missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3701Share a Draft413963k+Output is not escaped
#3702Simple Cache4133591k+Input is not sanitized
#3703Simple CPT41280604k+Unsafe printing function
#3704Simple Like Page – Fast & Privacy-Friendly Page Embeds411453110k+Output is not escaped
#3705Simple Google Photos Grid414821k+Output is not escaped
#3706IP Ban4129392k+Input is not validated
#3707Simple Lightbox412148100k+Nonce verification recommended
#3708Simple Restrict4134121k+Output is not escaped
#3709Simple Revision Control4134431k+Dynamic hook name
#3710Slate Admin Theme41121196k+Output is not escaped
#3711Smart User Slug Hider4185123k+Output is not escaped
#3712Smooth Scroll Up4161106k+Output is not escaped
#3713Smoove connector for Elementor forms412260600Nonce verification recommended
#3714SnapScan Payment Gateway413330700Output is not escaped
#3715Masonry Widget415811500Output is not escaped
#3716TechGasp Sound Master411364500Output is not escaped
#3717TechGasp Music Master411434500Output is not escaped
#3718Styler for Gravity Forms4136922k+Text Domain Mismatch
#3719Taxonomy Converter415424500Output is not escaped
#3720Taxonomy Filter4114340800Output is not escaped
#3721Terms of Service & Privacy Policy Generator41991600Output is not escaped
#3722Text Hover4144131k+Output is not escaped
#3723Text Replace4155123k+Output is not escaped
#3724Theme Blvd Importer412558500Missing nonce verification
#3725Theme Duplicator411431400Nonce verification recommended
#3726Threat Scan Plugin412917400Output is not escaped
#3727Advanced Editor Tools41143841m+Unsafe printing function
#3728TW Pagination4190231k+Non Singular String Literal Domain
#3729Usersnap413717500Output is not escaped
#3730Visibility Logic for Elementor41274330k+Output is not escaped
#3731fancyBox 3 for WordPress4172111k+Output is not escaped
#3732WC Multiple Email Recipients418534k+Text Domain Mismatch
#3733Checkout Field Editor (Checkout Manager) for WooCommerce41988400k+Nonce verification recommended
#3734Country Based Restrictions for WooCommerce4127675k+Request data is not unslashed
#3735Quick View For WooCommerce4144441k+Output is not escaped
#3736Pay for Payment for WooCommerce41296710k+Missing nonce verification
#3737WP Crontrol412091300k+Nonce verification recommended
#3738WP Dashboard Notes41242920k+Unsafe printing function
#3739WP Lorem ipsum413729500Unsafe printing function
#3740Pledged Plugins PCI Gateway for NMI and WooCommerce41160422k+Text Domain Mismatch
#3741WP Permalink Translator4134212k+Unsafe printing function
#3742WP Router412913800Exception output is not escaped
#3743WP Test Email41322820k+Unsafe printing function
#3744WPS Hide Login4134722m+Nonce verification recommended
#3745Export WooCommerce Orders, Products, Customers & Coupons to Google Sheets414535700Output is not escaped
#3746Z-Credit Checkout – WooCommerce Payment Gateway4115122900Text Domain Mismatch
#3747Zilla Portfolio4113915400Text Domain Mismatch
#3748Pricing Table – Responsive & Easy421171483k+Non-prefixed global variable
#3749ActiveTrail – Contact Form 7421885600Missing nonce verification
#3750Admin Options Pages423284500Nonce verification recommended