missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4401 | Filter Orders by Product for WooCommerce | 57 | 9 | 21 | 4k+ | Nonce verification recommended | ||
| #4402 | WP Table Builder – Drag & Drop Table Builder | 57 | 63 | 39 | 50k+ | Not Allowed | ||
| #4403 | WP Wrapper | 57 | 13 | 29 | 600 | Input is not validated | ||
| #4404 | XML Feed for Skroutz & BestPrice for WooCommerce | 57 | 12 | 50 | 600 | Input is not sanitized | ||
| #4405 | Zoho Billing – Embed Payment Form | 57 | 22 | 10 | 500 | Output is not escaped | ||
| #4406 | WP Admin Category Search | 58 | 23 | 11 | 2k+ | Unsafe printing function | ||
| #4407 | Admin Page Notes | 58 | 17 | 15 | 700 | Text Domain Mismatch | ||
| #4408 | Basic User Avatars | 58 | 17 | 7 | 20k+ | Output is not escaped | ||
| #4409 | BCM Duplicate Menu | 58 | 8 | 11 | 4k+ | Nonce verification recommended | ||
| #4410 | Contact Form DB for Enfold | 58 | 21 | 14 | 700 | Output is not escaped | ||
| #4411 | CSSIgniter Shortcodes | 58 | 55 | 2 | 2k+ | Output is not escaped | ||
| #4412 | Custom Meta Widget | 58 | 55 | 2 | 7k+ | Output is not escaped | ||
| #4413 | Debloat – Remove Unused CSS, Optimize JS | 58 | 24 | 20 | 30k+ | Nonce verification recommended | ||
| #4414 | Departamentos y Ciudades de Colombia para Woocommerce | 58 | 49 | 42 | 6k+ | Text Domain Mismatch | ||
| #4415 | E-namad & Shamed Logo Manager | 58 | 26 | 2 | 2k+ | Output is not escaped | ||
| #4416 | Easy Social Box / Page Plugin | 58 | 53 | 4 | 4k+ | Output is not escaped | ||
| #4417 | Easy Sidebar Menu Widget | 58 | 32 | 7 | 2k+ | Output is not escaped | ||
| #4418 | PDF invoice for WP ERP | 58 | 96 | 134 | 2k+ | Non-prefixed global variable | ||
| #4419 | Flexible FAQ | 58 | 27 | 26 | 1k+ | Text Domain Mismatch | ||
| #4420 | Go Redirects URL Forwarder | 58 | 17 | 14 | 1k+ | Output is not escaped | ||
| #4421 | Gutenverse Form – Contact Form Builder, Block Form & Booking Form | 58 | 17 | 48 | 10k+ | Nonce verification recommended | ||
| #4422 | HAL | 58 | 106 | 24 | 500 | Text Domain Mismatch | ||
| #4423 | Houzez WooCommerce Addon | 58 | 22 | 21 | 4k+ | Missing Translators Comment | ||
| #4424 | License For Envato | 58 | 12 | 31 | 9k+ | Non-prefixed global variable | ||
| #4425 | List Last Changes | 58 | 50 | 15 | 1k+ | Output is not escaped | ||
| #4426 | Menu Swapper | 58 | 20 | 14 | 3k+ | Output is not escaped | ||
| #4427 | PageLoader Lite – Loading Screen | 58 | 29 | 17 | 700 | Output is not escaped | ||
| #4428 | Quickcreator – AI Blog Writer | 58 | 14 | 18 | 500 | Exception output is not escaped | ||
| #4429 | Random Post for Widget | 58 | 27 | 5 | 2k+ | Output is not escaped | ||
| #4430 | Remove CPT base | 58 | 15 | 16 | 10k+ | Input is not sanitized | ||
| #4431 | Responsive Select Menu | 58 | 29 | 27 | 3k+ | Output is not escaped | ||
| #4432 | Rewrite Rules Inspector | 58 | 7 | 59 | 10k+ | Nonce verification recommended | ||
| #4433 | Safety Exit | 58 | 52 | 26 | 1k+ | Text Domain Mismatch | ||
| #4434 | Simple Back To Top | 58 | 15 | 43 | 3k+ | Non-prefixed global variable | ||
| #4435 | Simple CSS for widgets | 58 | 11 | 15 | 1k+ | Missing nonce verification | ||
| #4436 | SportsPress for Basketball | 58 | 104 | 34 | 1k+ | Text Domain Mismatch | ||
| #4437 | SportsPress for Football (Soccer) | 58 | 107 | 34 | 6k+ | Text Domain Mismatch | ||
| #4438 | SportsPress for Volleyball | 58 | 107 | 34 | 500 | Text Domain Mismatch | ||
| #4439 | Super Simple Event Calendar | 58 | 8 | 24 | 600 | Request data is not unslashed | ||
| #4440 | UiCore Elements – Free widgets and templates for Elementor | 58 | 29 | 30 | 40k+ | Output is not escaped | ||
| #4441 | Videopack | 58 | 28 | 108 | 10k+ | Input is not sanitized | ||
| #4442 | View Admin As | 58 | 307 | 135 | 9k+ | Non Singular String Literal Domain | ||
| #4443 | VRTs – Visual Regression Tests | 58 | 61 | 118 | 900 | Database parameter is not escaped | ||
| #4444 | WebP Express Plus | 58 | 19 | 11 | 700 | Unsafe printing function | ||
| #4445 | Wettervorhersage | 58 | 49 | 7 | 1k+ | Output is not escaped | ||
| #4446 | Chat Button & Custom ChatGPT-Powered Bot by GetButton.io | 58 | 26 | 8 | 20k+ | Non-prefixed function | ||
| #4447 | WP Healthcheck | 58 | 37 | 73 | 1k+ | Non-prefixed global variable | ||
| #4448 | Social Media Auto Poster – Schedule & Publish to Buffer | 58 | 23 | 211 | 7k+ | Dynamic hook name | ||
| #4449 | Age Gator | 59 | 9 | 15 | 400 | Direct Query | ||
| #4450 | Blog Designer | 59 | 62 | 83 | 10k+ | Text Domain Mismatch |