped | ||
| #3464 | LJ Multi Column Archive | 40 | 17 | 25 | 1k+ | Output is not escaped | ||
| #3465 | Loan Comparison | 40 | 27 | 192 | 400 | Request data is not unslashed | ||
| #3466 | Logbook | 40 | 33 | 59 | 1k+ | Nonce verification recommended | ||
| #3467 | WPO365 | Mail Integration for Office 365 / Outlook | 40 | 59 | 27 | 2k+ | Output is not escaped | ||
| #3468 | MailerSend – Official SMTP Integration | 40 | 39 | 25 | 2k+ | Unsafe printing function | ||
| #3469 | Manual Image Crop | 40 | 178 | 61 | 8k+ | Output is not escaped | ||
| #3470 | Mark New Posts | 40 | 61 | 39 | 500 | Non Singular String Literal Domain | ||
| #3471 | MAS Company Reviews For WP Job Manager | 40 | 44 | 71 | 1k+ | Output is not escaped | ||
| #3472 | Mass Email To Users | 40 | 84 | 81 | 800 | Output is not escaped | ||
| #3473 | MembershipWorks – Membership, Events & Directory | 40 | 41 | 29 | 2k+ | Output is not escaped | ||
| #3474 | WP Mobile Redirect | 40 | 44 | 20 | 400 | Text Domain Mismatch | ||
| #3475 | Monkeyman Rewrite Analyzer | 40 | 89 | 10 | 2k+ | Non Singular String Literal Domain | ||
| #3476 | 코드엠샵 소셜톡 | 40 | 47 | 36 | 400 | Output is not escaped | ||
| #3477 | Multiple Featured Images | 40 | 50 | 22 | 5k+ | Output is not escaped | ||
| #3478 | Flying Images: Optimize and Lazy Load Images for Faster Page Speed | 40 | 32 | 58 | 3k+ | Missing direct file access protection | ||
| #3479 | NextGEN Gallery Sidebar Widget | 40 | 59 | 10 | 500 | Output is not escaped | ||
| #3480 | No-Bot Registration | 40 | 112 | 42 | 2k+ | Unsafe printing function | ||
| #3481 | No CAPTCHA reCAPTCHA | 40 | 112 | 26 | 4k+ | Text Domain Mismatch | ||
| #3482 | One Click SSL | 40 | 136 | 62 | 10k+ | Unsafe printing function | ||
| #3483 | OPML Importer | 40 | 35 | 13 | 3k+ | Output is not escaped | ||
| #3484 | Owl Carousel WP | 40 | 62 | 19 | 1k+ | Output is not escaped | ||
| #3485 | Page As Subdomain Lite | 40 | 61 | 25 | 500 | Output is not escaped | ||
| #3486 | Page Comments Off Please | 40 | 17 | 29 | 1k+ | Nonce verification recommended | ||
| #3487 | Donations via PayPal | 40 | 143 | 17 | 20k+ | Output is not escaped | ||
| #3488 | PE Recent Posts | 40 | 292 | 11 | 2k+ | Output is not escaped | ||
| #3489 | Permalink Editor | 40 | 50 | 28 | 1k+ | Output is not escaped | ||
| #3490 | Permalink Manager for WooCommerce | 40 | 115 | 20 | 8k+ | Short PHP open tag found | ||
| #3491 | List Petfinder Pets | 40 | 121 | 46 | 400 | Output is not escaped | ||
| #3492 | Pixel Tag Manager for WooCommerce – Google Analytics 4, Google Ads, and More Pixels | 40 | 69 | 228 | 3k+ | Missing nonce verification | ||
| #3493 | Popup addon for Ninja Forms | 40 | 121 | 25 | 1k+ | Output is not escaped | ||
| #3494 | Post Tiles | 40 | 46 | 5 | 400 | Output is not escaped | ||
| #3495 | Requirements Checklist | 40 | 200 | 22 | 900 | Output is not escaped | ||
| #3496 | Private Google Calendars | 40 | 227 | 37 | 1k+ | Output is not escaped | ||
| #3497 | Privilege Widget | 40 | 139 | 52 | 600 | Text Domain Mismatch | ||
| #3498 | Product Video Gallery for Woocommerce | 40 | 61 | 36 | 10k+ | Setting is missing a sanitization callback | ||
| #3499 | PT Theme Addon | 40 | 67 | 21 | 1k+ | Output is not escaped | ||
| #3500 | Quick Child Theme Generator | 40 | 22 | 74 | 900 | Request data is not unslashed |