missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4201 | YayMail – WooCommerce Email Customizer | 51 | 163 | 788 | 50k+ | Non-prefixed global variable | ||
| #4202 | Affiliate Area Shortcodes by AffiliateWP | 52 | 56 | 16 | 2k+ | Text Domain Mismatch | ||
| #4203 | Age Gate Lite | 52 | 28 | 3 | 2k+ | Output is not escaped | ||
| #4204 | Easy WP Page Navigation | 52 | 60 | 8 | 800 | Non Singular String Literal Domain | ||
| #4205 | Formstack Online Forms | 52 | 39 | 20 | 1k+ | Output is not escaped | ||
| #4206 | Full Screen Background | 52 | 24 | 26 | 2k+ | Missing direct file access protection | ||
| #4207 | Fullscreen Galleria | 52 | 37 | 10 | 800 | Output is not escaped | ||
| #4208 | GSheetConnector for Gravity Forms – Send Gravity Forms Entries to Google Sheets in Real-Time | 52 | 26 | 27 | 1k+ | Exception output is not escaped | ||
| #4209 | Hangul font nanumgothic – google | 52 | 35 | 16 | 1k+ | Output is not escaped | ||
| #4210 | LeadBooster Chatbot by Pipedrive | 52 | 38 | 6 | 2k+ | Output is not escaped | ||
| #4211 | Metronet Tag Manager | 52 | 17 | 36 | 20k+ | Input is not validated | ||
| #4212 | Plugins Load Order | 52 | 32 | 16 | 500 | Non Singular String Literal Domain | ||
| #4213 | Podium | 52 | 21 | 23 | 5k+ | Missing direct file access protection | ||
| #4214 | Remove Uppercase Accents | 52 | 41 | 2 | 8k+ | Unsafe printing function | ||
| #4215 | SEOWriting | 52 | 10 | 24 | 30k+ | Output is not escaped | ||
| #4216 | Stealth Publish | 52 | 7 | 22 | 900 | Missing nonce verification | ||
| #4217 | Custom Post Template By Templatic | 52 | 19 | 14 | 600 | Text Domain Mismatch | ||
| #4218 | Notiqoo – Order Notification & Customer Chat for WooCommerce | 52 | 11 | 187 | 1k+ | Non-prefixed global variable | ||
| #4219 | Wenprise Pinyin Slug | 52 | 30 | 34 | 4k+ | Text Domain Mismatch | ||
| #4220 | which template file | 52 | 19 | 12 | 4k+ | Output is not escaped | ||
| #4221 | Add to Cart Custom Redirect for WooCommerce | 52 | 33 | 13 | 2k+ | Text Domain Mismatch | ||
| #4222 | Price Based on Country for WooCommerce | 52 | 43 | 126 | 20k+ | Non-prefixed hook name | ||
| #4223 | WP Hooks Finder | 52 | 27 | 31 | 1k+ | Output is not escaped | ||
| #4224 | WP Secure Maintenance | 52 | 28 | 18 | 1k+ | Output is not escaped | ||
| #4225 | Automattic For Agencies Client | 53 | 249 | 184 | 20k+ | Text Domain Mismatch | ||
| #4226 | Bg RuTube Embed | 53 | 19 | 21 | 1k+ | Unsafe printing function | ||
| #4227 | Column Shortcodes | 53 | 32 | 9 | 60k+ | Unsafe printing function | ||
| #4228 | Custom Post Type UI | 53 | 16 | 23 | 1m+ | Output is not escaped | ||
| #4229 | Disable Comments – Remove Comments & Stop Spam [Multi-Site Support] | 53 | 15 | 46 | 1m+ | Non-prefixed global variable | ||
| #4230 | Elegant Custom Fonts | 53 | 15 | 17 | 3k+ | Output is not escaped | ||
| #4231 | FakerPress | 53 | 66 | 152 | 10k+ | Non-prefixed global variable | ||
| #4232 | File Manager | 53 | 41 | 68 | 10k+ | Missing direct file access protection | ||
| #4233 | Focus Videos | 53 | 36 | 9 | 400 | Text Domain Mismatch | ||
| #4234 | International Telephone Input for Contact Form 7 | 53 | 18 | 10 | 8k+ | Missing direct file access protection | ||
| #4235 | LearnPress – bbPress Integration | 53 | 19 | 14 | 2k+ | Output is not escaped | ||
| #4236 | LuckyWP ACF Menu Field | 53 | 46 | 9 | 5k+ | Short PHP open tag found | ||
| #4237 | MOBILOOK — Mobile View & Mobile‑Friendly Test | 53 | 10 | 20 | 1k+ | Missing nonce verification | ||
| #4238 | Multiple external product URLs for WooCommerce | 53 | 28 | 17 | 400 | Text Domain Mismatch | ||
| #4239 | Multiple Post Thumbnails | 53 | 25 | 18 | 20k+ | Output is not escaped | ||
| #4240 | ONTRApages | 53 | 16 | 27 | 1k+ | Output is not escaped | ||
| #4241 | 워드프레스 결제 심플페이 – 우커머스 결제 플러그인 | 53 | 79 | 92 | 1k+ | Missing direct file access protection | ||
| #4242 | Pinterest for WooCommerce | 53 | 44 | 30 | 300k+ | Exception output is not escaped | ||
| #4243 | Post Type Converter | 53 | 5 | 28 | 1k+ | Nonce verification recommended | ||
| #4244 | Preserved HTML Editor Markup | 53 | 12 | 22 | 600 | Output is not escaped | ||
| #4245 | Preserved HTML Editor Markup Plus | 53 | 12 | 22 | 3k+ | Output is not escaped | ||
| #4246 | pretix widget | 53 | 25 | 39 | 400 | Non-prefixed global variable | ||
| #4247 | RDFa Breadcrumb | 53 | 27 | 13 | 600 | Output is not escaped | ||
| #4248 | Shamor | 53 | 55 | 12 | 400 | wp function not compatible with requires wp | ||
| #4249 | Simple Blog Stats | 53 | 25 | 76 | 4k+ | Non-prefixed function | ||
| #4250 | Simple Copy Post Button | 53 | 14 | 24 | 400 | Input is not sanitized |