missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4401Filter Orders by Product for WooCommerce579214k+Nonce verification recommended
#4402WP Table Builder – Drag & Drop Table Builder57633950k+Not Allowed
#4403WP Wrapper571329600Input is not validated
#4404XML Feed for Skroutz & BestPrice for WooCommerce571250600Input is not sanitized
#4405Zoho Billing – Embed Payment Form572210500Output is not escaped
#4406WP Admin Category Search5823112k+Unsafe printing function
#4407Admin Page Notes581715700Text Domain Mismatch
#4408Basic User Avatars5817720k+Output is not escaped
#4409BCM Duplicate Menu588114k+Nonce verification recommended
#4410Contact Form DB for Enfold582114700Output is not escaped
#4411CSSIgniter Shortcodes585522k+Output is not escaped
#4412Custom Meta Widget585527k+Output is not escaped
#4413Debloat – Remove Unused CSS, Optimize JS58242030k+Nonce verification recommended
#4414Departamentos y Ciudades de Colombia para Woocommerce5849426k+Text Domain Mismatch
#4415E-namad & Shamed Logo Manager582622k+Output is not escaped
#4416Easy Social Box / Page Plugin585344k+Output is not escaped
#4417Easy Sidebar Menu Widget583272k+Output is not escaped
#4418PDF invoice for WP ERP58961342k+Non-prefixed global variable
#4419Flexible FAQ5827261k+Text Domain Mismatch
#4420Go Redirects URL Forwarder5817141k+Output is not escaped
#4421Gutenverse Form – Contact Form Builder, Block Form & Booking Form58174810k+Nonce verification recommended
#4422HAL5810624500Text Domain Mismatch
#4423Houzez WooCommerce Addon5822214k+Missing Translators Comment
#4424License For Envato5812319k+Non-prefixed global variable
#4425List Last Changes5850151k+Output is not escaped
#4426Menu Swapper5820143k+Output is not escaped
#4427PageLoader Lite – Loading Screen582917700Output is not escaped
#4428Quickcreator – AI Blog Writer581418500Exception output is not escaped
#4429Random Post for Widget582752k+Output is not escaped
#4430Remove CPT base58151610k+Input is not sanitized
#4431Responsive Select Menu5829273k+Output is not escaped
#4432Rewrite Rules Inspector5875910k+Nonce verification recommended
#4433Safety Exit5852261k+Text Domain Mismatch
#4434Simple Back To Top5815433k+Non-prefixed global variable
#4435Simple CSS for widgets5811151k+Missing nonce verification
#4436SportsPress for Basketball58104341k+Text Domain Mismatch
#4437SportsPress for Football (Soccer)58107346k+Text Domain Mismatch
#4438SportsPress for Volleyball5810734500Text Domain Mismatch
#4439Super Simple Event Calendar58824600Request data is not unslashed
#4440UiCore Elements – Free widgets and templates for Elementor58293040k+Output is not escaped
#4441Videopack582810810k+Input is not sanitized
#4442View Admin As583071359k+Non Singular String Literal Domain
#4443VRTs – Visual Regression Tests5861118900Database parameter is not escaped
#4444WebP Express Plus581911700Unsafe printing function
#4445Wettervorhersage584971k+Output is not escaped
#4446Chat Button & Custom ChatGPT-Powered Bot by GetButton.io5826820k+Non-prefixed function
#4447WP Healthcheck5837731k+Non-prefixed global variable
#4448Social Media Auto Poster – Schedule & Publish to Buffer58232117k+Dynamic hook name
#4449Age Gator59915400Direct Query
#4450Blog Designer59628310k+Text Domain Mismatch