missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3801WP All Import – Import SEO Settings for Rank Math SEO4218447k+Nonce verification recommended
#3802iyzico for WooCommerce42345410k+Unsafe printing function
#3803Lazy Social Comments4273101k+Unsafe printing function
#3804LeadSnap4214841k+Input is not validated
#3805Image and Video Lightbox, Image PopUp4253151k+Output is not escaped
#3806Lightweight Social Icons4259130k+Output is not escaped
#3807LIQUID BLOCKS – Slider, Carousel, Accordion4250314k+Unsafe printing function
#3808List Custom Taxonomy Widget425259k+Output is not escaped
#3809Login No Captcha reCAPTCHA42452460k+Unsafe printing function
#3810Mailster Cool Captcha426528400Text Domain Mismatch
#3811Mass Delete Unused Tags42219800Output is not escaped
#3812Message Popup For Contact Form 74230811k+Missing nonce verification
#3813Mobile CSS42597500Output is not escaped
#3814My Upload Images427448400Unsafe printing function
#3815NS Remove Related Products for WooCommerce4295433k+Output is not escaped
#3816OnPay.io for WooCommerce42238371k+Text Domain Mismatch
#3817PageMenu4216291k+Missing nonce verification
#3818Photo Galleria42785800Missing Arg Domain
#3819Polylang Theme Strings42119306k+Output is not escaped
#3820Post Types Order424543600k+wp function not compatible with requires wp
#3821WP Email Log – PostBox42281700Nonce verification recommended
#3822Posts Like Dislike42157395k+Non Singular String Literal Domain
#3823Prepare New Version4253246k+Output is not escaped
#3824Prismatic4261292k+Output is not escaped
#3825PuSHPress42116520k+Missing nonce verification
#3826reCAPTCHA for WooCommerce42803140k+Output is not escaped
#3827Recent Posts Widget Plus42683500Output is not escaped
#3828WP Required Taxonomies – Categories and Tags Mandatory4243361k+Non-prefixed global variable
#3829Responsive Mortgage Calculator4238287k+Output is not escaped
#3830RSS Just Better421362400Output is not escaped
#3831Sendcloud Shipping4278565k+Output is not escaped
#3832SEO Backlink Monitor4286105700Output is not escaped
#3833Set All First Images As Featured424413700Text Domain Mismatch
#3834Simple Meta Tags422813700Output is not escaped
#3835Simple Sticky Footer425716600Missing Arg Domain
#3836SMTP Mailer42514970k+Unsafe printing function
#3837Social Icon Widget42906500Output is not escaped
#3838Speed Contact Bar4253204k+Output is not escaped
#3839Squelch Tabs and Accordions Shortcodes4257511k+Unsafe printing function
#3840Starter Sites4262251k+Output is not escaped
#3841Sticky Add To Cart Bar For WooCommerce424654600Output is not escaped
#3842Sticky Floating Button (Book Now, Contact, Call To Action…)429526900Missing Arg Domain
#3843Combine Social Photos | Still BE4233281700Non-prefixed global variable
#3844Top Bar42751110k+Output is not escaped
#3845Two Factor421870100k+Nonce verification recommended
#3846Ultimate Category Excluder42222650k+Missing nonce verification
#3847Ultimate Coming Soon Page, Maintenance Mode & Under Construction – Gutenberg Block Builder & Landing Page4215899k+Non-prefixed global variable
#3848UniConsent Cookie Consent CMP – Consent Manager42148181k+Unsafe printing function
#3849Usermaven4236771k+Request data is not unslashed
#3850Vast Demo Import42180113600Text Domain Mismatch