missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4301 | WebinarPress – Webinar System for WordPress | 54 | 61 | 499 | 900 | Non-prefixed global variable | ||
| #4302 | Yeloni Exit Popup | (Free) GDPR Compliance | 54 | 41 | 12 | 700 | Output is not escaped | ||
| #4303 | YITH Proteo Toolkit | 54 | 130 | 64 | 1k+ | Text Domain Mismatch | ||
| #4304 | Admin Bar User Switching | 55 | 16 | 31 | 2k+ | Input is not validated | ||
| #4305 | Ascending Posts by Fly Plugins | 55 | 23 | 13 | 500 | Text Domain Mismatch | ||
| #4306 | Quick Buy Now Button for WooCommerce | 55 | 37 | 39 | 5k+ | Output is not escaped | ||
| #4307 | Clean Archives Reloaded | 55 | 25 | 6 | 600 | Unsafe printing function | ||
| #4308 | Custom Upload Dir | 55 | 63 | 7 | 5k+ | Missing Arg Domain | ||
| #4309 | Easy Quotes | 55 | 11 | 31 | 700 | Direct Query | ||
| #4310 | Email Template Customizer for WooCommerce | 55 | 552 | 248 | 20k+ | Text Domain Mismatch | ||
| #4311 | Enhanced Category Pages | 55 | 23 | 25 | 2k+ | Direct Query | ||
| #4312 | Feedbucket – Website Feedback Tool | 55 | 10 | 25 | 1k+ | Input is not validated | ||
| #4313 | Go Live Update Urls | 55 | 11 | 49 | 80k+ | Non-prefixed hook name | ||
| #4314 | Gutenify – Visual Site Builder Blocks & Site Templates | 55 | 66 | 40 | 5k+ | Missing Arg Domain | ||
| #4315 | Head Meta Data | 55 | 19 | 42 | 10k+ | Non-prefixed function | ||
| #4316 | Hide Admin Menu | 55 | 18 | 27 | 20k+ | Non-prefixed function | ||
| #4317 | Insert Pages | 55 | 52 | 30 | 40k+ | Output is not escaped | ||
| #4318 | JetWidgets For Elementor | 55 | 99 | 279 | 10k+ | Non-prefixed global variable | ||
| #4319 | Landingi Landing Pages | 55 | 18 | 23 | 2k+ | Input is not sanitized | ||
| #4320 | LoginPress | wp-login Custom Login Page Customizer | 55 | 125 | 308 | 200k+ | Non-prefixed function | ||
| #4321 | Mailster for WooCommerce | 55 | 23 | 32 | 1k+ | Non-prefixed global variable | ||
| #4322 | Marvy – Background Animations for Elementor | 55 | 63 | 34 | 4k+ | Text Domain Mismatch | ||
| #4323 | Mortgage Calculator | 55 | 98 | 16 | 4k+ | Text Domain Mismatch | ||
| #4324 | Page Tagger | 55 | 30 | 10 | 2k+ | Output is not escaped | ||
| #4325 | Virtual Robots.txt | 55 | 10 | 21 | 40k+ | Input is not validated | ||
| #4326 | Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder | 55 | 54 | 692 | 700k+ | Non-prefixed hook name | ||
| #4327 | Popup Maker – Responsive popup, Exit Intent Pop up, Email Optins, Autoresponder & More | 55 | 44 | 64 | 7k+ | Text Domain Mismatch | ||
| #4328 | Quick Bulk Post & Page Creator | 55 | 43 | 1 | 2k+ | Text Domain Mismatch | ||
| #4329 | Quick Bulk Term Taxonomy Creator | 55 | 37 | 2 | 400 | Text Domain Mismatch | ||
| #4330 | Refer A Friend for WooCommerce by WPGens | 55 | 77 | 21 | 1k+ | Text Domain Mismatch | ||
| #4331 | Rescue Shortcodes | 55 | 54 | 2 | 1k+ | Unsafe printing function | ||
| #4332 | Semrush Content Toolkit | 55 | 22 | 24 | 2k+ | Non-prefixed global variable | ||
| #4333 | SM Vertical Menu | 55 | 45 | 1 | 400 | Output is not escaped | ||
| #4334 | Free customer chat solution | 55 | 18 | 10 | 500 | Output is not escaped | ||
| #4335 | Themeflection Numbers – Number Counter and Animated Numbers | 55 | 224 | 73 | 3k+ | Text Domain Mismatch | ||
| #4336 | Trusona for WordPress | 55 | 8 | 34 | 500 | Non-prefixed function | ||
| #4337 | VK Block Patterns | 55 | 8 | 61 | 100k+ | Non-prefixed function | ||
| #4338 | Payment Integration Wompi – El Salvador | 55 | 50 | 27 | 800 | Text Domain Mismatch | ||
| #4339 | WP Ultimate Review | 55 | 23 | 381 | 70k+ | Non-prefixed global variable | ||
| #4340 | WPC Smart Messages for WooCommerce | 55 | 6 | 84 | 1k+ | Non-prefixed global variable | ||
| #4341 | Yext Plugin | 55 | 16 | 23 | 700 | Non-prefixed function | ||
| #4342 | Admin Bar Fix | 56 | 40 | 18 | 400 | Text Domain Mismatch | ||
| #4343 | AI Copilot – ChatGPT Chatbot & AI Engine for Post Automation | 56 | 65 | 20 | 1k+ | Text Domain Mismatch | ||
| #4344 | All in One SEO Pack Importer | 56 | 17 | 25 | 500 | Direct Query | ||
| #4345 | Anti-Captcha (anti-spam botblocker) | 56 | 23 | 26 | 1k+ | rand mt rand | ||
| #4346 | BotPenguin – Generative AI Chatbot with Live Chat & ChatGPT | 56 | 12 | 7 | 600 | Unsafe printing function | ||
| #4347 | SMTP by BestWebSoft | 56 | 486 | 175 | 1k+ | Text Domain Mismatch | ||
| #4348 | CHEQ Essentials | 56 | 14 | 49 | 700 | Request data is not unslashed | ||
| #4349 | Contextual Adminbar Color | 56 | 18 | 16 | 500 | Output is not escaped | ||
| #4350 | Debug Bar Cron | 56 | 73 | 1 | 400 | Output is not escaped |