missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3951 | WPKoi Templates for Elementor | 44 | 937 | 25 | 5k+ | Text Domain Mismatch | ||
| #3952 | Advanced Custom Fields – Contact Form 7 Field | 45 | 59 | 8 | 2k+ | Output is not escaped | ||
| #3953 | Back In Stock Notifier for WooCommerce | WooCommerce Waitlist Pro | 45 | 26 | 117 | 20k+ | Non-prefixed hook name | ||
| #3954 | Contact Details | 45 | 43 | 29 | 1k+ | Non Singular String Literal Text | ||
| #3955 | Contact Form 7 Signature Addon | 45 | 147 | 44 | 6k+ | Text Domain Mismatch | ||
| #3956 | Content Copy Protection & Disable Right Click | 45 | 47 | 17 | 1k+ | Output is not escaped | ||
| #3957 | Cookie Law Bar | 45 | 29 | 20 | 2k+ | Output is not escaped | ||
| #3958 | Custom Error Pages | 45 | 51 | 16 | 600 | Output is not escaped | ||
| #3959 | Easy HTML Sitemap | 45 | 75 | 8 | 600 | Text Domain Mismatch | ||
| #3960 | Format Media Titles | 45 | 33 | 4 | 5k+ | Unsafe printing function | ||
| #3961 | Icons Font Loader – Load Web Fonts and Icon Libraries | 45 | 47 | 33 | 2k+ | Text Domain Mismatch | ||
| #3962 | Evergreen Countdown Timer | 45 | 193 | 35 | 2k+ | wp function not compatible with requires wp | ||
| #3963 | Jetpack Search | 45 | 925 | 426 | 5k+ | Text Domain Mismatch | ||
| #3964 | LINE Auto Post | 45 | 19 | 11 | 500 | Heredoc Output Not Escaped | ||
| #3965 | LWS Hide Login | 45 | 5 | 58 | 20k+ | Request data is not unslashed | ||
| #3966 | New Order Notification for WooCommerce | 45 | 21 | 42 | 900 | Output is not escaped | ||
| #3967 | Passwords Evolved | 45 | 26 | 17 | 1k+ | Output is not escaped | ||
| #3968 | reCAPTCHA for Asgaros Forum | 45 | 21 | 36 | 4k+ | Input is not validated | ||
| #3969 | Simple Membership MailChimp Integration | 45 | 34 | 27 | 900 | curl curl setopt | ||
| #3970 | Slider Templates | 45 | 10 | 33 | 1k+ | Request data is not unslashed | ||
| #3971 | Specify Missing Image Dimensions | 45 | 21 | 12 | 1k+ | Unsafe printing function | ||
| #3972 | Utimate Kit ( Styler ) for WPForms | 45 | 240 | 69 | 20k+ | Missing Arg Domain | ||
| #3973 | Super Blank | 45 | 131 | 56 | 10k+ | Missing direct file access protection | ||
| #3974 | SyntaxHighlighter Evolved | 45 | 33 | 46 | 20k+ | Not In Footer | ||
| #3975 | Payrexx Payment Gateway for WooCommerce | 45 | 17 | 117 | 2k+ | Non-prefixed class | ||
| #3976 | WP Comment Policy Checkbox | 45 | 31 | 11 | 5k+ | Output is not escaped | ||
| #3977 | WP Global Site Tag | 45 | 48 | 9 | 7k+ | Output is not escaped | ||
| #3978 | WP OpenAPI | 45 | 26 | 22 | 400 | Output is not escaped | ||
| #3979 | ARI Stream Quiz – WordPress Quizzes Builder | 46 | 21 | 239 | 2k+ | Non-prefixed global variable | ||
| #3980 | Bullhorn Career Portal WordPress Plugin | 46 | 46 | 7 | 1k+ | Output is not escaped | ||
| #3981 | Official CleverReach® Plugin for WooCommerce | 46 | 37 | 98 | 400 | Non-prefixed global variable | ||
| #3982 | CLP Varnish Cache | 46 | 15 | 58 | 10k+ | Non-prefixed global variable | ||
| #3983 | CoSchedule | 46 | 24 | 66 | 3k+ | Nonce verification recommended | ||
| #3984 | DarkMySite – Advanced Dark Mode Plugin for WordPress | 46 | 22 | 100 | 1k+ | Request data is not unslashed | ||
| #3985 | Delete Multiple Themes | 46 | 39 | 5 | 1k+ | Text Domain Mismatch | ||
| #3986 | Display Featured Image for Genesis | 46 | 64 | 59 | 1k+ | Non-prefixed global variable | ||
| #3987 | DX Delete Attached Media | 46 | 32 | 8 | 4k+ | Output is not escaped | ||
| #3988 | Easy Basic Authentication – Add basic auth to site or admin area | 46 | 14 | 28 | 600 | Input is not sanitized | ||
| #3989 | Enhanced AJAX Add to Cart for WooCommerce | 46 | 90 | 78 | 600 | Missing Arg Domain | ||
| #3990 | Gravity Forms Constant Contact | 46 | 36 | 27 | 3k+ | Non-prefixed class | ||
| #3991 | Import Social Events | 46 | 26 | 355 | 3k+ | Non-prefixed global variable | ||
| #3992 | Live Copy Paste for Elementor – Cross Domain Copy Paste & Page Duplicator | 46 | 13 | 25 | 7k+ | Request data is not unslashed | ||
| #3993 | Material Design Icons for Page Builders | 46 | 69 | 46 | 20k+ | Missing direct file access protection | ||
| #3994 | N360 | Splash Screen | 46 | 32 | 13 | 500 | Output is not escaped | ||
| #3995 | Pinterest Pinboard Widget | 46 | 54 | 4 | 500 | Output is not escaped | ||
| #3996 | Repeater Fields for Gravity Forms | 46 | 134 | 41 | 1k+ | wp function not compatible with requires wp | ||
| #3997 | Responsive Cookie Consent | 46 | 50 | 4 | 2k+ | Unsafe printing function | ||
| #3998 | Link in Bio Creator – Social | 46 | 52 | 36 | 2k+ | Non Singular String Literal Domain | ||
| #3999 | Stars Rating | 46 | 13 | 34 | 1k+ | Missing nonce verification | ||
| #4000 | StockPack – Stock photos from Unsplash, Adobe Stock and more | 46 | 35 | 51 | 6k+ | Nonce verification recommended |