missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3651 | Featured Image Generator | 41 | 31 | 16 | 1k+ | Output is not escaped | ||
| #3652 | FluentAffiliate – Affiliate Program Management Suite, Affiliates Manager | 41 | 115 | 14 | 1k+ | Exception output is not escaped | ||
| #3653 | Genesis Footer Builder | 41 | 124 | 3 | 1k+ | Output is not escaped | ||
| #3654 | Google Authenticator | 41 | 39 | 65 | 20k+ | Output is not escaped | ||
| #3655 | (Simply) Guest Author Name | 41 | 35 | 36 | 2k+ | Output is not escaped | ||
| #3656 | Hash Form – Drag & Drop Form Builder | 41 | 9 | 275 | 3k+ | Non-prefixed global variable | ||
| #3657 | Hide My Dates | 41 | 50 | 11 | 400 | Unsafe printing function | ||
| #3658 | Hide WP Admin Login | 41 | 23 | 39 | 500 | Nonce verification recommended | ||
| #3659 | Highcompress Image Compressor | 41 | 106 | 69 | 600 | Text Domain Mismatch | ||
| #3660 | iCount Payment Gateway | 41 | 153 | 22 | 500 | Text Domain Mismatch | ||
| #3661 | Import external attachments | 41 | 18 | 26 | 2k+ | Output is not escaped | ||
| #3662 | Inpost Paczkomaty | 41 | 35 | 68 | 8k+ | Text Domain Mismatch | ||
| #3663 | Insert JavaScript and CSS | 41 | 64 | 19 | 400 | Text Domain Mismatch | ||
| #3664 | Jellyfish Counter Widget | 41 | 174 | 5 | 1k+ | Output is not escaped | ||
| #3665 | jQuery Vertical Scroller | 41 | 110 | 4 | 400 | Output is not escaped | ||
| #3666 | Ko-fi Button | 41 | 75 | 15 | 5k+ | Output is not escaped | ||
| #3667 | Central Color Palette | 41 | 73 | 33 | 10k+ | Output is not escaped | ||
| #3668 | Lazy Load Optimizer | 41 | 63 | 26 | 3k+ | Unsafe printing function | ||
| #3669 | LH Agree to Terms | 41 | 59 | 32 | 800 | Output is not escaped | ||
| #3670 | Lockdown WP Admin | 41 | 20 | 50 | 10k+ | Request data is not unslashed | ||
| #3671 | MaxSlider | 41 | 21 | 45 | 7k+ | Output is not escaped | ||
| #3672 | Media Grid | 41 | 42 | 44 | 2k+ | Missing Arg Domain | ||
| #3673 | Meks Flexible Shortcodes | 41 | 133 | 1 | 10k+ | Unsafe printing function | ||
| #3674 | Mihdan: Yandex Turbo Feed | 41 | 65 | 39 | 1k+ | Output is not escaped | ||
| #3675 | Most Popular Categories | 41 | 67 | 2 | 600 | Output is not escaped | ||
| #3676 | MouseWheel Smooth Scroll | 41 | 104 | 7 | 100k+ | Text Domain Mismatch | ||
| #3677 | MS Custom Login | 41 | 117 | 6 | 900 | Unsafe printing function | ||
| #3678 | Multiple Domain | 41 | 42 | 17 | 10k+ | Output is not escaped | ||
| #3679 | My Wp Brand – Hide menu & Hide Plugin | 41 | 74 | 50 | 2k+ | Non Singular String Literal Domain | ||
| #3680 | Native Emoji | 41 | 54 | 37 | 5k+ | Unsafe printing function | ||
| #3681 | Nepali Date Utilities | 41 | 51 | 15 | 1k+ | date date | ||
| #3682 | Social Login | 41 | 8 | 110 | 5k+ | Input is not sanitized | ||
| #3683 | OSS Aliyun | 41 | 19 | 40 | 4k+ | Request data is not unslashed | ||
| #3684 | Page Specific Menu Items | 41 | 78 | 19 | 2k+ | Output is not escaped | ||
| #3685 | Pages In Widgets | 41 | 131 | 6 | 3k+ | Output is not escaped | ||
| #3686 | Passwordless Login | 41 | 40 | 24 | 1k+ | Output is not escaped | ||
| #3687 | المنتور فارسی | 41 | 19 | 54 | 40k+ | Nonce verification recommended | ||
| #3688 | Personalize Login | 41 | 47 | 84 | 500 | Nonce verification recommended | ||
| #3689 | Post Cloner | 41 | 25 | 15 | 1k+ | Text Domain Mismatch | ||
| #3690 | Posts 2 Posts | 41 | 42 | 73 | 10k+ | Non Singular String Literal Domain | ||
| #3691 | Posts Viewed Recently | 41 | 58 | 16 | 700 | Output is not escaped | ||
| #3692 | Powie's WHOIS Domain Check | 41 | 38 | 11 | 500 | Unsafe printing function | ||
| #3693 | Preload LCP Image | 41 | 110 | 31 | 4k+ | Unsafe printing function | ||
| #3694 | Pricing Table For WPBakery Page Builder | 41 | 130 | 7 | 600 | Output is not escaped | ||
| #3695 | Recurring PayPal Donations | 41 | 48 | 47 | 800 | Text Domain Mismatch | ||
| #3696 | wpSUBpages Redirect | 41 | 24 | 27 | 600 | Output is not escaped | ||
| #3697 | Responsive Lightbox | 41 | 68 | 10 | 10k+ | Output is not escaped | ||
| #3698 | Revision Control | 41 | 60 | 28 | 40k+ | Output is not escaped | ||
| #3699 | Revisionize | 41 | 54 | 24 | 4k+ | Output is not escaped | ||
| #3700 | Send link to friend | 41 | 81 | 47 | 400 | Output is not escaped |