missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3501Quick Child Theme Generator402274900Request data is not unslashed
#3502Quiz Cat – WordPress Quiz Plugin40151694k+Output is not escaped
#3503Random Banner40591251k+Output is not escaped
#3504Redirector4048327k+Output is not escaped
#3505Manual Related Posts4051321k+Output is not escaped
#3506Rename default post Labels405436600Text Domain Mismatch
#3507Responsive Plus – Elementor Templates & Starter Sites404630510k+Non-prefixed global variable
#3508Responsive Full Width Background Slider40131222k+Unsafe printing function
#3509Responsive Gallery Grid4090144k+Output is not escaped
#3510Responsive Sidebar404312700Output is not escaped
#3511Responsive Slider4028153k+Output is not escaped
#3512LazyLoad Plugin – Lazy Load Images, Videos, and Iframes403117100k+Output is not escaped
#3513RPB Chessboard4086981k+Missing direct file access protection
#3514Sales Tax Reports For WooCommerce405065900Output is not escaped
#3515Schedule Posts Calendar4074361k+Output is not escaped
#3516Search with Typesense4081122700Non-prefixed global variable
#3517Secondary Title40117317k+Unsafe printing function
#3518Select All Categories and Taxonomies, Change Checkbox to Radio Buttons40116303k+Output is not escaped
#3519Select Post Export405118500Output is not escaped
#3520Sendy Widget404617700Output is not escaped
#3521Serviceform Pixel401822400Output is not escaped
#3522Multipage407228900Unsafe printing function
#3523Simple Statistics for Feeds4064131800Nonce verification recommended
#3524AdFlow – Easy Google AdSense Integration4015093k+Unsafe printing function
#3525Simple Link List Widget4012982k+Output is not escaped
#3526Simple Page Sidebars40556510k+Output is not escaped
#3527Simple Restrict4035131k+Output is not escaped
#3528Sinatra Core40101158k+Output is not escaped
#3529SportsPress for Cricket4012234500Text Domain Mismatch
#3530ST Demo Importer402775800Missing nonce verification
#3531Developer Tools Blocker403547400strip tags strip tags
#3532Tealium407319600Unsafe printing function
#3533Theme Toolkit405314500Output is not escaped
#3534Theme and plugin translation for Polylang (TTfP)401026210k+Text Domain Mismatch
#3535Thin Out Revisions409335800Non Singular String Literal Domain
#3536Timed Content4076635k+Unsafe printing function
#3537Track Geolocation Of Users Using Contact Form 74017173900Nonce verification recommended
#3538Tumblr Widget401061400Output is not escaped
#3539turboSMTP40114112400Unsafe printing function
#3540TW Recent Posts Widget4097141k+Output is not escaped
#3541Ultimate Custom Cursor401383800Output is not escaped
#3542Ultimate Dashboard – Custom WordPress Dashboard401714460k+Input is not sanitized
#3543Ultimate Noindex Nofollow Tool II4038513k+Input is not validated
#3544Universal Honey Pot4023941k+Missing nonce verification
#3545Unlimited Logo Carousel4028615500Text Domain Mismatch
#3546Url Rewrite Analyzer407323400Unsafe printing function
#3547UsersWP – ReCaptcha4080173k+Text Domain Mismatch
#3548Visibility Control for LearnDash4055231k+Missing Arg Domain
#3549Visibility Control for LearnPress405219700Missing Arg Domain
#3550Visual Builder for Contact Form 7402043500Output is not escaped