missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3501 | Quick Child Theme Generator | 40 | 22 | 74 | 900 | Request data is not unslashed | ||
| #3502 | Quiz Cat – WordPress Quiz Plugin | 40 | 151 | 69 | 4k+ | Output is not escaped | ||
| #3503 | Random Banner | 40 | 59 | 125 | 1k+ | Output is not escaped | ||
| #3504 | Redirector | 40 | 48 | 32 | 7k+ | Output is not escaped | ||
| #3505 | Manual Related Posts | 40 | 51 | 32 | 1k+ | Output is not escaped | ||
| #3506 | Rename default post Labels | 40 | 54 | 36 | 600 | Text Domain Mismatch | ||
| #3507 | Responsive Plus – Elementor Templates & Starter Sites | 40 | 46 | 305 | 10k+ | Non-prefixed global variable | ||
| #3508 | Responsive Full Width Background Slider | 40 | 131 | 22 | 2k+ | Unsafe printing function | ||
| #3509 | Responsive Gallery Grid | 40 | 90 | 14 | 4k+ | Output is not escaped | ||
| #3510 | Responsive Sidebar | 40 | 43 | 12 | 700 | Output is not escaped | ||
| #3511 | Responsive Slider | 40 | 28 | 15 | 3k+ | Output is not escaped | ||
| #3512 | LazyLoad Plugin – Lazy Load Images, Videos, and Iframes | 40 | 31 | 17 | 100k+ | Output is not escaped | ||
| #3513 | RPB Chessboard | 40 | 86 | 98 | 1k+ | Missing direct file access protection | ||
| #3514 | Sales Tax Reports For WooCommerce | 40 | 50 | 65 | 900 | Output is not escaped | ||
| #3515 | Schedule Posts Calendar | 40 | 74 | 36 | 1k+ | Output is not escaped | ||
| #3516 | Search with Typesense | 40 | 81 | 122 | 700 | Non-prefixed global variable | ||
| #3517 | Secondary Title | 40 | 117 | 31 | 7k+ | Unsafe printing function | ||
| #3518 | Select All Categories and Taxonomies, Change Checkbox to Radio Buttons | 40 | 116 | 30 | 3k+ | Output is not escaped | ||
| #3519 | Select Post Export | 40 | 51 | 18 | 500 | Output is not escaped | ||
| #3520 | Sendy Widget | 40 | 46 | 17 | 700 | Output is not escaped | ||
| #3521 | Serviceform Pixel | 40 | 18 | 22 | 400 | Output is not escaped | ||
| #3522 | Multipage | 40 | 72 | 28 | 900 | Unsafe printing function | ||
| #3523 | Simple Statistics for Feeds | 40 | 64 | 131 | 800 | Nonce verification recommended | ||
| #3524 | AdFlow – Easy Google AdSense Integration | 40 | 150 | 9 | 3k+ | Unsafe printing function | ||
| #3525 | Simple Link List Widget | 40 | 129 | 8 | 2k+ | Output is not escaped | ||
| #3526 | Simple Page Sidebars | 40 | 55 | 65 | 10k+ | Output is not escaped | ||
| #3527 | Simple Restrict | 40 | 35 | 13 | 1k+ | Output is not escaped | ||
| #3528 | Sinatra Core | 40 | 101 | 15 | 8k+ | Output is not escaped | ||
| #3529 | SportsPress for Cricket | 40 | 122 | 34 | 500 | Text Domain Mismatch | ||
| #3530 | ST Demo Importer | 40 | 27 | 75 | 800 | Missing nonce verification | ||
| #3531 | Developer Tools Blocker | 40 | 35 | 47 | 400 | strip tags strip tags | ||
| #3532 | Tealium | 40 | 73 | 19 | 600 | Unsafe printing function | ||
| #3533 | Theme Toolkit | 40 | 53 | 14 | 500 | Output is not escaped | ||
| #3534 | Theme and plugin translation for Polylang (TTfP) | 40 | 102 | 62 | 10k+ | Text Domain Mismatch | ||
| #3535 | Thin Out Revisions | 40 | 93 | 35 | 800 | Non Singular String Literal Domain | ||
| #3536 | Timed Content | 40 | 76 | 63 | 5k+ | Unsafe printing function | ||
| #3537 | Track Geolocation Of Users Using Contact Form 7 | 40 | 17 | 173 | 900 | Nonce verification recommended | ||
| #3538 | Tumblr Widget | 40 | 106 | 1 | 400 | Output is not escaped | ||
| #3539 | turboSMTP | 40 | 114 | 112 | 400 | Unsafe printing function | ||
| #3540 | TW Recent Posts Widget | 40 | 97 | 14 | 1k+ | Output is not escaped | ||
| #3541 | Ultimate Custom Cursor | 40 | 138 | 3 | 800 | Output is not escaped | ||
| #3542 | Ultimate Dashboard – Custom WordPress Dashboard | 40 | 17 | 144 | 60k+ | Input is not sanitized | ||
| #3543 | Ultimate Noindex Nofollow Tool II | 40 | 38 | 51 | 3k+ | Input is not validated | ||
| #3544 | Universal Honey Pot | 40 | 23 | 94 | 1k+ | Missing nonce verification | ||
| #3545 | Unlimited Logo Carousel | 40 | 286 | 15 | 500 | Text Domain Mismatch | ||
| #3546 | Url Rewrite Analyzer | 40 | 73 | 23 | 400 | Unsafe printing function | ||
| #3547 | UsersWP – ReCaptcha | 40 | 80 | 17 | 3k+ | Text Domain Mismatch | ||
| #3548 | Visibility Control for LearnDash | 40 | 55 | 23 | 1k+ | Missing Arg Domain | ||
| #3549 | Visibility Control for LearnPress | 40 | 52 | 19 | 700 | Missing Arg Domain | ||
| #3550 | Visual Builder for Contact Form 7 | 40 | 20 | 43 | 500 | Output is not escaped |