missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3951WPKoi Templates for Elementor44937255k+Text Domain Mismatch
#3952Advanced Custom Fields – Contact Form 7 Field455982k+Output is not escaped
#3953Back In Stock Notifier for WooCommerce | WooCommerce Waitlist Pro452611720k+Non-prefixed hook name
#3954Contact Details4543291k+Non Singular String Literal Text
#3955Contact Form 7 Signature Addon45147446k+Text Domain Mismatch
#3956Content Copy Protection & Disable Right Click4547171k+Output is not escaped
#3957Cookie Law Bar4529202k+Output is not escaped
#3958Custom Error Pages455116600Output is not escaped
#3959Easy HTML Sitemap45758600Text Domain Mismatch
#3960Format Media Titles453345k+Unsafe printing function
#3961Icons Font Loader – Load Web Fonts and Icon Libraries4547332k+Text Domain Mismatch
#3962Evergreen Countdown Timer45193352k+wp function not compatible with requires wp
#3963Jetpack Search459254265k+Text Domain Mismatch
#3964LINE Auto Post451911500Heredoc Output Not Escaped
#3965LWS Hide Login4555820k+Request data is not unslashed
#3966New Order Notification for WooCommerce452142900Output is not escaped
#3967Passwords Evolved4526171k+Output is not escaped
#3968reCAPTCHA for Asgaros Forum4521364k+Input is not validated
#3969Simple Membership MailChimp Integration453427900curl curl setopt
#3970Slider Templates4510331k+Request data is not unslashed
#3971Specify Missing Image Dimensions4521121k+Unsafe printing function
#3972Utimate Kit ( Styler ) for WPForms452406920k+Missing Arg Domain
#3973Super Blank451315610k+Missing direct file access protection
#3974SyntaxHighlighter Evolved45334620k+Not In Footer
#3975Payrexx Payment Gateway for WooCommerce45171172k+Non-prefixed class
#3976WP Comment Policy Checkbox4531115k+Output is not escaped
#3977WP Global Site Tag454897k+Output is not escaped
#3978WP OpenAPI452622400Output is not escaped
#3979ARI Stream Quiz – WordPress Quizzes Builder46212392k+Non-prefixed global variable
#3980Bullhorn Career Portal WordPress Plugin464671k+Output is not escaped
#3981Official CleverReach® Plugin for WooCommerce463798400Non-prefixed global variable
#3982CLP Varnish Cache46155810k+Non-prefixed global variable
#3983CoSchedule4624663k+Nonce verification recommended
#3984DarkMySite – Advanced Dark Mode Plugin for WordPress46221001k+Request data is not unslashed
#3985Delete Multiple Themes463951k+Text Domain Mismatch
#3986Display Featured Image for Genesis4664591k+Non-prefixed global variable
#3987DX Delete Attached Media463284k+Output is not escaped
#3988Easy Basic Authentication – Add basic auth to site or admin area461428600Input is not sanitized
#3989Enhanced AJAX Add to Cart for WooCommerce469078600Missing Arg Domain
#3990Gravity Forms Constant Contact4636273k+Non-prefixed class
#3991Import Social Events46263553k+Non-prefixed global variable
#3992Live Copy Paste for Elementor – Cross Domain Copy Paste & Page Duplicator4613257k+Request data is not unslashed
#3993Material Design Icons for Page Builders46694620k+Missing direct file access protection
#3994N360 | Splash Screen463213500Output is not escaped
#3995Pinterest Pinboard Widget46544500Output is not escaped
#3996Repeater Fields for Gravity Forms46134411k+wp function not compatible with requires wp
#3997Responsive Cookie Consent465042k+Unsafe printing function
#3998Link in Bio Creator – Social4652362k+Non Singular String Literal Domain
#3999Stars Rating4613341k+Missing nonce verification
#4000StockPack – Stock photos from Unsplash, Adobe Stock and more4635516k+Nonce verification recommended