missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4251 | Social Media Widget | 53 | 90 | 21 | 30k+ | Text Domain Mismatch | ||
| #4252 | Morning for WooCommerce | 53 | 7 | 59 | 1k+ | Non-prefixed global variable | ||
| #4253 | Weight Based Shipping for WooCommerce | 53 | 48 | 41 | 60k+ | Missing direct file access protection | ||
| #4254 | Widget Context | 53 | 14 | 20 | 40k+ | Non-prefixed hook name | ||
| #4255 | Widget Icon | 53 | 53 | 10 | 700 | Output is not escaped | ||
| #4256 | Widgets Reloaded | 53 | 62 | 20 | 1k+ | Output is not escaped | ||
| #4257 | WP Console – WordPress PHP Console powered by PsySH | 53 | 34 | 48 | 20k+ | Exception output is not escaped | ||
| #4258 | WP Login Logo | 53 | 28 | 9 | 500 | Unsafe printing function | ||
| #4259 | Peadig's Twitter Feed: Embedded Timeline WordPress Plugin | 53 | 37 | 6 | 600 | Output is not escaped | ||
| #4260 | AffiliateWP – Order Details For Affiliates | 54 | 62 | 27 | 2k+ | Output is not escaped | ||
| #4261 | Analytics Head | 54 | 34 | 7 | 600 | Output is not escaped | ||
| #4262 | Anant Addons for Elementor – Widgets, Templates & WooCommerce Builder | 54 | 29 | 207 | 700 | Non-prefixed global variable | ||
| #4263 | Better Menu Widget | 54 | 32 | 1 | 600 | Output is not escaped | ||
| #4264 | Boostify Header Footer Builder for Elementor | 54 | 419 | 55 | 7k+ | Text Domain Mismatch | ||
| #4265 | CSV Importer | 54 | 24 | 11 | 3k+ | Missing direct file access protection | ||
| #4266 | Custom Category Templates | 54 | 11 | 11 | 3k+ | Unsafe printing function | ||
| #4267 | Customizable Post Listings | 54 | 42 | 13 | 700 | Deprecated parameter: the_author parameter 1 | ||
| #4268 | Cyr-To-Lat | 54 | 16 | 48 | 300k+ | Dynamic hook name | ||
| #4269 | Disqus Comment System | 54 | 17 | 33 | 40k+ | Non-prefixed hook name | ||
| #4270 | Easy Elementor Addons – Addons Pack for Elementor Page Builder | 54 | 35 | 68 | 1k+ | Post Not In exclude | ||
| #4271 | Expandable Row for Beaver Builder | 54 | 116 | 9 | 900 | Text Domain Mismatch | ||
| #4272 | Expanding Archives | 54 | 37 | 9 | 3k+ | Output is not escaped | ||
| #4273 | Extended User Search In WP-Admin | 54 | 14 | 17 | 1k+ | SQL query is not prepared | ||
| #4274 | F2 Tag Cloud Widget | 54 | 66 | 2 | 500 | Output is not escaped | ||
| #4275 | FireCask Like & Share Button | 54 | 32 | 6 | 400 | Output is not escaped | ||
| #4276 | Flexible Spacer Block | 54 | 34 | 15 | 4k+ | Unsafe printing function | ||
| #4277 | Gravity Forms + Custom Post Types | 54 | 44 | 7 | 10k+ | Output is not escaped | ||
| #4278 | Helpie FAQ — Accordion, Docs & Knowledge Base | 54 | 96 | 89 | 9k+ | Nonce verification recommended | ||
| #4279 | ImageMagick Sharpen Resized Images | 54 | 22 | 6 | 1k+ | Output is not escaped | ||
| #4280 | PWA — easy way to Progressive Web App | 54 | 15 | 44 | 2k+ | Dynamic hook name | ||
| #4281 | Live Summary for Gravity Forms | 54 | 15 | 27 | 1k+ | Nonce verification recommended | ||
| #4282 | MSN Partner Hub | 54 | 21 | 25 | 1k+ | Missing direct file access protection | ||
| #4283 | Post Editor Buttons Fork | 54 | 24 | 3 | 800 | Unsafe printing function | ||
| #4284 | Reorder Terms | 54 | 17 | 38 | 1k+ | Nonce verification recommended | ||
| #4285 | Resize images before upload | 54 | 19 | 5 | 1k+ | Output is not escaped | ||
| #4286 | Responsive Like Box, Like Box Widget | 54 | 43 | 4 | 1k+ | Output is not escaped | ||
| #4287 | REST XML-RPC Data Checker | 54 | 14 | 45 | 900 | Input is not sanitized | ||
| #4288 | EMI Calculator | 54 | 28 | 12 | 700 | Output is not escaped | ||
| #4289 | Russian Currency | 54 | 52 | 6 | 400 | Output is not escaped | ||
| #4290 | AI Agent by SiteGround | 54 | 28 | 6 | 1m+ | Exception output is not escaped | ||
| #4291 | Simple XML Sitemap Generator | 54 | 8 | 28 | 3k+ | Non-prefixed function | ||
| #4292 | SimplyBook.me – Booking and reservations calendar | 54 | 31 | 13 | 30k+ | Exception output is not escaped | ||
| #4293 | SmartFormat feed for SmartNews | 54 | 64 | 27 | 1k+ | Missing Arg Domain | ||
| #4294 | Sp*tify Play Button for WordPress | 54 | 21 | 15 | 3k+ | Text Domain Mismatch | ||
| #4295 | Sticky Floating Forms Lite | 54 | 26 | 29 | 900 | Non-prefixed global variable | ||
| #4296 | Post Badges | 54 | 19 | 13 | 400 | Output is not escaped | ||
| #4297 | WP Call Button – Easy Click to Call Button for WordPress | 54 | 21 | 38 | 40k+ | Non-prefixed global variable | ||
| #4298 | WP Menu Icons | 54 | 68 | 52 | 20k+ | Text Domain Mismatch | ||
| #4299 | WP Post Navigation | 54 | 14 | 23 | 1k+ | Output is not escaped | ||
| #4300 | WP Resized Image Quality | 54 | 19 | 9 | 800 | Output is not escaped |