missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4101 | Auto Hide Admin Bar | 99 | 2 | 0 | 4k+ | Missing direct file access protection | ||
| #4102 | Enhanced Responsive Images | 99 | 1 | 2 | 50k+ | Missing direct file access protection | ||
| #4103 | Better Aria Label Support | 99 | 3 | 0 | 5k+ | Missing direct file access protection | ||
| #4104 | SMTP for Contact Form 7 | 99 | 5 | 0 | 1k+ | Missing direct file access protection | ||
| #4105 | Columns | 99 | 2 | 1 | 3k+ | Missing Version | ||
| #4106 | Default Featured Image | 99 | 2 | 2 | 60k+ | Missing direct file access protection | ||
| #4107 | Disable Embeds | 99 | 2 | 0 | 10k+ | Missing direct file access protection | ||
| #4108 | Disable Login Language Switcher | 99 | 2 | 0 | 1k+ | Missing direct file access protection | ||
| #4109 | Display Featured Image In Post List | 99 | 2 | 0 | 3k+ | Missing direct file access protection | ||
| #4110 | Email Address Obfuscation | 99 | 3 | 0 | 2k+ | wp function not compatible with requires wp | ||
| #4111 | Event Single Page Builder For The Events Calendar | 99 | 1 | 2 | 6k+ | Non-prefixed class | ||
| #4112 | Featured Image | 99 | 2 | 0 | 1k+ | Missing direct file access protection | ||
| #4113 | Filter for Divi | 99 | 2 | 0 | 2k+ | Missing direct file access protection | ||
| #4114 | Image Title Remove | 99 | 2 | 0 | 1k+ | Missing direct file access protection | ||
| #4115 | Inline Spoilers | 99 | 2 | 1 | 1k+ | Missing direct file access protection | ||
| #4116 | Insert Special Characters | 99 | 3 | 0 | 3k+ | Missing direct file access protection | ||
| #4117 | Language Fallback | 99 | 2 | 1 | 5k+ | Missing direct file access protection | ||
| #4118 | Masks Form Fields | 99 | 2 | 0 | 9k+ | Missing direct file access protection | ||
| #4119 | Ninja Tables – Easy Data Table Builder | 99 | 3 | 0 | 80k+ | Missing direct file access protection | ||
| #4120 | Post Type Transfer | 99 | 4 | 4 | 3k+ | Missing direct file access protection | ||
| #4121 | Printify for WooCommerce | 99 | 2 | 3 | 10k+ | Missing direct file access protection | ||
| #4122 | Protect Uploads | 99 | 2 | 1 | 40k+ | Missing direct file access protection | ||
| #4123 | Say What? | 99 | 3 | 2 | 40k+ | Missing direct file access protection | ||
| #4124 | Snow Monkey Editor | 99 | 2 | 3 | 30k+ | Non-prefixed global variable | ||
| #4125 | SO Page Builder Animate | 99 | 2 | 0 | 4k+ | Missing direct file access protection | ||
| #4126 | Solace Extra | 99 | 1 | 5 | 10k+ | Non-prefixed class | ||
| #4127 | Specia Companion | 99 | 7 | 0 | 4k+ | Missing direct file access protection | ||
| #4128 | Super block slider – Image & content slider | 99 | 1 | 2 | 9k+ | Missing direct file access protection | ||
| #4129 | Syntax-highlighting Code Block (with Server-side Rendering) | 99 | 1 | 1 | 1k+ | Missing direct file access protection | ||
| #4130 | Thumbnail Upscale | 99 | 2 | 0 | 3k+ | Missing direct file access protection | ||
| #4131 | Very Simple Google Maps | 99 | 2 | 0 | 3k+ | Missing direct file access protection | ||
| #4132 | Widget Post Slider | 99 | 2 | 0 | 1k+ | Missing direct file access protection | ||
| #4133 | Playlist Player for YouTube | 99 | 3 | 1 | 2k+ | Missing direct file access protection | ||
| #4134 | Automatic Cache Flusher for W3 Total Cache | 100 | 1 | 0 | 4k+ | Missing direct file access protection | ||
| #4135 | Definitely allow mobile zooming | 100 | 1 | 0 | 7k+ | Missing direct file access protection | ||
| #4136 | Disable Emojis (GDPR friendly) | 100 | 1 | 0 | 60k+ | Missing direct file access protection | ||
| #4137 | Disable XML-RPC | 100 | 1 | 0 | 200k+ | Missing direct file access protection | ||
| #4138 | Generate Child Theme | 100 | 1 | 0 | 9k+ | Missing direct file access protection | ||
| #4139 | Hyperlink Group Block | 100 | 1 | 0 | 7k+ | Missing direct file access protection | ||
| #4140 | Makeiteasy Slider | 100 | 1 | 0 | 1k+ | Missing direct file access protection | ||
| #4141 | Nelio Content – Editorial Calendar & Social Media Auto-Posting | 100 | 1 | 0 | 5k+ | Missing direct file access protection | ||
| #4142 | Shortcode Redirect | 100 | 1 | 0 | 10k+ | Missing direct file access protection | ||
| #4143 | Splide Carousel Block | 100 | 1 | 0 | 3k+ | Missing direct file access protection |
