missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3901Team Builder Member Showcase43141271k+Non-prefixed global variable
#3902Term Management Tools4392610k+Non-prefixed hook name
#3903Terms Order WP – Categories And Taxonomies Order Plugin431247900Non-prefixed global variable
#3904Theme Test Drive4339167k+Output is not escaped
#3905Uber reCaptcha43129451k+Text Domain Mismatch
#3906User Session Control433121700Output is not escaped
#3907utm.codes433433400Missing nonce verification
#3908Sovrn439291k+Input is not sanitized
#3909WIP Custom Login432137700Nonce verification recommended
#3910Checkout Field Manager (Checkout Manager) for WooCommerce4316115490k+Non-prefixed global variable
#3911WP Hotel Booking Stripe Payment433429400Text Domain Mismatch
#3912WP Hotel Booking WPML Support431052400Direct Query
#3913WP Mail Log43402910k+Text Domain Mismatch
#3914WP Post Expires4321152k+Output is not escaped
#3915Advanced Custom Fields: oEmbed Field4436131k+Text Domain Mismatch
#3916Advanced Dynamic Pricing and Discount Rules for WooCommerce44281320k+Non-prefixed namespace
#3917Buttonizer – Live Chat, AI Chatbot, Call, Chat, Contact Button44247150k+Non-prefixed constant
#3918Button visually impaired44145510k+Text Domain Mismatch
#3919Code Widget4460334k+Text Domain Mismatch
#3920Coming soon and Maintenance mode4414439k+Request data is not unslashed
#3921Comment Image4419231k+Output is not escaped
#3922Custom Dashboard Help Widget447312800Output is not escaped
#3923Cyberpret – Calculettes444117500Output is not escaped
#3924Debug Bar Console442391k+Missing Arg Domain
#3925Easy!Appointments44476600Unsafe printing function
#3926ELEX WooCommerce Role Based Pricing442131962k+Non-prefixed global variable
#3927Github Embed4418351k+Non-prefixed global variable
#3928Image Widget444853k+Output is not escaped
#3929Smart JavaScript Auto Loader44832400Output is not escaped
#3930KKiapay WooCommerce Plugin442025400Output is not escaped
#3931Roles & Capabilities4424791k+Nonce verification recommended
#3932Save and Close44447400Missing nonce verification
#3933LIQUID SPEECH BALLOON44343010k+Output is not escaped
#3934Minimum Order Amount for Woocommerce4450162k+Text Domain Mismatch
#3935Multilevel Navigation Menu44801500Output is not escaped
#3936Notix – Web Push Notifications442241600Non-prefixed global variable
#3937QR Code Woocommerce4437361k+Output is not escaped
#3938Razorpay Subscriptions for WooCommerce442835600Exception output is not escaped
#3939Setmore Appointments4445134k+Output is not escaped
#3940Shippit for WooCommerce4412726900Text Domain Mismatch
#3941Simple Full Screen Background Image44231310k+Output is not escaped
#3942Simple Image Widget44261910k+Unsafe printing function
#3943Smart Archive Page Remove448257k+Output is not escaped
#3944Smart Attachment Page Remove44823900Output is not escaped
#3945SmartVideo – Video Player and CDN44295441k+Text Domain Mismatch
#3946TP Product Description in Loop for WooCommerce44487500Setting is missing a sanitization callback
#3947Trusty Whistleblowing Solution4423416400Text Domain Mismatch
#3948WCFM – WCFM Marketplace integrate Elementor4482181k+Output is not escaped
#3949WP Club Manager – WordPress Sports Club Plugin44171682600Non-prefixed global variable
#3950Wpazure Kit44136140800Missing direct file access protection