missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4451Connect SendGrid for Emails5937103900Missing direct file access protection
#4452Custom API for WP59173161k+wp function not compatible with requires wp
#4453Display Post Types – Post Grid, post list and post sliders5924147k+Output is not escaped
#4454ELEX WooCommerce Name Your Price59295117600Missing Arg Domain
#4455etracker analytics591691k+Exception output is not escaped
#4456Fathom Analytics Conversions591447400Non-prefixed function
#4457flowpaper59133110k+Non-prefixed function
#4458FluentCommunity – Ultra-Fast High-Performance Social Network, Community, LMS & Online Courses5941148k+Exception output is not escaped
#4459GDPR Data Request Form5922195k+Missing direct file access protection
#4460Gettext override translations593372k+Missing Arg Domain
#4461Getty Images5911462k+Missing nonce verification
#4462Gravity Forms: Notification Attachments59187500Output is not escaped
#4463Gravity Forms Approvals Add-On59176800Output is not escaped
#4464GravityWP – Merge Tags59161722k+Non-prefixed global variable
#4465HTTP Headers59204350k+Nonce verification recommended
#4466Icon List5983111k+Text Domain Mismatch
#4467MapGeo – Interactive Geo Maps59145140k+Non-prefixed hook name
#4468JetSticky For Elementor59133830k+Nonce verification recommended
#4469Logo or Image Replace by mycore.global593012400Text Domain Mismatch
#4470Mango Buttons5914213k+Output is not escaped
#4471Pattern Wrangler – Manage Block Patterns and Pattern Categories591473400Non-prefixed global variable
#4472pensopay Payments v259413321k+Non Singular String Literal Domain
#4473Post Type Select Field for Advanced Custom Fields59481900Text Domain Mismatch
#4474SureFeedback Client Site5947245k+Text Domain Mismatch
#4475Resize Image After Upload59151180k+Output is not escaped
#4476Simplelightbox593241k+Output is not escaped
#4477Subscribers – Free Web Push Notifications5915111k+Output is not escaped
#4478Super Progressive Web Apps59622240k+wp function not compatible with requires wp
#4479Text Scroll Widget59302400Output is not escaped
#4480Typebot591793k+Output is not escaped
#4481Videojs HTML5 Player5912128k+Nonce verification recommended
#4482Konnect Payment Gateway for WooCommerce593916400Text Domain Mismatch
#4483Payment Gateway for LiqPay for Woocommerce5984311k+Text Domain Mismatch
#4484Hide Posts5997020k+Direct Query
#4485GST Invoice for WooCommerce5910421k+Missing nonce verification
#4486RevivePress – Keep your Old Content Evergreen5927465k+date date
#4487WP Shortcode by MyThemeShop5932510k+Output is not escaped
#4488Accesibilidad Web con el Widget de AccedeMe6022231k+Text Domain Mismatch
#4489Admin Menu Groups602610800Output is not escaped
#4490Bandsintown Events6080284k+wp function not compatible with requires wp
#4491Post Blocks & Tools60946400Missing nonce verification
#4492Contact Form 7 – Phone mask field6021720k+Unsafe printing function
#4493Contact Form 7 Modules6047155k+Text Domain Mismatch
#4494Disable Emails60251630k+Short PHP open tag found
#4495EPROLO-Dropshipping6016341k+Missing nonce verification
#4496FancyBox for WordPress601753330k+Text Domain Mismatch
#4497Freshchat6016101k+Output is not escaped
#4498GamiPress – Button60348900Text Domain Mismatch
#4499Genesis Featured Widget Amplified60126122k+Text Domain Mismatch
#4500HelloAsso60132894k+Short PHP open tag found