missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3651Featured Image Generator4131161k+Output is not escaped
#3652FluentAffiliate – Affiliate Program Management Suite, Affiliates Manager41115141k+Exception output is not escaped
#3653Genesis Footer Builder4112431k+Output is not escaped
#3654Google Authenticator41396520k+Output is not escaped
#3655(Simply) Guest Author Name4135362k+Output is not escaped
#3656Hash Form – Drag & Drop Form Builder4192753k+Non-prefixed global variable
#3657Hide My Dates415011400Unsafe printing function
#3658Hide WP Admin Login412339500Nonce verification recommended
#3659Highcompress Image Compressor4110669600Text Domain Mismatch
#3660iCount Payment Gateway4115322500Text Domain Mismatch
#3661Import external attachments4118262k+Output is not escaped
#3662Inpost Paczkomaty4135688k+Text Domain Mismatch
#3663Insert JavaScript and CSS416419400Text Domain Mismatch
#3664Jellyfish Counter Widget4117451k+Output is not escaped
#3665jQuery Vertical Scroller411104400Output is not escaped
#3666Ko-fi Button4175155k+Output is not escaped
#3667Central Color Palette41733310k+Output is not escaped
#3668Lazy Load Optimizer4163263k+Unsafe printing function
#3669LH Agree to Terms415932800Output is not escaped
#3670Lockdown WP Admin41205010k+Request data is not unslashed
#3671MaxSlider4121457k+Output is not escaped
#3672Media Grid4142442k+Missing Arg Domain
#3673Meks Flexible Shortcodes41133110k+Unsafe printing function
#3674Mihdan: Yandex Turbo Feed4165391k+Output is not escaped
#3675Most Popular Categories41672600Output is not escaped
#3676MouseWheel Smooth Scroll411047100k+Text Domain Mismatch
#3677MS Custom Login411176900Unsafe printing function
#3678Multiple Domain41421710k+Output is not escaped
#3679My Wp Brand – Hide menu & Hide Plugin4174502k+Non Singular String Literal Domain
#3680Native Emoji4154375k+Unsafe printing function
#3681Nepali Date Utilities4151151k+date date
#3682Social Login4181105k+Input is not sanitized
#3683OSS Aliyun4119404k+Request data is not unslashed
#3684Page Specific Menu Items4178192k+Output is not escaped
#3685Pages In Widgets4113163k+Output is not escaped
#3686Passwordless Login4140241k+Output is not escaped
#3687المنتور فارسی41195440k+Nonce verification recommended
#3688Personalize Login414784500Nonce verification recommended
#3689Post Cloner4125151k+Text Domain Mismatch
#3690Posts 2 Posts41427310k+Non Singular String Literal Domain
#3691Posts Viewed Recently415816700Output is not escaped
#3692Powie's WHOIS Domain Check413811500Unsafe printing function
#3693Preload LCP Image41110314k+Unsafe printing function
#3694Pricing Table For WPBakery Page Builder411307600Output is not escaped
#3695Recurring PayPal Donations414847800Text Domain Mismatch
#3696wpSUBpages Redirect412427600Output is not escaped
#3697Responsive Lightbox41681010k+Output is not escaped
#3698Revision Control41602840k+Output is not escaped
#3699Revisionize4154244k+Output is not escaped
#3700Send link to friend418147400Output is not escaped