missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3751 | Admin Options Pages | 42 | 3 | 284 | 500 | Nonce verification recommended | ||
| #3752 | Affiliate Link Tracker | 42 | 24 | 49 | 500 | Request data is not unslashed | ||
| #3753 | Post Grid Master — Post Grids & AJAX Filters | 42 | 44 | 115 | 1k+ | Non-prefixed global variable | ||
| #3754 | All-in-one Like Widget | 42 | 165 | 2 | 1k+ | Text Domain Mismatch | ||
| #3755 | Open Currency Converter | 42 | 59 | 19 | 1k+ | Unsafe printing function | ||
| #3756 | Automatic NBSP | 42 | 24 | 16 | 3k+ | Output is not escaped | ||
| #3757 | AweSplash – Just Splash Page | 42 | 39 | 34 | 400 | Output is not escaped | ||
| #3758 | Basic SEO Pack | 42 | 86 | 8 | 700 | Output is not escaped | ||
| #3759 | Booking.com Official Search Box | 42 | 36 | 32 | 2k+ | Output is not escaped | ||
| #3760 | BP Auto Group Join | 42 | 55 | 55 | 700 | Output is not escaped | ||
| #3761 | Custom Spinner for Contact Form 7 | 42 | 36 | 11 | 1k+ | Output is not escaped | ||
| #3762 | Change Background Color for Pages, Posts, Widgets | 42 | 35 | 7 | 500 | Text Domain Mismatch | ||
| #3763 | Chartbeat | 42 | 33 | 18 | 1k+ | Output is not escaped | ||
| #3764 | Comment Blacklist Updater | 42 | 45 | 15 | 1k+ | Output is not escaped | ||
| #3765 | Contact Form 7 add confirm | 42 | 31 | 51 | 50k+ | Text Domain Mismatch | ||
| #3766 | CookieHub – Cookie Consent Banner (DSGVO, CCPA, RGPD and GDPR compliance) | 42 | 33 | 49 | 3k+ | Output is not escaped | ||
| #3767 | Cronjob Scheduler | 42 | 20 | 36 | 1k+ | Input is not sanitized | ||
| #3768 | Custom Admin Page by BestWebSoft – Configurable WordPress Dashboard Pages Plugin | 42 | 472 | 181 | 400 | Text Domain Mismatch | ||
| #3769 | Custom Login | 42 | 36 | 116 | 10k+ | Non-prefixed global variable | ||
| #3770 | Simpliest Social Share | 42 | 37 | 22 | 600 | Unsafe printing function | ||
| #3771 | Dashboard Notes | 42 | 27 | 34 | 600 | Missing Arg Domain | ||
| #3772 | Dashboard Sticky Notes | 42 | 20 | 17 | 2k+ | Missing nonce verification | ||
| #3773 | Disable Comments | 42 | 44 | 19 | 100k+ | Unsafe printing function | ||
| #3774 | Disable Recaptcha – CF7 | 42 | 73 | 5 | 2k+ | Output is not escaped | ||
| #3775 | Display Categories Widget | 42 | 90 | 4 | 3k+ | Output is not escaped | ||
| #3776 | Simple HTML Sitemap | 42 | 42 | 20 | 1k+ | Text Domain Mismatch | ||
| #3777 | Storefront Online Ordering by DoorDash | 42 | 76 | 10 | 600 | Output is not escaped | ||
| #3778 | Duplicate Page or Post | 42 | 122 | 11 | 9k+ | Text Domain Mismatch | ||
| #3779 | Easy Demo Import for Omega Themes | 42 | 33 | 41 | 400 | Output is not escaped | ||
| #3780 | Easy Video Player | 42 | 20 | 20 | 20k+ | Output is not escaped | ||
| #3781 | Embedly | 42 | 17 | 38 | 2k+ | Output is not escaped | ||
| #3782 | Etsy Shop | 42 | 58 | 21 | 3k+ | Unsafe printing function | ||
| #3783 | Exclude Pages | 42 | 31 | 14 | 20k+ | Non Singular String Literal Domain | ||
| #3784 | File Media Renamer | 42 | 16 | 42 | 2k+ | Input is not sanitized | ||
| #3785 | First payment date for WooCommerce Subscriptions | 42 | 42 | 19 | 400 | Output is not escaped | ||
| #3786 | Flamix: Bitrix24 and Contact Form 7 integrations | 42 | 79 | 4 | 1k+ | Output is not escaped | ||
| #3787 | Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution | 42 | 111 | 17 | 20k+ | Exception output is not escaped | ||
| #3788 | FooTable | 42 | 86 | 7 | 1k+ | Output is not escaped | ||
| #3789 | FormCraft – Form Builder | 42 | 186 | 156 | 2k+ | Text Domain Mismatch | ||
| #3790 | Lock Down Admin | 42 | 30 | 20 | 3k+ | Unsafe printing function | ||
| #3791 | Fusion Page Builder : Extension – Gallery | 42 | 29 | 30 | 600 | Output is not escaped | ||
| #3792 | GA Google Analytics – Connect Google Analytics to WordPress | 42 | 46 | 30 | 400k+ | Output is not escaped | ||
| #3793 | Gelato Integration for WooCommerce | 42 | 36 | 32 | 5k+ | Output is not escaped | ||
| #3794 | Geo Blocker – Control Site Access by Region and IP | 42 | 10 | 64 | 1k+ | Direct Query | ||
| #3795 | Goolytics – Simple Google Analytics | 42 | 37 | 5 | 4k+ | Unsafe printing function | ||
| #3796 | hCaptcha for WP | 42 | 115 | 18 | 70k+ | Exception output is not escaped | ||
| #3797 | Hide Featured Image | 42 | 26 | 12 | 10k+ | Unsafe printing function | ||
| #3798 | HTML Editor Syntax Highlighter | 42 | 30 | 21 | 50k+ | Output is not escaped | ||
| #3799 | Image Uploader for Welcart | 42 | 27 | 24 | 3k+ | Output is not escaped | ||
| #3800 | WP All Import – Import SEO Settings for Rank Math SEO | 42 | 18 | 44 | 7k+ | Nonce verification recommended |