missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be requested directly by URL and executed without WordPress being loaded, instead of only being loaded through WordPress.
Why It Shows Up
Plugin Check found a PHP file that does not guard against direct requests near its top, for example by checking that the ABSPATH constant is defined. ABSPATH is set by WordPress during its bootstrap, so it is absent exactly when the file was hit directly. Without that guard, any browser or script can fetch the file by its path (on a default installation, under wp-content/plugins/) and the web server executes it with no WordPress context at all.
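The check described above can be reproduced offline. The script below is an added example, not Plugin Check's own implementation: it tokenizes each PHP file given on the command line and reports those whose first executable statement (after the open tag, comments, and the `declare()`, `namespace` and `use` lines that PHP requires before anything else) is not an ABSPATH test. The script name and the sample paths are hypothetical.

```php
<?php
/**
 * find-unguarded.php (hypothetical name): report PHP files that can run code
 * on a direct request. Added illustration, not Plugin Check's own code.
 *
 * Usage: php find-unguarded.php $(find /path/to/my-plugin -name '*.php')
 */

declare( strict_types=1 );

/**
 * True when the file's first executable statement tests the ABSPATH constant,
 * as `if ( ! defined( 'ABSPATH' ) ) { exit; }` or `defined( 'ABSPATH' ) || exit;`.
 * Open tag, comments, whitespace, declare(), namespace and use statements are
 * skipped because PHP requires them before any other statement.
 */
function has_early_abspath_guard( string $source ): bool {
	$tokens = token_get_all( $source );
	$count  = count( $tokens );

	for ( $i = 0; $i < $count; $i++ ) {
		$token = $tokens[ $i ];

		if ( ! is_array( $token ) ) {
			continue; // punctuation such as the ';' or '{' that ends a skipped statement
		}

		switch ( $token[0] ) {
			case T_OPEN_TAG:
			case T_WHITESPACE:
			case T_COMMENT:
			case T_DOC_COMMENT:
				continue 2;

			case T_DECLARE:
			case T_NAMESPACE:
			case T_USE:
				// Skip to the end of the statement (';', or '{' for a braced namespace).
				while ( $i < $count && ';' !== $tokens[ $i ] && '{' !== $tokens[ $i ] ) {
					$i++;
				}
				continue 2;

			case T_IF:
				return condition_checks_abspath( $tokens, $i );

			case T_STRING:
				// The one-liner form starts with the bare function name `defined`.
				return 'defined' === strtolower( $token[1] ) && condition_checks_abspath( $tokens, $i );

			default:
				return false; // something else runs first: inline HTML, an include, a call...
		}
	}

	return true; // no executable code at all, nothing to protect
}

/**
 * Scan the parenthesised expression that starts at $start and report whether
 * it contains the string literal 'ABSPATH' before its closing parenthesis.
 */
function condition_checks_abspath( array $tokens, int $start ): bool {
	$depth = 0;
	$count = count( $tokens );

	for ( $i = $start; $i < $count; $i++ ) {
		$token = $tokens[ $i ];

		if ( '(' === $token ) {
			$depth++;
		} elseif ( ')' === $token ) {
			$depth--;
			if ( 0 === $depth ) {
				return false; // condition closed without mentioning ABSPATH
			}
		} elseif ( is_array( $token )
			&& T_CONSTANT_ENCAPSED_STRING === $token[0]
			&& 'ABSPATH' === trim( $token[1], '\'"' ) ) {
			return true;
		}
	}

	return false;
}

// CLI entry point: every path on the command line is checked and the unguarded ones printed.
foreach ( array_slice( $argv ?? array(), 1 ) as $path ) {
	$source = file_get_contents( $path );
	if ( false !== $source && ! has_early_abspath_guard( $source ) ) {
		echo "unguarded: {$path}", PHP_EOL;
	}
}
```

The script lists every file whose first statement is not the guard, including bundled third-party libraries and class-only files, so treat the output as a triage list rather than a verdict. A file that only defines a class emits nothing on a direct request but is still reported, matching the page's description of the check as a presence test for the guard.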
Why It Matters
A directly requested file runs outside the WordPress bootstrap: no wp-config.php, no WordPress functions, no authenticated user, and no nonce or capability checks. The mild outcome is a PHP fatal error on the first undefined WordPress function, which discloses the server path whenever display_errors is on. The worse outcome is a file that does real work before it touches WordPress (reads request parameters, includes other files, writes output) and now does so for anyone, with none of the permission and request-context assumptions its author made for normal loading.
How to Fix
- Add a guard near the top of every PHP file that is not meant to be requested directly, so the file stops before it does anything.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` (or the equivalent one-liner `defined( 'ABSPATH' ) || exit;`). Place it after any `declare()`, `namespace` and `use` statements, which PHP requires at the top of the file, and before any other statement or output.
- Guard template partials, includes and bootstrap files as well, not only the main plugin file: on a default installation every .php file under the plugin directory is reachable by URL.
Notes
- A file that is deliberately a public endpoint should not be a directly requested PHP file at all: expose it through a REST route, an admin-ajax.php action, or a query variable so that WordPress loads first and the handler gets its nonce and capability checks. If a file truly must be requested directly, it has to validate the request (method, parameters, any credential) before doing any work and must not assume that WordPress functions exist.
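The fix and the note on public endpoints, carried through in one plugin file. This is an added example, not code from any plugin listed on this page; the plugin slug, namespace, route, function and template names are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Guarded Plugin
 *
 * Added illustration for this page, not code from any plugin listed on it.
 * The plugin slug, namespace, route, function and template names are hypothetical.
 */

declare( strict_types=1 );

namespace Example_Guarded;

use WP_REST_Request;
use WP_REST_Response;

// PHP requires declare() and namespace (and by convention use) before any other
// statement, so the guard comes right after them and before anything that does work.
// ABSPATH is defined by WordPress during bootstrap; on a direct request such as
// GET /wp-content/plugins/example-guarded/example-guarded.php it is undefined.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

/**
 * A deliberately public endpoint done through WordPress instead of a directly
 * requested file: WordPress loads first, the REST layer validates the arguments
 * against the schema, and the permission callback enforces a capability check
 * that a direct file request would never have.
 */
function register_routes(): void {
	register_rest_route(
		'example-guarded/v1',
		'/export',
		array(
			'methods'             => 'POST',
			'callback'            => __NAMESPACE__ . '\\handle_export',
			'permission_callback' => static function (): bool {
				return current_user_can( 'manage_options' );
			},
			'args'                => array(
				'format' => array(
					'type'              => 'string',
					'enum'              => array( 'json', 'csv' ),
					'default'           => 'json',
					'sanitize_callback' => 'sanitize_key',
				),
			),
		)
	);
}
add_action( 'rest_api_init', __NAMESPACE__ . '\\register_routes' );

function handle_export( WP_REST_Request $request ): WP_REST_Response {
	$format = $request->get_param( 'format' ); // already validated against the enum above
	return new WP_REST_Response( array( 'format' => $format, 'ok' => true ), 200 );
}

/**
 * Template partials are pulled in with include from a WordPress context, and the
 * partial itself carries the same guard so it is inert when requested directly.
 * templates/notice.php (hypothetical) looks like:
 *
 *   <?php
 *   if ( ! defined( 'ABSPATH' ) ) {
 *       exit;
 *   }
 *   ?>
 *   <div class="notice notice-info"><p><?php echo $message; ?></p></div>
 */
function render_notice( string $message ): void {
	$message = esc_html( $message ); // escape here; the partial only echoes it
	include __DIR__ . '/templates/notice.php';
}
```

Before the guard, the only statements are ones PHP forces to the top of the file; anything else placed there (a require of a settings file, a constant definition, an echo) would already have executed on a direct request, which is exactly what the guard exists to prevent.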
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4001 | WP OpenAPI | 45 | 26 | 22 | 400 | | | Output is not escaped |
| #4002 | ARI Stream Quiz – WordPress Quizzes Builder | 46 | 21 | 239 | 2k+ | | | Non-prefixed global variable |
| #4003 | Bullhorn Career Portal WordPress Plugin | 46 | 46 | 7 | 1k+ | | | Output is not escaped |
| #4004 | Official CleverReach® Plugin for WooCommerce | 46 | 37 | 98 | 400 | | | Non-prefixed global variable |
| #4005 | CLP Varnish Cache | 46 | 15 | 58 | 10k+ | | | Non-prefixed global variable |
| #4006 | CoSchedule | 46 | 24 | 66 | 3k+ | | | Nonce verification recommended |
| #4007 | DarkMySite – Advanced Dark Mode Plugin for WordPress | 46 | 22 | 100 | 1k+ | | | Request data is not unslashed |
| #4008 | Delete Multiple Themes | 46 | 39 | 5 | 1k+ | | | Text Domain Mismatch |
| #4009 | Display Featured Image for Genesis | 46 | 64 | 59 | 1k+ | | | Non-prefixed global variable |
| #4010 | DX Delete Attached Media | 46 | 32 | 8 | 4k+ | | | Output is not escaped |
| #4011 | Easy Basic Authentication – Add basic auth to site or admin area | 46 | 14 | 28 | 600 | | | Input is not sanitized |
| #4012 | Enhanced AJAX Add to Cart for WooCommerce | 46 | 90 | 78 | 700 | | | Missing Arg Domain |
| #4013 | Gravity Forms Constant Contact | 46 | 36 | 27 | 3k+ | | | Non-prefixed class |
| #4014 | Import Social Events | 46 | 26 | 355 | 3k+ | | | Non-prefixed global variable |
| #4015 | Live Copy Paste for Elementor – Cross Domain Copy Paste & Page Duplicator | 46 | 13 | 25 | 7k+ | | | Request data is not unslashed |
| #4016 | Material Design Icons for Page Builders | 46 | 69 | 46 | 20k+ | | | Missing direct file access protection |
| #4017 | N360 \| Splash Screen | 46 | 32 | 13 | 500 | | | Output is not escaped |
| #4018 | Pinterest Pinboard Widget | 46 | 54 | 4 | 500 | | | Output is not escaped |
| #4019 | Prevent Browser Caching | 46 | 19 | 10 | 10k+ | | | Unsafe printing function |
| #4020 | Repeater Fields for Gravity Forms | 46 | 134 | 41 | 1k+ | | | wp function not compatible with requires wp |
| #4021 | Responsive Cookie Consent | 46 | 50 | 4 | 2k+ | | | Unsafe printing function |
| #4022 | Link in Bio Creator – Social | 46 | 52 | 36 | 2k+ | | | Non Singular String Literal Domain |
| #4023 | Stars Rating | 46 | 13 | 34 | 1k+ | | | Missing nonce verification |
| #4024 | StockPack – Stock photos from Unsplash, Adobe Stock and more | 46 | 35 | 51 | 6k+ | | | Nonce verification recommended |
| #4025 | TotalSurvey for Survey, Quiz and Form | 46 | 290 | 33 | 600 | | | Missing direct file access protection |
| #4026 | Ultimate FAQ Solution | 46 | 285 | 97 | 600 | | | Text Domain Mismatch |
| #4027 | Updater by BestWebSoft | 46 | 494 | 219 | 2k+ | | | Text Domain Mismatch |
| #4028 | URL Params | 46 | 36 | 17 | 8k+ | | | Text Domain Mismatch |
| #4029 | Custom Price Labels for WooCommerce | 46 | 17 | 22 | 1k+ | | | Output is not escaped |
| #4030 | WP Lightbox 2 | 46 | 52 | 18 | 30k+ | | | Text Domain Mismatch |
| #4031 | Widget Disable | 46 | 19 | 19 | 10k+ | | | Output is not escaped |
| #4032 | WP All Import – Import SEO Settings for Yoast SEO | 46 | 19 | 26 | 20k+ | | | Nonce verification recommended |
| #4033 | Advanced Custom Fields: Number Slider | 47 | 99 | 4 | 400 | | | Output is not escaped |
| #4034 | AffiliateWP Checkout Referrals | 47 | 48 | 26 | 600 | | | Output is not escaped |
| #4035 | Clear Cache for Me | 47 | 58 | 8 | 40k+ | | | Text Domain Mismatch |
| #4036 | Custom Background Changer | 47 | 44 | 14 | 1k+ | | | Non Singular String Literal Domain |
| #4037 | Customizer Export/Import | 47 | 14 | 15 | 100k+ | | | Unsafe printing function |
| #4038 | DPO Pay for WooCommerce | 47 | 28 | 41 | 1k+ | | | Non Singular String Literal Text |
| #4039 | Flying Pages: Preload Pages for Faster Navigation & Improved User Experience | 47 | 21 | 21 | 20k+ | | | Missing direct file access protection |
| #4040 | FSM Custom Featured Image Caption | 47 | 26 | 27 | 5k+ | | | Output is not escaped |
| #4041 | G Meta Keywords | 47 | 31 | 8 | 10k+ | | | Unsafe printing function |
| #4042 | Granular Controls For Elementor | 47 | 56 | 4 | 10k+ | | | Output is not escaped |
| #4043 | Groups 404 Redirect | 47 | 35 | 33 | 1k+ | | | Non Singular String Literal Domain |
| #4044 | Import Users from CSV | 47 | 33 | 12 | 10k+ | | | Unsafe printing function |
| #4045 | KCSG Kartra Pages | 47 | 30 | 16 | 500 | | | Heredoc Output Not Escaped |
| #4046 | Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator | 47 | 44 | 83 | 10k+ | | | Missing direct file access protection |
| #4047 | Product Categories/Tags Bottom Description for WooCommerce | 47 | 60 | 23 | 3k+ | | | Text Domain Mismatch |
| #4048 | Real Media Library: Media Library Folder & File Manager | 47 | 1 | 365 | 100k+ | | | Direct Query |
| #4049 | Showeblogin Social Plugin | 47 | 59 | 5 | 400 | | | Output is not escaped |
| #4050 | Simple Popup Plugin | 47 | 53 | 5 | 1k+ | | | Output is not escaped |