missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4351FluentSnippets – High-Performance Code Snippets, Header & Footer Code, Custom CSS & PHP Code Manager56312750k+Nonce verification recommended
#4352Easy Digital Downloads Featured Downloads5615151k+Output is not escaped
#4353Fluent Connect – Connect ThriveCart with your WordPress and FluentCRM563754600curl curl setopt
#4354FV Top Level Categories56241620k+Text Domain Mismatch
#4355Grids: Layout builder for WordPress5624272k+Missing direct file access protection
#4356Karma Music Player by Kadar56479700Output is not escaped
#4357Form data to kintone5625221k+Output is not escaped
#4358Kwayy HTML Sitemap5613196k+Missing nonce verification
#4359LearnPress – Course Wishlist56352220k+Output is not escaped
#4360Free Live Chat Support56920600Output is not escaped
#4361MAS Brands for WooCommerce56801510k+Text Domain Mismatch
#4362Maya Business Plugin56939500Input is not validated
#4363Pluginception567294k+Request data is not unslashed
#4364Posts Columns Manager56472800Output is not escaped
#4365Quick Flickr Widget56372400Output is not escaped
#4366Replace Protected Password56618600Input is not sanitized
#4367Require Featured Image562063k+Output is not escaped
#4368Review Stream564142400Non-prefixed global variable
#4369Seed Social563676k+Output is not escaped
#4370Smooth Back To Top Button5641740k+Output is not escaped
#4371Subscriptions for WooCommerce with Stripe Recurring Payments5610467800Non-prefixed global variable
#4372TextBuilder5620344k+Missing Arg Domain
#4373USERCENTRICS CMP5644111k+Non Singular String Literal Domain
#4374Export & Import WPBakery Page Builder5612209k+Missing nonce verification
#4375Video Dashboard56331600Output is not escaped
#4376Weer56546400Output is not escaped
#4377easy AMP561024600Input is not sanitized
#4378Social Chat – Click To Chat App Button568145200k+Text Domain Mismatch
#4379Blog Time57386600Output is not escaped
#4380Pantheon Migrations5715261k+Output is not escaped
#4381BestWebSoft’s Pinterest57490176500Text Domain Mismatch
#4382Cache-Control572641k+Output is not escaped
#4383Change Login Page Logo576981k+Output is not escaped
#4384Known Agents – Track AI Bots and Crawlers, Block Scrapers, Analyze LLM Referral Traffic5737121k+Setting is missing a sanitization callback
#4385Delete Pending Comments57161110k+Unsafe printing function
#4386Live Chat by Formilla – Real-time Chat & Chatbots Plugin5722132k+Missing Arg Domain
#4387APG Google Image Sitemap Feed573633900Non-prefixed global variable
#4388Gravity PDF5711615220k+Non-prefixed global variable
#4389iConvert Promoter57982172k+Non-prefixed global variable
#4390Internal Link Juicer: SEO Auto Linker for WordPress57126190k+Database parameter is not escaped
#4391iZooto – Web Push Notifications5726251k+wp function not compatible with requires wp
#4392Jquery Validation For Contact Form 75716199k+Missing direct file access protection
#4393My WordPress Login Logo57283610k+Non-prefixed global variable
#4394Plugin Notes571729400Input is not validated
#4395Protected Posts Logout Button5710201k+Input is not sanitized
#4396Public Post Preview57811100k+Nonce verification recommended
#4397Remove admin menus by role575548k+Input is not validated
#4398Replain57219700Output is not escaped
#4399Search Exclude57734050k+Text Domain Mismatch
#4400Site Health Tool Manager571351k+Unsafe printing function