missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3701 | Share a Draft | 41 | 39 | 6 | 3k+ | Output is not escaped | ||
| #3702 | Simple Cache | 41 | 33 | 59 | 1k+ | Input is not sanitized | ||
| #3703 | Simple CPT | 41 | 280 | 60 | 4k+ | Unsafe printing function | ||
| #3704 | Simple Like Page – Fast & Privacy-Friendly Page Embeds | 41 | 145 | 31 | 10k+ | Output is not escaped | ||
| #3705 | Simple Google Photos Grid | 41 | 48 | 2 | 1k+ | Output is not escaped | ||
| #3706 | IP Ban | 41 | 29 | 39 | 2k+ | Input is not validated | ||
| #3707 | Simple Lightbox | 41 | 21 | 48 | 100k+ | Nonce verification recommended | ||
| #3708 | Simple Restrict | 41 | 34 | 12 | 1k+ | Output is not escaped | ||
| #3709 | Simple Revision Control | 41 | 34 | 43 | 1k+ | Dynamic hook name | ||
| #3710 | Slate Admin Theme | 41 | 121 | 19 | 6k+ | Output is not escaped | ||
| #3711 | Smart User Slug Hider | 41 | 85 | 12 | 3k+ | Output is not escaped | ||
| #3712 | Smooth Scroll Up | 41 | 61 | 10 | 6k+ | Output is not escaped | ||
| #3713 | Smoove connector for Elementor forms | 41 | 22 | 60 | 600 | Nonce verification recommended | ||
| #3714 | SnapScan Payment Gateway | 41 | 33 | 30 | 700 | Output is not escaped | ||
| #3715 | Masonry Widget | 41 | 58 | 11 | 500 | Output is not escaped | ||
| #3716 | TechGasp Sound Master | 41 | 136 | 4 | 500 | Output is not escaped | ||
| #3717 | TechGasp Music Master | 41 | 143 | 4 | 500 | Output is not escaped | ||
| #3718 | Styler for Gravity Forms | 41 | 369 | 2 | 2k+ | Text Domain Mismatch | ||
| #3719 | Taxonomy Converter | 41 | 54 | 24 | 500 | Output is not escaped | ||
| #3720 | Taxonomy Filter | 41 | 143 | 40 | 800 | Output is not escaped | ||
| #3721 | Terms of Service & Privacy Policy Generator | 41 | 99 | 1 | 600 | Output is not escaped | ||
| #3722 | Text Hover | 41 | 44 | 13 | 1k+ | Output is not escaped | ||
| #3723 | Text Replace | 41 | 55 | 12 | 3k+ | Output is not escaped | ||
| #3724 | Theme Blvd Importer | 41 | 25 | 58 | 500 | Missing nonce verification | ||
| #3725 | Theme Duplicator | 41 | 14 | 31 | 400 | Nonce verification recommended | ||
| #3726 | Threat Scan Plugin | 41 | 29 | 17 | 400 | Output is not escaped | ||
| #3727 | Advanced Editor Tools | 41 | 143 | 84 | 1m+ | Unsafe printing function | ||
| #3728 | TW Pagination | 41 | 90 | 23 | 1k+ | Non Singular String Literal Domain | ||
| #3729 | Usersnap | 41 | 37 | 17 | 500 | Output is not escaped | ||
| #3730 | Visibility Logic for Elementor | 41 | 27 | 43 | 30k+ | Output is not escaped | ||
| #3731 | fancyBox 3 for WordPress | 41 | 72 | 11 | 1k+ | Output is not escaped | ||
| #3732 | WC Multiple Email Recipients | 41 | 85 | 3 | 4k+ | Text Domain Mismatch | ||
| #3733 | Checkout Field Editor (Checkout Manager) for WooCommerce | 41 | 9 | 88 | 400k+ | Nonce verification recommended | ||
| #3734 | Country Based Restrictions for WooCommerce | 41 | 27 | 67 | 5k+ | Request data is not unslashed | ||
| #3735 | Quick View For WooCommerce | 41 | 44 | 44 | 1k+ | Output is not escaped | ||
| #3736 | Pay for Payment for WooCommerce | 41 | 29 | 67 | 10k+ | Missing nonce verification | ||
| #3737 | WP Crontrol | 41 | 20 | 91 | 300k+ | Nonce verification recommended | ||
| #3738 | WP Dashboard Notes | 41 | 24 | 29 | 20k+ | Unsafe printing function | ||
| #3739 | WP Lorem ipsum | 41 | 37 | 29 | 500 | Unsafe printing function | ||
| #3740 | Pledged Plugins PCI Gateway for NMI and WooCommerce | 41 | 160 | 42 | 2k+ | Text Domain Mismatch | ||
| #3741 | WP Permalink Translator | 41 | 34 | 21 | 2k+ | Unsafe printing function | ||
| #3742 | WP Router | 41 | 29 | 13 | 800 | Exception output is not escaped | ||
| #3743 | WP Test Email | 41 | 32 | 28 | 20k+ | Unsafe printing function | ||
| #3744 | WPS Hide Login | 41 | 34 | 72 | 2m+ | Nonce verification recommended | ||
| #3745 | Export WooCommerce Orders, Products, Customers & Coupons to Google Sheets | 41 | 45 | 35 | 700 | Output is not escaped | ||
| #3746 | Z-Credit Checkout – WooCommerce Payment Gateway | 41 | 151 | 22 | 900 | Text Domain Mismatch | ||
| #3747 | Zilla Portfolio | 41 | 139 | 15 | 400 | Text Domain Mismatch | ||
| #3748 | Pricing Table – Responsive & Easy | 42 | 117 | 148 | 3k+ | Non-prefixed global variable | ||
| #3749 | ActiveTrail – Contact Form 7 | 42 | 18 | 85 | 600 | Missing nonce verification | ||
| #3750 | Admin Options Pages | 42 | 3 | 284 | 500 | Nonce verification recommended |