missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4251Social Media Widget53902130k+Text Domain Mismatch
#4252Morning for WooCommerce537591k+Non-prefixed global variable
#4253Weight Based Shipping for WooCommerce53484160k+Missing direct file access protection
#4254Widget Context53142040k+Non-prefixed hook name
#4255Widget Icon535310700Output is not escaped
#4256Widgets Reloaded5362201k+Output is not escaped
#4257WP Console – WordPress PHP Console powered by PsySH53344820k+Exception output is not escaped
#4258WP Login Logo53289500Unsafe printing function
#4259Peadig's Twitter Feed: Embedded Timeline WordPress Plugin53376600Output is not escaped
#4260AffiliateWP – Order Details For Affiliates5462272k+Output is not escaped
#4261Analytics Head54347600Output is not escaped
#4262Anant Addons for Elementor – Widgets, Templates & WooCommerce Builder5429207700Non-prefixed global variable
#4263Better Menu Widget54321600Output is not escaped
#4264Boostify Header Footer Builder for Elementor54419557k+Text Domain Mismatch
#4265CSV Importer5424113k+Missing direct file access protection
#4266Custom Category Templates5411113k+Unsafe printing function
#4267Customizable Post Listings544213700Deprecated parameter: the_author parameter 1
#4268Cyr-To-Lat541648300k+Dynamic hook name
#4269Disqus Comment System54173340k+Non-prefixed hook name
#4270Easy Elementor Addons – Addons Pack for Elementor Page Builder5435681k+Post Not In exclude
#4271Expandable Row for Beaver Builder541169900Text Domain Mismatch
#4272Expanding Archives543793k+Output is not escaped
#4273Extended User Search In WP-Admin5414171k+SQL query is not prepared
#4274F2 Tag Cloud Widget54662500Output is not escaped
#4275FireCask Like & Share Button54326400Output is not escaped
#4276Flexible Spacer Block5434154k+Unsafe printing function
#4277Gravity Forms + Custom Post Types5444710k+Output is not escaped
#4278Helpie FAQ — Accordion, Docs & Knowledge Base5496899k+Nonce verification recommended
#4279ImageMagick Sharpen Resized Images542261k+Output is not escaped
#4280PWA — easy way to Progressive Web App5415442k+Dynamic hook name
#4281Live Summary for Gravity Forms5415271k+Nonce verification recommended
#4282MSN Partner Hub5421251k+Missing direct file access protection
#4283Post Editor Buttons Fork54243800Unsafe printing function
#4284Reorder Terms5417381k+Nonce verification recommended
#4285Resize images before upload541951k+Output is not escaped
#4286Responsive Like Box, Like Box Widget544341k+Output is not escaped
#4287REST XML-RPC Data Checker541445900Input is not sanitized
#4288EMI Calculator542812700Output is not escaped
#4289Russian Currency54526400Output is not escaped
#4290AI Agent by SiteGround542861m+Exception output is not escaped
#4291Simple XML Sitemap Generator548283k+Non-prefixed function
#4292SimplyBook.me – Booking and reservations calendar54311330k+Exception output is not escaped
#4293SmartFormat feed for SmartNews5464271k+Missing Arg Domain
#4294Sp*tify Play Button for WordPress5421153k+Text Domain Mismatch
#4295Sticky Floating Forms Lite542629900Non-prefixed global variable
#4296Post Badges541913400Output is not escaped
#4297WP Call Button – Easy Click to Call Button for WordPress54213840k+Non-prefixed global variable
#4298WP Menu Icons54685220k+Text Domain Mismatch
#4299WP Post Navigation5414231k+Output is not escaped
#4300WP Resized Image Quality54199800Output is not escaped