missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4151BestWebSoft's Twitter50477174900Text Domain Mismatch
#4152Ultimate Floating Widgets – Make popup sidebars5048143k+Output is not escaped
#4153Ultimate WooCommerce Brands508712500Text Domain Mismatch
#4154Veeqo for WooCommerce503017700Missing direct file access protection
#4155Calculadora de Frete e Campos Checkout para o Brasil5011385k+Missing nonce verification
#4156WP SVG Images50581230k+Text Domain Mismatch
#4157ACF: User Role Selector51412600Output is not escaped
#4158Cart Popup for WooCommerce5191159k+Non-prefixed global variable
#4159Address Geocoder511218500Output is not escaped
#4160Adjust Admin Categories51301210k+Output is not escaped
#4161AVIF Uploader5149444k+Missing Arg Domain
#4162Feeds for TikTok – Display Video Feeds in Grid Layouts5118591k+Request data is not unslashed
#4163Cards for Beaver Builder516311k+Output is not escaped
#4164Booqable Rental Plugin5181181k+wp function not compatible with requires wp
#4165Bootstrap Modals514381k+Output is not escaped
#4166WPML Multilingual for BuddyPress and BuddyBoss5118216k+SQL query is not prepared
#4167Category Archive Widget51542800Output is not escaped
#4168Counter Box – Add Countdowns, Timers & Dynamic Counters to WordPress5131161k+Missing nonce verification
#4169Dolyame Payment gateway5112210700Text Domain Mismatch
#4170Firelight Lightbox517897200k+Non-prefixed global variable
#4171GamiPress – Reset User511427400Interpolated SQL is not prepared
#4172Gravatar Enhanced – Avatars, Profiles, and Privacy513848100k+Dynamic hook name
#4173Gravity Forms No CAPTCHA reCAPTCHA51301710k+Text Domain Mismatch
#4174Gutenverse – WordPress Blocks, Page Builder & Site Editor51174720k+Non-prefixed hook name
#4175Hide Admin Bar51351720k+Unsafe printing function
#4176Interactive Globes – 3D World Maps5124104400Non-prefixed global variable
#4177Juicer.io: Effortlessly embed, curate, and aggregate social media feeds into your website5144349k+Output is not escaped
#4178KIA Subtitle5121197k+Non-prefixed global variable
#4179Menu Icons by Themeisle – Add Icons to Navigation Menus513422100k+Output is not escaped
#4180Lite Video Embed513571k+Output is not escaped
#4181POLi Payments for WooCommerce516226500Text Domain Mismatch
#4182Security-Protection51532400Missing nonce verification
#4183SePay Gateway5112392k+Nonce verification recommended
#4184Contact Information Widget51695500Output is not escaped
#4185Simple Cookie Notification Bar514961k+Text Domain Mismatch
#4186Popular Brand Icons – Simple Icons5120123k+Output is not escaped
#4187Redirect5126125k+Output is not escaped
#4188Star Rating Field For Contact Form 751367800Output is not escaped
#4189StoryChief5112551k+Input is not sanitized
#4190Tiny gtag.js Analytics51390400Output is not escaped
#4191Trustpilot Reviews51145230k+Missing nonce verification
#4192VK Filter Search5135716k+Nonce verification recommended
#4193Payment Gateway Payoneer For WooCommerce51935900Input is not validated
#4194Swift SMTP (formerly Welcome Email Editor)5112627k+Missing nonce verification
#4195WP Counter Up – Animated Number Counter & Milestone Showcase51182391k+Non-prefixed global variable
#4196REST API Log5144955k+Non-prefixed hook name
#4197Insert Code by Angie Makes51438900Output is not escaped
#4198YayMail – WooCommerce Email Customizer5116378850k+Non-prefixed global variable
#4199Affiliate Area Shortcodes by AffiliateWP5256162k+Text Domain Mismatch
#4200Age Gate Lite522832k+Output is not escaped