missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3751Admin Options Pages423284500Nonce verification recommended
#3752Affiliate Link Tracker422449500Request data is not unslashed
#3753Post Grid Master — Post Grids & AJAX Filters42441151k+Non-prefixed global variable
#3754All-in-one Like Widget4216521k+Text Domain Mismatch
#3755Open Currency Converter4259191k+Unsafe printing function
#3756Automatic NBSP4224163k+Output is not escaped
#3757AweSplash – Just Splash Page423934400Output is not escaped
#3758Basic SEO Pack42868700Output is not escaped
#3759Booking.com Official Search Box4236322k+Output is not escaped
#3760BP Auto Group Join425555700Output is not escaped
#3761Custom Spinner for Contact Form 74236111k+Output is not escaped
#3762Change Background Color for Pages, Posts, Widgets42357500Text Domain Mismatch
#3763Chartbeat4233181k+Output is not escaped
#3764Comment Blacklist Updater4245151k+Output is not escaped
#3765Contact Form 7 add confirm42315150k+Text Domain Mismatch
#3766CookieHub – Cookie Consent Banner (DSGVO, CCPA, RGPD and GDPR compliance)4233493k+Output is not escaped
#3767Cronjob Scheduler4220361k+Input is not sanitized
#3768Custom Admin Page by BestWebSoft – Configurable WordPress Dashboard Pages Plugin42472181400Text Domain Mismatch
#3769Custom Login423611610k+Non-prefixed global variable
#3770Simpliest Social Share423722600Unsafe printing function
#3771Dashboard Notes422734600Missing Arg Domain
#3772Dashboard Sticky Notes4220172k+Missing nonce verification
#3773Disable Comments424419100k+Unsafe printing function
#3774Disable Recaptcha – CF7427352k+Output is not escaped
#3775Display Categories Widget429043k+Output is not escaped
#3776Simple HTML Sitemap4242201k+Text Domain Mismatch
#3777Storefront Online Ordering by DoorDash427610600Output is not escaped
#3778Duplicate Page or Post42122119k+Text Domain Mismatch
#3779Easy Demo Import for Omega Themes423341400Output is not escaped
#3780Easy Video Player42202020k+Output is not escaped
#3781Embedly4217382k+Output is not escaped
#3782Etsy Shop4258213k+Unsafe printing function
#3783Exclude Pages42311420k+Non Singular String Literal Domain
#3784File Media Renamer4216422k+Input is not sanitized
#3785First payment date for WooCommerce Subscriptions424219400Output is not escaped
#3786Flamix: Bitrix24 and Contact Form 7 integrations427941k+Output is not escaped
#3787Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution421111720k+Exception output is not escaped
#3788FooTable428671k+Output is not escaped
#3789FormCraft – Form Builder421861562k+Text Domain Mismatch
#3790Lock Down Admin4230203k+Unsafe printing function
#3791Fusion Page Builder : Extension – Gallery422930600Output is not escaped
#3792GA Google Analytics – Connect Google Analytics to WordPress424630400k+Output is not escaped
#3793Gelato Integration for WooCommerce4236325k+Output is not escaped
#3794Geo Blocker – Control Site Access by Region and IP4210641k+Direct Query
#3795Goolytics – Simple Google Analytics423754k+Unsafe printing function
#3796hCaptcha for WP421151870k+Exception output is not escaped
#3797Hide Featured Image42261210k+Unsafe printing function
#3798HTML Editor Syntax Highlighter42302150k+Output is not escaped
#3799Image Uploader for Welcart4227243k+Output is not escaped
#3800WP All Import – Import SEO Settings for Rank Math SEO4218447k+Nonce verification recommended