missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3601 | Authenticator | 41 | 59 | 44 | 1k+ | Output is not escaped | ||
| #3602 | Avatar Manager | 41 | 29 | 41 | 5k+ | Unsafe printing function | ||
| #3603 | Backend Designer | 41 | 50 | 11 | 1k+ | Output is not escaped | ||
| #3604 | Beam me up Scotty – Back to Top Button | 41 | 71 | 38 | 1k+ | Output is not escaped | ||
| #3605 | Beautiful Cookie Consent Banner | 41 | 33 | 76 | 40k+ | Non-prefixed global variable | ||
| #3606 | Book Now | 41 | 75 | 14 | 1k+ | Output is not escaped | ||
| #3607 | Bop Search Box Item Type For Nav Menus | 41 | 52 | 14 | 1k+ | Output is not escaped | ||
| #3608 | Bulk Delete Comments | 41 | 15 | 61 | 5k+ | Direct Query | ||
| #3609 | Bulk Auto Image Title Attribute (Image Title tag) optimizer (Image SEO) | 41 | 16 | 37 | 1k+ | Missing nonce verification | ||
| #3610 | Bulk Images to Posts | 41 | 55 | 5 | 1k+ | Unsafe printing function | ||
| #3611 | Buzzsprout Podcasting | 41 | 75 | 13 | 5k+ | Non Singular String Literal Domain | ||
| #3612 | Cache control by Cacholong | 41 | 87 | 30 | 500 | Non Singular String Literal Domain | ||
| #3613 | Carbon Copy | 41 | 64 | 89 | 3k+ | Text Domain Mismatch | ||
| #3614 | Easy Social Like Box – Popup – Sidebar Widget | 41 | 217 | 91 | 7k+ | Text Domain Mismatch | ||
| #3615 | Categorized Tag Cloud | 41 | 44 | 17 | 1k+ | Output is not escaped | ||
| #3616 | Category Wise Search | 41 | 58 | 9 | 500 | Output is not escaped | ||
| #3617 | Čeština: zalomení řádků | 41 | 86 | 8 | 6k+ | Text Domain Mismatch | ||
| #3618 | Conditional Fields for Contact Form 7 | 41 | 106 | 53 | 100k+ | Output is not escaped | ||
| #3619 | Submission DOM tracking for Contact Form 7 | 41 | 144 | 8 | 400 | Text Domain Mismatch | ||
| #3620 | Checklist | 41 | 62 | 25 | 400 | Text Domain Mismatch | ||
| #3621 | clickskeks.at Cookiebanner | 41 | 21 | 18 | 500 | Unsafe printing function | ||
| #3622 | Collapsed Archives | 41 | 54 | 4 | 1k+ | Output is not escaped | ||
| #3623 | Colorful Categories | 41 | 20 | 20 | 2k+ | Output is not escaped | ||
| #3624 | Comments Like Dislike | 41 | 172 | 20 | 5k+ | Non Singular String Literal Domain | ||
| #3625 | Contact Form 7 Widget | 41 | 70 | 4 | 2k+ | Output is not escaped | ||
| #3626 | Controlled Admin Access | 41 | 22 | 40 | 10k+ | Nonce verification recommended | ||
| #3627 | CurrencyConverter | 41 | 629 | 6 | 700 | Non Singular String Literal Domain | ||
| #3628 | Custom Meta | 41 | 23 | 29 | 700 | Output is not escaped | ||
| #3629 | Custom Post Type Cleanup | 41 | 70 | 12 | 1k+ | Output is not escaped | ||
| #3630 | Custom Recent Posts Widget | 41 | 63 | 4 | 1k+ | Output is not escaped | ||
| #3631 | Dashboard Notepad | 41 | 29 | 34 | 10k+ | Missing nonce verification | ||
| #3632 | Debug Bar | 41 | 64 | 25 | 20k+ | Output is not escaped | ||
| #3633 | Developer Loggers for Simple History | 41 | 46 | 28 | 400 | Text Domain Mismatch | ||
| #3634 | Dinamize | 41 | 41 | 65 | 500 | Output is not escaped | ||
| #3635 | DigitalOcean Spaces Sync | 41 | 80 | 8 | 500 | Text Domain Mismatch | ||
| #3636 | Dropdown multisite selector | 41 | 82 | 13 | 900 | Unsafe printing function | ||
| #3637 | GDPR tools: Cookie notice + privacy | 41 | 67 | 8 | 6k+ | Unsafe printing function | ||
| #3638 | DSGVO Youtube | 41 | 48 | 29 | 1k+ | Unsafe printing function | ||
| #3639 | Duplicate Post Page Menu & Custom Post Type | 41 | 35 | 11 | 10k+ | Text Domain Mismatch | ||
| #3640 | Easy Random Quotes | 41 | 42 | 14 | 500 | Output is not escaped | ||
| #3641 | Edit Lock | 41 | 47 | 22 | 500 | Non Singular String Literal Domain | ||
| #3642 | Email Address Encoder | 41 | 109 | 8 | 100k+ | wp function not compatible with requires wp | ||
| #3643 | Embed Chessboard | 41 | 103 | 9 | 600 | Text Domain Mismatch | ||
| #3644 | Essential Form – The lightest plugin for contact forms, ultra lightweight and no spam | 41 | 21 | 53 | 500 | Missing nonce verification | ||
| #3645 | Payment Gateway of PayPal for WooCommerce | 41 | 44 | 184 | 7k+ | Nonce verification recommended | ||
| #3646 | Extra User Details | 41 | 84 | 15 | 1k+ | Non Singular String Literal Domain | ||
| #3647 | Heroic Favicon Generator | 41 | 104 | 7 | 6k+ | Output is not escaped | ||
| #3648 | Feature A Page Widget | 41 | 66 | 5 | 3k+ | Output is not escaped | ||
| #3649 | Featured Audio | 41 | 54 | 9 | 400 | Output is not escaped | ||
| #3650 | Featured Image Generator | 41 | 31 | 16 | 1k+ | Output is not escaped |