missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4201YayMail – WooCommerce Email Customizer5116378850k+Non-prefixed global variable
#4202Affiliate Area Shortcodes by AffiliateWP5256162k+Text Domain Mismatch
#4203Age Gate Lite522832k+Output is not escaped
#4204Easy WP Page Navigation52608800Non Singular String Literal Domain
#4205Formstack Online Forms5239201k+Output is not escaped
#4206Full Screen Background5224262k+Missing direct file access protection
#4207Fullscreen Galleria523710800Output is not escaped
#4208GSheetConnector for Gravity Forms – Send Gravity Forms Entries to Google Sheets in Real-Time5226271k+Exception output is not escaped
#4209Hangul font nanumgothic – google5235161k+Output is not escaped
#4210LeadBooster Chatbot by Pipedrive523862k+Output is not escaped
#4211Metronet Tag Manager52173620k+Input is not validated
#4212Plugins Load Order523216500Non Singular String Literal Domain
#4213Podium5221235k+Missing direct file access protection
#4214Remove Uppercase Accents524128k+Unsafe printing function
#4215SEOWriting52102430k+Output is not escaped
#4216Stealth Publish52722900Missing nonce verification
#4217Custom Post Template By Templatic521914600Text Domain Mismatch
#4218Notiqoo – Order Notification & Customer Chat for WooCommerce52111871k+Non-prefixed global variable
#4219Wenprise Pinyin Slug5230344k+Text Domain Mismatch
#4220which template file5219124k+Output is not escaped
#4221Add to Cart Custom Redirect for WooCommerce5233132k+Text Domain Mismatch
#4222Price Based on Country for WooCommerce524312620k+Non-prefixed hook name
#4223WP Hooks Finder5227311k+Output is not escaped
#4224WP Secure Maintenance5228181k+Output is not escaped
#4225Automattic For Agencies Client5324918420k+Text Domain Mismatch
#4226Bg RuTube Embed5319211k+Unsafe printing function
#4227Column Shortcodes5332960k+Unsafe printing function
#4228Custom Post Type UI5316231m+Output is not escaped
#4229Disable Comments – Remove Comments & Stop Spam [Multi-Site Support]5315461m+Non-prefixed global variable
#4230Elegant Custom Fonts5315173k+Output is not escaped
#4231FakerPress536615210k+Non-prefixed global variable
#4232File Manager53416810k+Missing direct file access protection
#4233Focus Videos53369400Text Domain Mismatch
#4234International Telephone Input for Contact Form 75318108k+Missing direct file access protection
#4235LearnPress – bbPress Integration5319142k+Output is not escaped
#4236LuckyWP ACF Menu Field534695k+Short PHP open tag found
#4237MOBILOOK — Mobile View & Mobile‑Friendly Test5310201k+Missing nonce verification
#4238Multiple external product URLs for WooCommerce532817400Text Domain Mismatch
#4239Multiple Post Thumbnails53251820k+Output is not escaped
#4240ONTRApages5316271k+Output is not escaped
#4241워드프레스 결제 심플페이 – 우커머스 결제 플러그인5379921k+Missing direct file access protection
#4242Pinterest for WooCommerce534430300k+Exception output is not escaped
#4243Post Type Converter535281k+Nonce verification recommended
#4244Preserved HTML Editor Markup531222600Output is not escaped
#4245Preserved HTML Editor Markup Plus5312223k+Output is not escaped
#4246pretix widget532539400Non-prefixed global variable
#4247RDFa Breadcrumb532713600Output is not escaped
#4248Shamor535512400wp function not compatible with requires wp
#4249Simple Blog Stats5325764k+Non-prefixed function
#4250Simple Copy Post Button531424400Input is not sanitized