missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4301WebinarPress – Webinar System for WordPress5461499900Non-prefixed global variable
#4302Yeloni Exit Popup | (Free) GDPR Compliance544112700Output is not escaped
#4303YITH Proteo Toolkit54130641k+Text Domain Mismatch
#4304Admin Bar User Switching5516312k+Input is not validated
#4305Ascending Posts by Fly Plugins552313500Text Domain Mismatch
#4306Quick Buy Now Button for WooCommerce5537395k+Output is not escaped
#4307Clean Archives Reloaded55256600Unsafe printing function
#4308Custom Upload Dir556375k+Missing Arg Domain
#4309Easy Quotes551131700Direct Query
#4310Email Template Customizer for WooCommerce5555224820k+Text Domain Mismatch
#4311Enhanced Category Pages5523252k+Direct Query
#4312Feedbucket – Website Feedback Tool5510251k+Input is not validated
#4313Go Live Update Urls55114980k+Non-prefixed hook name
#4314Gutenify – Visual Site Builder Blocks & Site Templates5566405k+Missing Arg Domain
#4315Head Meta Data55194210k+Non-prefixed function
#4316Hide Admin Menu55182720k+Non-prefixed function
#4317Insert Pages55523040k+Output is not escaped
#4318JetWidgets For Elementor559927910k+Non-prefixed global variable
#4319Landingi Landing Pages5518232k+Input is not sanitized
#4320LoginPress | wp-login Custom Login Page Customizer55125308200k+Non-prefixed function
#4321Mailster for WooCommerce5523321k+Non-prefixed global variable
#4322Marvy – Background Animations for Elementor5563344k+Text Domain Mismatch
#4323Mortgage Calculator5598164k+Text Domain Mismatch
#4324Page Tagger5530102k+Output is not escaped
#4325Virtual Robots.txt55102140k+Input is not validated
#4326Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder5554692700k+Non-prefixed hook name
#4327Popup Maker – Responsive popup, Exit Intent Pop up, Email Optins, Autoresponder & More5544647k+Text Domain Mismatch
#4328Quick Bulk Post & Page Creator554312k+Text Domain Mismatch
#4329Quick Bulk Term Taxonomy Creator55372400Text Domain Mismatch
#4330Refer A Friend for WooCommerce by WPGens5577211k+Text Domain Mismatch
#4331Rescue Shortcodes555421k+Unsafe printing function
#4332Semrush Content Toolkit5522242k+Non-prefixed global variable
#4333SM Vertical Menu55451400Output is not escaped
#4334Free customer chat solution551810500Output is not escaped
#4335Themeflection Numbers – Number Counter and Animated Numbers55224733k+Text Domain Mismatch
#4336Trusona for WordPress55834500Non-prefixed function
#4337VK Block Patterns55861100k+Non-prefixed function
#4338Payment Integration Wompi – El Salvador555027800Text Domain Mismatch
#4339WP Ultimate Review552338170k+Non-prefixed global variable
#4340WPC Smart Messages for WooCommerce556841k+Non-prefixed global variable
#4341Yext Plugin551623700Non-prefixed function
#4342Admin Bar Fix564018400Text Domain Mismatch
#4343AI Copilot – ChatGPT Chatbot & AI Engine for Post Automation5665201k+Text Domain Mismatch
#4344All in One SEO Pack Importer561725500Direct Query
#4345Anti-Captcha (anti-spam botblocker)5623261k+rand mt rand
#4346BotPenguin – Generative AI Chatbot with Live Chat & ChatGPT56127600Unsafe printing function
#4347SMTP by BestWebSoft564861751k+Text Domain Mismatch
#4348CHEQ Essentials561449700Request data is not unslashed
#4349Contextual Adminbar Color561816500Output is not escaped
#4350Debug Bar Cron56731400Output is not escaped