missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3801 | WP All Import – Import SEO Settings for Rank Math SEO | 42 | 18 | 44 | 7k+ | Nonce verification recommended | ||
| #3802 | iyzico for WooCommerce | 42 | 34 | 54 | 10k+ | Unsafe printing function | ||
| #3803 | Lazy Social Comments | 42 | 73 | 10 | 1k+ | Unsafe printing function | ||
| #3804 | LeadSnap | 42 | 14 | 84 | 1k+ | Input is not validated | ||
| #3805 | Image and Video Lightbox, Image PopUp | 42 | 53 | 15 | 1k+ | Output is not escaped | ||
| #3806 | Lightweight Social Icons | 42 | 59 | 1 | 30k+ | Output is not escaped | ||
| #3807 | LIQUID BLOCKS – Slider, Carousel, Accordion | 42 | 50 | 31 | 4k+ | Unsafe printing function | ||
| #3808 | List Custom Taxonomy Widget | 42 | 52 | 5 | 9k+ | Output is not escaped | ||
| #3809 | Login No Captcha reCAPTCHA | 42 | 45 | 24 | 60k+ | Unsafe printing function | ||
| #3810 | Mailster Cool Captcha | 42 | 65 | 28 | 400 | Text Domain Mismatch | ||
| #3811 | Mass Delete Unused Tags | 42 | 21 | 9 | 800 | Output is not escaped | ||
| #3812 | Message Popup For Contact Form 7 | 42 | 30 | 81 | 1k+ | Missing nonce verification | ||
| #3813 | Mobile CSS | 42 | 59 | 7 | 500 | Output is not escaped | ||
| #3814 | My Upload Images | 42 | 74 | 48 | 400 | Unsafe printing function | ||
| #3815 | NS Remove Related Products for WooCommerce | 42 | 95 | 43 | 3k+ | Output is not escaped | ||
| #3816 | OnPay.io for WooCommerce | 42 | 238 | 37 | 1k+ | Text Domain Mismatch | ||
| #3817 | PageMenu | 42 | 16 | 29 | 1k+ | Missing nonce verification | ||
| #3818 | Photo Galleria | 42 | 78 | 5 | 800 | Missing Arg Domain | ||
| #3819 | Polylang Theme Strings | 42 | 119 | 30 | 6k+ | Output is not escaped | ||
| #3820 | Post Types Order | 42 | 45 | 43 | 600k+ | wp function not compatible with requires wp | ||
| #3821 | WP Email Log – PostBox | 42 | 2 | 81 | 700 | Nonce verification recommended | ||
| #3822 | Posts Like Dislike | 42 | 157 | 39 | 5k+ | Non Singular String Literal Domain | ||
| #3823 | Prepare New Version | 42 | 53 | 24 | 6k+ | Output is not escaped | ||
| #3824 | Prismatic | 42 | 61 | 29 | 2k+ | Output is not escaped | ||
| #3825 | PuSHPress | 42 | 11 | 65 | 20k+ | Missing nonce verification | ||
| #3826 | reCAPTCHA for WooCommerce | 42 | 80 | 31 | 40k+ | Output is not escaped | ||
| #3827 | Recent Posts Widget Plus | 42 | 68 | 3 | 500 | Output is not escaped | ||
| #3828 | WP Required Taxonomies – Categories and Tags Mandatory | 42 | 43 | 36 | 1k+ | Non-prefixed global variable | ||
| #3829 | Responsive Mortgage Calculator | 42 | 38 | 28 | 7k+ | Output is not escaped | ||
| #3830 | RSS Just Better | 42 | 136 | 2 | 400 | Output is not escaped | ||
| #3831 | Sendcloud Shipping | 42 | 78 | 56 | 5k+ | Output is not escaped | ||
| #3832 | SEO Backlink Monitor | 42 | 86 | 105 | 700 | Output is not escaped | ||
| #3833 | Set All First Images As Featured | 42 | 44 | 13 | 700 | Text Domain Mismatch | ||
| #3834 | Simple Meta Tags | 42 | 28 | 13 | 700 | Output is not escaped | ||
| #3835 | Simple Sticky Footer | 42 | 57 | 16 | 600 | Missing Arg Domain | ||
| #3836 | SMTP Mailer | 42 | 51 | 49 | 70k+ | Unsafe printing function | ||
| #3837 | Social Icon Widget | 42 | 90 | 6 | 500 | Output is not escaped | ||
| #3838 | Speed Contact Bar | 42 | 53 | 20 | 4k+ | Output is not escaped | ||
| #3839 | Squelch Tabs and Accordions Shortcodes | 42 | 57 | 51 | 1k+ | Unsafe printing function | ||
| #3840 | Starter Sites | 42 | 62 | 25 | 1k+ | Output is not escaped | ||
| #3841 | Sticky Add To Cart Bar For WooCommerce | 42 | 46 | 54 | 600 | Output is not escaped | ||
| #3842 | Sticky Floating Button (Book Now, Contact, Call To Action…) | 42 | 95 | 26 | 900 | Missing Arg Domain | ||
| #3843 | Combine Social Photos | Still BE | 42 | 33 | 281 | 700 | Non-prefixed global variable | ||
| #3844 | Top Bar | 42 | 75 | 11 | 10k+ | Output is not escaped | ||
| #3845 | Two Factor | 42 | 18 | 70 | 100k+ | Nonce verification recommended | ||
| #3846 | Ultimate Category Excluder | 42 | 22 | 26 | 50k+ | Missing nonce verification | ||
| #3847 | Ultimate Coming Soon Page, Maintenance Mode & Under Construction – Gutenberg Block Builder & Landing Page | 42 | 15 | 89 | 9k+ | Non-prefixed global variable | ||
| #3848 | UniConsent Cookie Consent CMP – Consent Manager | 42 | 148 | 18 | 1k+ | Unsafe printing function | ||
| #3849 | Usermaven | 42 | 36 | 77 | 1k+ | Request data is not unslashed | ||
| #3850 | Vast Demo Import | 42 | 180 | 113 | 600 | Text Domain Mismatch |