missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4551 | Two Factor (2FA) Authentication via Email | 61 | 12 | 27 | 9k+ | Request data is not unslashed | ||
| #4552 | When Last Login – Export User Records | 61 | 18 | 13 | 500 | Output is not escaped | ||
| #4553 | Widget Click to Chat | 61 | 22 | 4 | 500 | Setting is missing a sanitization callback | ||
| #4554 | Wistia WordPress Plugin | 61 | 42 | 12 | 2k+ | Output is not escaped | ||
| #4555 | Order Weight for WooCommerce | 61 | 24 | 34 | 600 | Text Domain Mismatch | ||
| #4556 | Products Restricted Users for WooCommerce | 61 | 31 | 24 | 400 | wp function not compatible with requires wp | ||
| #4557 | wp-cleanumlauts2 | 61 | 32 | 22 | 1k+ | Output is not escaped | ||
| #4558 | WP-CORS | 61 | 7 | 23 | 1k+ | error log error log | ||
| #4559 | WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce | 61 | 22 | 74 | 1k+ | Non-prefixed global variable | ||
| #4560 | RSS Feed Retriever | 61 | 23 | 8 | 7k+ | wp function not compatible with requires wp | ||
| #4561 | Bulk Edit YOAST SEO fields in Spreadsheet | 61 | 56 | 16 | 1k+ | Non Singular String Literal Domain | ||
| #4562 | WP-UTF8-Excerpt | 61 | 17 | 10 | 700 | Unsafe printing function | ||
| #4563 | WP YouTube Player | 61 | 14 | 17 | 1k+ | Output is not escaped | ||
| #4564 | Related Products Slider for WooCommerce – Boost Sales with Smart Product Recommendations | 61 | 81 | 13 | 1k+ | Text Domain Mismatch | ||
| #4565 | AAM Protected Media Files | 62 | 13 | 10 | 600 | Direct Query | ||
| #4566 | Add Meta Tag Keywords | 62 | 6 | 15 | 1k+ | Missing nonce verification | ||
| #4567 | AMP Contact FORM 7 – AMPCF7 | 62 | 9 | 13 | 500 | Input is not validated | ||
| #4568 | ARI Fancy Lightbox – Popup for WordPress | 62 | 8 | 107 | 10k+ | Non-prefixed namespace | ||
| #4569 | Contact Form 7 – Blacklist Unwanted Email | 62 | 16 | 11 | 400 | Missing direct file access protection | ||
| #4570 | Bulk edit publish date | 62 | 11 | 16 | 1k+ | Nonce verification recommended | ||
| #4571 | Checkout Countdown for WooCommerce – Boost Conversions & Reduce Cart Abandonment | 62 | 43 | 12 | 3k+ | Output is not escaped | ||
| #4572 | Column Separator for Beaver Builder | 62 | 61 | 17 | 400 | Output is not escaped | ||
| #4573 | Kit (formerly ConvertKit) – Email Newsletter, Email Marketing, Membership, Subscribers and Landing Pages | 62 | 81 | 100 | 40k+ | Missing direct file access protection | ||
| #4574 | Custom Sidebars by ProteusThemes | 62 | 17 | 23 | 1k+ | Missing nonce verification | ||
| #4575 | Custom Site Logo | 62 | 26 | 4 | 1k+ | Unsafe printing function | ||
| #4576 | Dashboard Widget Sidebar | 62 | 9 | 16 | 400 | Input is not validated | ||
| #4577 | Disable Visual Editor WYSIWYG | 62 | 10 | 12 | 1k+ | Nonce verification recommended | ||
| #4578 | DreamHost Automated Migration | 62 | 15 | 23 | 20k+ | Output is not escaped | ||
| #4579 | exovia GDPR Google Maps | 62 | 40 | 6 | 4k+ | Output is not escaped | ||
| #4580 | Falcon – WordPress Optimizations & Tweaks | 62 | 47 | 66 | 2k+ | Short PHP open tag found | ||
| #4581 | Genesis Accessible | 62 | 49 | 17 | 500 | Text Domain Mismatch | ||
| #4582 | Get Chat App | 62 | 10 | 62 | 400 | Request data is not unslashed | ||
| #4583 | GetGenie – AI Content Writer with Keyword Research & SEO Tracking | 62 | 13 | 39 | 80k+ | Nonce verification recommended | ||
| #4584 | Include Matomo Tracking, by Jonas Hellmann | 62 | 14 | 4 | 500 | Setting is missing a sanitization callback | ||
| #4585 | Cron Jobs | 62 | 21 | 33 | 2k+ | Nonce verification recommended | ||
| #4586 | Live Simple Clock | 62 | 23 | 1 | 800 | Output is not escaped | ||
| #4587 | MainWP Key Maker | 62 | 3 | 35 | 4k+ | Input is not sanitized | ||
| #4588 | Migrate To Liquid Web & Nexcess | 62 | 15 | 23 | 2k+ | Output is not escaped | ||
| #4589 | Nimbata Call Tracking | 62 | 13 | 11 | 400 | Non-prefixed function | ||
| #4590 | Pressable Automated Migration | 62 | 15 | 23 | 3k+ | Output is not escaped | ||
| #4591 | Proofreading | 62 | 11 | 74 | 5k+ | Direct Query | ||
| #4592 | Responsive Slider Gallery – Responsive Image Photo Slider | 62 | 32 | 122 | 2k+ | Non-prefixed global variable | ||
| #4593 | Easy SSL Plugin for SAKURA Rental Server | 62 | 23 | 17 | 50k+ | Input is not sanitized | ||
| #4594 | Single Post Template | 62 | 14 | 8 | 4k+ | Text Domain Mismatch | ||
| #4595 | Standard Widget Extensions | 62 | 67 | 6 | 1k+ | Output is not escaped | ||
| #4596 | Testimonial Carousel For Elementor | 62 | 34 | 56 | 10k+ | No Html Wrapped Strings | ||
| #4597 | Uber Login Logo | 62 | 16 | 5 | 10k+ | Unsafe printing function | ||
| #4598 | WiserNotify – Social Proof & FOMO Notifications, WooCommerce Sales Popups, Reviews & Announcement Bar | 62 | 13 | 32 | 1k+ | Request data is not unslashed | ||
| #4599 | Woo Product Remover | 62 | 23 | 14 | 1k+ | SQL query is not prepared | ||
| #4600 | Satispay for WooCommerce | 62 | 19 | 12 | 7k+ | Exception output is not escaped |