missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3851 | WC Speed Repair | 42 | 34 | 74 | 1k+ | Non-prefixed global variable | ||
| #3852 | Widget Visibility Time Scheduler | 42 | 70 | 34 | 1k+ | Output is not escaped | ||
| #3853 | WP Child Theme Generator | 42 | 35 | 66 | 20k+ | Request data is not unslashed | ||
| #3854 | WP Cron Cleaner | 42 | 51 | 38 | 500 | Unsafe printing function | ||
| #3855 | WP Fingerprint | 42 | 34 | 47 | 9k+ | Direct Query | ||
| #3856 | WP QuickLaTeX | 42 | 41 | 60 | 4k+ | Non-prefixed global variable | ||
| #3857 | WP Responsive Table | 42 | 42 | 10 | 6k+ | Output is not escaped | ||
| #3858 | Advanced All in One Admin Search by WP Spotlight | 42 | 25 | 25 | 900 | Missing Version | ||
| #3859 | WP Widget Clipboard – Duplicate widgets intuitively | 42 | 51 | 19 | 800 | Output is not escaped | ||
| #3860 | WPB Custom Tab Manager for WooCommerce – Add, Edit & Reorder Tabs | 42 | 95 | 32 | 500 | Output is not escaped | ||
| #3861 | WPFomo | 42 | 45 | 9 | 600 | Output is not escaped | ||
| #3862 | Yandex.Metrika | 42 | 15 | 20 | 900 | Unsafe printing function | ||
| #3863 | Admin Menu Tree Page View | 43 | 17 | 69 | 10k+ | Nonce verification recommended | ||
| #3864 | AdWords Conversion Tracking Code | 43 | 26 | 25 | 1k+ | Non Singular String Literal Domain | ||
| #3865 | AMP | 43 | 63 | 362 | 400k+ | Non-prefixed hook name | ||
| #3866 | Animation Builder – An interface for adding scroll-triggered animations | 43 | 7 | 67 | 900 | Missing Version | ||
| #3867 | Anonymous Restricted Content | 43 | 22 | 24 | 1k+ | Unsafe printing function | ||
| #3868 | Auto Alt Text | 43 | 52 | 13 | 4k+ | Exception output is not escaped | ||
| #3869 | Charla Live Chat | 43 | 33 | 13 | 500 | Output is not escaped | ||
| #3870 | Click to Call or Chat Buttons | 43 | 47 | 6 | 1k+ | Output is not escaped | ||
| #3871 | Comment Reply Email Notification | 43 | 44 | 19 | 3k+ | Output is not escaped | ||
| #3872 | Simple Mortgage Calculator | 43 | 67 | 3 | 1k+ | Text Domain Mismatch | ||
| #3873 | Custom Menu | 43 | 83 | 11 | 400 | wp function not compatible with requires wp | ||
| #3874 | Customize Login Image | 43 | 32 | 9 | 3k+ | Unsafe printing function | ||
| #3875 | Customize Snapshots | 43 | 9 | 42 | 500 | Nonce verification recommended | ||
| #3876 | Database Addon For WPForms ( wpforms entries ) – WPFormsDB | 43 | 17 | 53 | 20k+ | Nonce verification recommended | ||
| #3877 | Directorist – WPML Integration | 43 | 10 | 134 | 400 | Non-prefixed hook name | ||
| #3878 | Disable Gutenberg | 43 | 23 | 47 | 500k+ | Nonce verification recommended | ||
| #3879 | Disable WP Notification | 43 | 74 | 25 | 10k+ | Output is not escaped | ||
| #3880 | Email Notification on Login | 43 | 33 | 7 | 1k+ | Unsafe printing function | ||
| #3881 | F4 Total Stock Value for WooCommerce | 43 | 27 | 12 | 1k+ | Output is not escaped | ||
| #3882 | Floating Awesome Button (Sticky Button, Popup, Toast) & 200+ Website Custom Interactive Element | 43 | 66 | 109 | 800 | Missing direct file access protection | ||
| #3883 | GD bbPress Tools | 43 | 15 | 61 | 1k+ | Input is not sanitized | ||
| #3884 | Good Old Twitter Feed Widget | 43 | 110 | 10 | 400 | Text Domain Mismatch | ||
| #3885 | Per User Prompt for Google Authenticator | 43 | 8 | 52 | 400 | Nonce verification recommended | ||
| #3886 | Event Tracking for Gravity Forms | 43 | 34 | 25 | 20k+ | rand mt rand | ||
| #3887 | Insert Blocks Before or After Posts Content | 43 | 42 | 15 | 1k+ | Output is not escaped | ||
| #3888 | jQuery UI Widgets | 43 | 131 | 5 | 1k+ | Unsafe printing function | ||
| #3889 | MembershipWorks Login Connector | 43 | 28 | 81 | 800 | Request data is not unslashed | ||
| #3890 | Lightbox | 43 | 29 | 10 | 700 | Unsafe printing function | ||
| #3891 | Post Carousel Slider for Elementor | 43 | 133 | 23 | 3k+ | Text Domain Mismatch | ||
| #3892 | Post title marquee scroll | 43 | 43 | 25 | 1k+ | Output is not escaped | ||
| #3893 | Pro Categories Widget | 43 | 59 | 9 | 800 | Output is not escaped | ||
| #3894 | reCAPTCHA for MW WP Form | 43 | 37 | 14 | 30k+ | Non Singular String Literal Domain | ||
| #3895 | Redirect List | 43 | 34 | 22 | 1k+ | Output is not escaped | ||
| #3896 | Rut Chileno con Validación para WooCommerce | 43 | 35 | 16 | 1k+ | Text Domain Mismatch | ||
| #3897 | Secure Passkeys | 43 | 145 | 83 | 1k+ | Exception output is not escaped | ||
| #3898 | Simple Side Tab | 43 | 28 | 17 | 10k+ | Unsafe printing function | ||
| #3899 | Smart App Banner | 43 | 47 | 49 | 600 | Output is not escaped | ||
| #3900 | Snazzy Maps | 43 | 9 | 62 | 30k+ | Request data is not unslashed |