missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4351 | FluentSnippets – High-Performance Code Snippets, Header & Footer Code, Custom CSS & PHP Code Manager | 56 | 31 | 27 | 50k+ | Nonce verification recommended | ||
| #4352 | Easy Digital Downloads Featured Downloads | 56 | 15 | 15 | 1k+ | Output is not escaped | ||
| #4353 | Fluent Connect – Connect ThriveCart with your WordPress and FluentCRM | 56 | 37 | 54 | 600 | curl curl setopt | ||
| #4354 | FV Top Level Categories | 56 | 24 | 16 | 20k+ | Text Domain Mismatch | ||
| #4355 | Grids: Layout builder for WordPress | 56 | 24 | 27 | 2k+ | Missing direct file access protection | ||
| #4356 | Karma Music Player by Kadar | 56 | 47 | 9 | 700 | Output is not escaped | ||
| #4357 | Form data to kintone | 56 | 25 | 22 | 1k+ | Output is not escaped | ||
| #4358 | Kwayy HTML Sitemap | 56 | 13 | 19 | 6k+ | Missing nonce verification | ||
| #4359 | LearnPress – Course Wishlist | 56 | 35 | 22 | 20k+ | Output is not escaped | ||
| #4360 | Free Live Chat Support | 56 | 9 | 20 | 600 | Output is not escaped | ||
| #4361 | MAS Brands for WooCommerce | 56 | 80 | 15 | 10k+ | Text Domain Mismatch | ||
| #4362 | Maya Business Plugin | 56 | 9 | 39 | 500 | Input is not validated | ||
| #4363 | Pluginception | 56 | 7 | 29 | 4k+ | Request data is not unslashed | ||
| #4364 | Posts Columns Manager | 56 | 47 | 2 | 800 | Output is not escaped | ||
| #4365 | Quick Flickr Widget | 56 | 37 | 2 | 400 | Output is not escaped | ||
| #4366 | Replace Protected Password | 56 | 6 | 18 | 600 | Input is not sanitized | ||
| #4367 | Require Featured Image | 56 | 20 | 6 | 3k+ | Output is not escaped | ||
| #4368 | Review Stream | 56 | 41 | 42 | 400 | Non-prefixed global variable | ||
| #4369 | Seed Social | 56 | 36 | 7 | 6k+ | Output is not escaped | ||
| #4370 | Smooth Back To Top Button | 56 | 41 | 7 | 40k+ | Output is not escaped | ||
| #4371 | Subscriptions for WooCommerce with Stripe Recurring Payments | 56 | 10 | 467 | 800 | Non-prefixed global variable | ||
| #4372 | TextBuilder | 56 | 20 | 34 | 4k+ | Missing Arg Domain | ||
| #4373 | USERCENTRICS CMP | 56 | 44 | 11 | 1k+ | Non Singular String Literal Domain | ||
| #4374 | Export & Import WPBakery Page Builder | 56 | 12 | 20 | 9k+ | Missing nonce verification | ||
| #4375 | Video Dashboard | 56 | 33 | 1 | 600 | Output is not escaped | ||
| #4376 | Weer | 56 | 54 | 6 | 400 | Output is not escaped | ||
| #4377 | easy AMP | 56 | 10 | 24 | 600 | Input is not sanitized | ||
| #4378 | Social Chat – Click To Chat App Button | 56 | 81 | 45 | 200k+ | Text Domain Mismatch | ||
| #4379 | Blog Time | 57 | 38 | 6 | 600 | Output is not escaped | ||
| #4380 | Pantheon Migrations | 57 | 15 | 26 | 1k+ | Output is not escaped | ||
| #4381 | BestWebSoft’s Pinterest | 57 | 490 | 176 | 500 | Text Domain Mismatch | ||
| #4382 | Cache-Control | 57 | 26 | 4 | 1k+ | Output is not escaped | ||
| #4383 | Change Login Page Logo | 57 | 69 | 8 | 1k+ | Output is not escaped | ||
| #4384 | Known Agents – Track AI Bots and Crawlers, Block Scrapers, Analyze LLM Referral Traffic | 57 | 37 | 12 | 1k+ | Setting is missing a sanitization callback | ||
| #4385 | Delete Pending Comments | 57 | 16 | 11 | 10k+ | Unsafe printing function | ||
| #4386 | Live Chat by Formilla – Real-time Chat & Chatbots Plugin | 57 | 22 | 13 | 2k+ | Missing Arg Domain | ||
| #4387 | APG Google Image Sitemap Feed | 57 | 36 | 33 | 900 | Non-prefixed global variable | ||
| #4388 | Gravity PDF | 57 | 116 | 152 | 20k+ | Non-prefixed global variable | ||
| #4389 | iConvert Promoter | 57 | 98 | 217 | 2k+ | Non-prefixed global variable | ||
| #4390 | Internal Link Juicer: SEO Auto Linker for WordPress | 57 | 12 | 61 | 90k+ | Database parameter is not escaped | ||
| #4391 | iZooto – Web Push Notifications | 57 | 26 | 25 | 1k+ | wp function not compatible with requires wp | ||
| #4392 | Jquery Validation For Contact Form 7 | 57 | 16 | 19 | 9k+ | Missing direct file access protection | ||
| #4393 | My WordPress Login Logo | 57 | 28 | 36 | 10k+ | Non-prefixed global variable | ||
| #4394 | Plugin Notes | 57 | 17 | 29 | 400 | Input is not validated | ||
| #4395 | Protected Posts Logout Button | 57 | 10 | 20 | 1k+ | Input is not sanitized | ||
| #4396 | Public Post Preview | 57 | 8 | 11 | 100k+ | Nonce verification recommended | ||
| #4397 | Remove admin menus by role | 57 | 5 | 54 | 8k+ | Input is not validated | ||
| #4398 | Replain | 57 | 21 | 9 | 700 | Output is not escaped | ||
| #4399 | Search Exclude | 57 | 73 | 40 | 50k+ | Text Domain Mismatch | ||
| #4400 | Site Health Tool Manager | 57 | 13 | 5 | 1k+ | Unsafe printing function |