missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
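
One way to audit a plugin tree for the guard described above, as an added example that is not Plugin Check's own implementation. It is a regex heuristic rather than a PHP parser, and it assumes the guard must be the first statement after any `declare`, `namespace`, or `use` lines; the sample files and their names are constructed.

```python
import re
import tempfile
from pathlib import Path

# String literals are captured (kept); comments match without a group (dropped).
TOKEN = re.compile(r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|/\*.*?\*/|//[^\n]*|#[^\n]*""", re.S)
# Statements that may legitimately precede the guard.
PREAMBLE = re.compile(r"\s*(?:declare\s*\([^)]*\)|namespace\s+[\w\\]+|use\s+[^;]+)\s*;", re.I)
# `if ( ! defined( 'ABSPATH' ) ) { exit; }` and the `defined( 'ABSPATH' ) || exit;` short form.
GUARD = re.compile(
    r"""\s*(?:if\s*\(\s*!\s*defined\s*\(\s*['"]ABSPATH['"]\s*\)\s*\)\s*\{?\s*(?:exit|die|return)\b"""
    r"""|defined\s*\(\s*['"]ABSPATH['"]\s*\)\s*(?:\|\||or)\s*(?:exit|die)\b)""", re.I)

def has_early_guard(source: str) -> bool:
    """True if the ABSPATH guard is the first statement that runs."""
    opening = re.match(r"\s*<\?php\b", source, re.I)
    if not opening:
        return False  # markup before <?php is output sent before any guard
    code = TOKEN.sub(lambda m: m.group(1) or " ", source[opening.end():])
    pos = 0
    while (m := PREAMBLE.match(code, pos)):
        pos = m.end()
    return GUARD.match(code, pos) is not None

def audit_plugin(root) -> list[str]:
    """Relative paths of PHP files under root that lack an early guard."""
    flagged = (f for f in Path(root).rglob("*.php")
               if not has_early_guard(f.read_text(encoding="utf-8", errors="replace")))
    return sorted(f.relative_to(root).as_posix() for f in flagged)

# Constructed sample plugin tree (not taken from any plugin in the table).
SAMPLES = {
    "demo.php": "<?php\n/** Plugin Name: Demo */\nif ( ! defined( 'ABSPATH' ) ) {\n\texit;\n}\n",
    "src/short.php": "<?php\nnamespace Demo;\n\ndefined( 'ABSPATH' ) || exit;\n",
    "templates/row.php": "<tr><td><?php echo esc_html( $title ); ?></td></tr>\n",
    "includes/late.php": "<?php\n$o = get_option( 'demo' );\nif ( ! defined( 'ABSPATH' ) ) { exit; }\n",
    "includes/commented.php": "<?php\n// if ( ! defined( 'ABSPATH' ) ) { exit; }\nrequire 'x.php';\n",
}

def demo() -> list[str]:
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLES.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return audit_plugin(tmp)

if __name__ == "__main__":
    print("\n".join(demo()))
```

The three flagged samples cover the cases the list above warns about: a template partial that emits markup first, a guard placed after the file has already called a WordPress function, and a guard that exists only inside a comment.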
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4051 | Mime Types Plus | 98 | 1 | 12 | 10k+ | | | Non-prefixed global variable |
| #4052 | Multi Device Switcher | 98 | 2 | 9 | 20k+ | | | Non-prefixed function |
| #4053 | Multisite Language Switcher | 98 | 4 | 21 | 4k+ | | | Dynamic hook name |
| #4054 | Native Lazyload | 98 | 2 | 2 | 5k+ | | | Missing Version |
| #4055 | Nested Shortcodes by Outerbridge | 98 | 4 | 0 | 1k+ | | | Missing direct file access protection |
| #4056 | News Ticker Widget for Elementor | 98 | 2 | 2 | 4k+ | | | Non-prefixed constant |
| #4057 | oEmbed Plus | 98 | 3 | 1 | 4k+ | | | Missing direct file access protection |
| #4058 | External Links in New Window / New Tab | 98 | 2 | 13 | 30k+ | | | Non-prefixed global variable |
| #4059 | OTF Regenerate Thumbnails | 98 | 3 | 1 | 4k+ | | | Missing direct file access protection |
| #4060 | Paste as Plain Text | 98 | 2 | 1 | 1k+ | | | Missing direct file access protection |
| #4061 | WebSub (FKA. PubSubHubbub) | 98 | 5 | 4 | 100k+ | | | Non-prefixed hook name |
| #4062 | Quicklink for WordPress | 98 | 3 | 2 | 1k+ | | | trademarked term |
| #4063 | Re-Add Text Justify Button | 98 | 3 | 0 | 20k+ | | | Missing direct file access protection |
| #4064 | Really Simple CAPTCHA | 98 | 2 | 2 | 300k+ | | | Non-prefixed constant |
| #4065 | Remove Author Pages | 98 | 3 | 0 | 3k+ | | | Missing direct file access protection |
| #4066 | Responsive Image Maps | 98 | 3 | 1 | 4k+ | | | Missing direct file access protection |
| #4067 | Restore Link Title Field | 98 | 4 | 0 | 3k+ | | | Missing Arg Domain |
| #4068 | Safe SVG | 98 | 7 | 4 | 1m+ | | | Missing Arg Domain |
| #4069 | Save with keyboard | 98 | 2 | 2 | 3k+ | | | Missing direct file access protection |
| #4070 | Seed Buddhist Year | 98 | 3 | 1 | 3k+ | | | Missing direct file access protection |
| #4071 | Shortcodes for Elementor | 98 | 5 | 3 | 5k+ | | | Missing direct file access protection |
| #4072 | Shortcodes for Divi | 98 | 2 | 3 | 10k+ | | | Discouraged text-domain loading |
| #4073 | Simple Admin Language Change | 98 | 4 | 2 | 10k+ | | | Missing direct file access protection |
| #4074 | Tableberg – Simple Gutenberg Table Block | 98 | 3 | 4 | 3k+ | | | date date |
| #4075 | Tag Pages | 98 | 3 | 0 | 10k+ | | | Missing direct file access protection |
| #4076 | Toggles | 98 | 3 | 0 | 2k+ | | | Missing direct file access protection |
| #4077 | Unplug Jetpack | 98 | 4 | 0 | 1k+ | | | Missing direct file access protection |
| #4078 | Users Registration Date | 98 | 3 | 0 | 2k+ | | | Missing direct file access protection |
| #4079 | WebFinger | 98 | 3 | 8 | 1k+ | | | Non-prefixed function |
| #4080 | Which Template | 98 | 4 | 1 | 1k+ | | | wp function not compatible with requires wp |
| #4081 | Align Woo Buttons | 98 | 3 | 6 | 3k+ | | | Non-prefixed function |
| #4082 | Database Reset | 98 | 14 | 3 | 10k+ | | | Missing direct file access protection |
| #4083 | WP Display Header | 98 | 15 | 3 | 7k+ | | | Text Domain Mismatch |
| #4084 | WP Document Revisions | 98 | 7 | 7 | 2k+ | | | wp function not compatible with requires wp |
| #4085 | WP Edit Username | 98 | 1 | 14 | 2k+ | | | Non-prefixed hook name |
| #4086 | WP Last Login | 98 | 2 | 4 | 10k+ | | | trademarked term |
| #4087 | WP Links Page | 98 | 2 | 3 | 3k+ | | | trademarked term |
| #4088 | WP Menu Image | 98 | 2 | 4 | 2k+ | | | trademarked term |
| #4089 | Wp Post Views – WordPress Post views counter | 98 | 3 | 10 | 4k+ | | | Non-prefixed class |
| #4090 | WP Remove Query Strings From Static Resources | 98 | 2 | 5 | 3k+ | | | trademarked term |
| #4091 | WP Robots Txt | 98 | 2 | 3 | 50k+ | | | trademarked term |
| #4092 | WP Scraper | 98 | 2 | 4 | 2k+ | | | trademarked term |
| #4093 | WP Snow Effect | 98 | 5 | 4 | 1k+ | | | Missing direct file access protection |
| #4094 | WPB Addons for Elementor – News Ticker, Timeline, Team & More Widgets | 98 | 1 | 17 | 3k+ | | | Post Not In exclude |
| #4095 | Show IDs by DraftPress | 98 | 2 | 3 | 10k+ | | | Missing direct file access protection |
| #4096 | Zenchef widget integration | 98 | 18 | 0 | 1k+ | | | Missing direct file access protection |
| #4097 | Add From Server Reloaded | 99 | 2 | 1 | 2k+ | | | Missing direct file access protection |
| #4098 | AntiVirus | 99 | 2 | 1 | 30k+ | | | Missing direct file access protection |
| #4099 | Audio Album | 99 | 2 | 1 | 4k+ | | | Discouraged text-domain loading |
| #4100 | Auto Hide Admin Bar | 99 | 2 | 0 | 4k+ | | | Missing direct file access protection |