missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or break the code's assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.
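
The audit sketch below is an added example, not Plugin Check's own code: it classifies each PHP file in a plugin by whether an ABSPATH guard is present and whether it comes before any other work or output. The function names, the accepted guard spellings, the `declare`/`namespace`/`use` allowance and the sample files are assumptions made for illustration, and the comment stripping is a regex heuristic rather than a real PHP tokenizer.

```python
import re
from pathlib import Path

# Guard spellings this example accepts (an assumption, not Plugin Check's rule set):
#   if ( ! defined( 'ABSPATH' ) ) { exit; }    defined( 'ABSPATH' ) || exit;
GUARD = re.compile(
    r"""if\s*\(\s*!\s*defined\s*\(\s*['"]ABSPATH['"]\s*\)\s*\)\s*\{?\s*(?:exit|die|return)\b
      | defined\s*\(\s*['"]ABSPATH['"]\s*\)\s*(?:\|\||or)\s*(?:exit|die)\b""",
    re.VERBOSE | re.IGNORECASE,
)
# Heuristic comment stripper; it does not understand string literals.
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)
# Statements allowed ahead of the guard because they declare things but do no work.
PREAMBLE = re.compile(r"(?:declare\s*\([^)]*\)|namespace\s+[\w\\]+|use\s+[^;]+)\s*;", re.I)

def check_guard(source: str) -> str:
    """Classify PHP source as 'guarded', 'late-guard', 'missing-guard' or 'no-php'."""
    start = source.find("<?php")
    if start == -1:
        return "no-php"
    body = COMMENTS.sub("", source[start + 5:])
    match = GUARD.search(body)
    if match is None:
        return "missing-guard"
    # Anything left ahead of the guard (markup before <?php, or statements after
    # it) runs or is sent to the client before the ABSPATH check happens.
    ahead = source[:start] + PREAMBLE.sub("", body[:match.start()])
    return "late-guard" if ahead.strip() else "guarded"

def scan_plugin(root: str) -> dict:
    """Map each unguarded .php file under root (relative path) to its finding."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        status = check_guard(path.read_text(encoding="utf-8", errors="replace"))
        if status in ("late-guard", "missing-guard"):
            findings[path.relative_to(root).as_posix()] = status
    return findings

# Constructed sample files, not taken from any listed plugin.
SAMPLES = {
    "main.php": "<?php\n/* Plugin Name: Demo */\nnamespace Demo;\n\nif ( ! defined( 'ABSPATH' ) ) {\n\texit;\n}\nadd_action( 'init', 'demo_init' );\n",
    "partial.php": '<div class="box"><?php echo esc_html( $title ); ?></div>\n',
    "late.php": "<?php\nrequire __DIR__ . '/lib.php';\ndefined( 'ABSPATH' ) || exit;\n",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, check_guard(src))
```

Files reported as `late-guard` have a guard that exists but only takes effect after something else has already run or been output, which is the case the second fix item is about.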

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

Rank, Plugin, Score, Errors, Warnings, Installs, Added, Updated, Top Issue
#4001WP OpenAPI452622400Output is not escaped
#4002ARI Stream Quiz – WordPress Quizzes Builder46212392k+Non-prefixed global variable
#4003Bullhorn Career Portal WordPress Plugin464671k+Output is not escaped
#4004Official CleverReach® Plugin for WooCommerce463798400Non-prefixed global variable
#4005CLP Varnish Cache46155810k+Non-prefixed global variable
#4006CoSchedule4624663k+Nonce verification recommended
#4007DarkMySite – Advanced Dark Mode Plugin for WordPress46221001k+Request data is not unslashed
#4008Delete Multiple Themes463951k+Text Domain Mismatch
#4009Display Featured Image for Genesis4664591k+Non-prefixed global variable
#4010DX Delete Attached Media463284k+Output is not escaped
#4011Easy Basic Authentication – Add basic auth to site or admin area461428600Input is not sanitized
#4012Enhanced AJAX Add to Cart for WooCommerce469078700Missing Arg Domain
#4013Gravity Forms Constant Contact4636273k+Non-prefixed class
#4014Import Social Events46263553k+Non-prefixed global variable
#4015Live Copy Paste for Elementor – Cross Domain Copy Paste & Page Duplicator4613257k+Request data is not unslashed
#4016Material Design Icons for Page Builders46694620k+Missing direct file access protection
#4017N360 | Splash Screen463213500Output is not escaped
#4018Pinterest Pinboard Widget46544500Output is not escaped
#4019Prevent Browser Caching46191010k+Unsafe printing function
#4020Repeater Fields for Gravity Forms46134411k+wp function not compatible with requires wp
#4021Responsive Cookie Consent465042k+Unsafe printing function
#4022Link in Bio Creator – Social4652362k+Non Singular String Literal Domain
#4023Stars Rating4613341k+Missing nonce verification
#4024StockPack – Stock photos from Unsplash, Adobe Stock and more4635516k+Nonce verification recommended
#4025TotalSurvey for Survey, Quiz and Form4629033600Missing direct file access protection
#4026Ultimate FAQ Solution4628597600Text Domain Mismatch
#4027Updater by BestWebSoft464942192k+Text Domain Mismatch
#4028URL Params4636178k+Text Domain Mismatch
#4029Custom Price Labels for WooCommerce4617221k+Output is not escaped
#4030WP Lightbox 246521830k+Text Domain Mismatch
#4031Widget Disable46191910k+Output is not escaped
#4032WP All Import – Import SEO Settings for Yoast SEO46192620k+Nonce verification recommended
#4033Advanced Custom Fields: Number Slider47994400Output is not escaped
#4034AffiliateWP Checkout Referrals474826600Output is not escaped
#4035Clear Cache for Me4758840k+Text Domain Mismatch
#4036Custom Background Changer4744141k+Non Singular String Literal Domain
#4037Customizer Export/Import471415100k+Unsafe printing function
#4038DPO Pay for WooCommerce4728411k+Non Singular String Literal Text
#4039Flying Pages: Preload Pages for Faster Navigation & Improved User Experience47212120k+Missing direct file access protection
#4040FSM Custom Featured Image Caption4726275k+Output is not escaped
#4041G Meta Keywords4731810k+Unsafe printing function
#4042Granular Controls For Elementor4756410k+Output is not escaped
#4043Groups 404 Redirect4735331k+Non Singular String Literal Domain
#4044Import Users from CSV47331210k+Unsafe printing function
#4045KCSG Kartra Pages473016500Heredoc Output Not Escaped
#4046Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator47448310k+Missing direct file access protection
#4047Product Categories/Tags Bottom Description for WooCommerce4760233k+Text Domain Mismatch
#4048Real Media Library: Media Library Folder & File Manager471365100k+Direct Query
#4049Showeblogin Social Plugin47595400Output is not escaped
#4050Simple Popup Plugin475351k+Output is not escaped