missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4551Two Factor (2FA) Authentication via Email6112279k+Request data is not unslashed
#4552When Last Login – Export User Records611813500Output is not escaped
#4553Widget Click to Chat61224500Setting is missing a sanitization callback
#4554Wistia WordPress Plugin6142122k+Output is not escaped
#4555Order Weight for WooCommerce612434600Text Domain Mismatch
#4556Products Restricted Users for WooCommerce613124400wp function not compatible with requires wp
#4557wp-cleanumlauts26132221k+Output is not escaped
#4558WP-CORS617231k+error log error log
#4559WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce6122741k+Non-prefixed global variable
#4560RSS Feed Retriever612387k+wp function not compatible with requires wp
#4561Bulk Edit YOAST SEO fields in Spreadsheet6156161k+Non Singular String Literal Domain
#4562WP-UTF8-Excerpt611710700Unsafe printing function
#4563WP YouTube Player6114171k+Output is not escaped
#4564Related Products Slider for WooCommerce – Boost Sales with Smart Product Recommendations6181131k+Text Domain Mismatch
#4565AAM Protected Media Files621310600Direct Query
#4566Add Meta Tag Keywords626151k+Missing nonce verification
#4567AMP Contact FORM 7 – AMPCF762913500Input is not validated
#4568ARI Fancy Lightbox – Popup for WordPress62810710k+Non-prefixed namespace
#4569Contact Form 7 – Blacklist Unwanted Email621611400Missing direct file access protection
#4570Bulk edit publish date6211161k+Nonce verification recommended
#4571Checkout Countdown for WooCommerce – Boost Conversions & Reduce Cart Abandonment6243123k+Output is not escaped
#4572Column Separator for Beaver Builder626117400Output is not escaped
#4573Kit (formerly ConvertKit) – Email Newsletter, Email Marketing, Membership, Subscribers and Landing Pages628110040k+Missing direct file access protection
#4574Custom Sidebars by ProteusThemes6217231k+Missing nonce verification
#4575Custom Site Logo622641k+Unsafe printing function
#4576Dashboard Widget Sidebar62916400Input is not validated
#4577Disable Visual Editor WYSIWYG6210121k+Nonce verification recommended
#4578DreamHost Automated Migration62152320k+Output is not escaped
#4579exovia GDPR Google Maps624064k+Output is not escaped
#4580Falcon – WordPress Optimizations & Tweaks6247662k+Short PHP open tag found
#4581Genesis Accessible624917500Text Domain Mismatch
#4582Get Chat App621062400Request data is not unslashed
#4583GetGenie – AI Content Writer with Keyword Research & SEO Tracking62133980k+Nonce verification recommended
#4584Include Matomo Tracking, by Jonas Hellmann62144500Setting is missing a sanitization callback
#4585Cron Jobs6221332k+Nonce verification recommended
#4586Live Simple Clock62231800Output is not escaped
#4587MainWP Key Maker623354k+Input is not sanitized
#4588Migrate To Liquid Web & Nexcess6215232k+Output is not escaped
#4589Nimbata Call Tracking621311400Non-prefixed function
#4590Pressable Automated Migration6215233k+Output is not escaped
#4591Proofreading6211745k+Direct Query
#4592Responsive Slider Gallery – Responsive Image Photo Slider62321222k+Non-prefixed global variable
#4593Easy SSL Plugin for SAKURA Rental Server62231750k+Input is not sanitized
#4594Single Post Template621484k+Text Domain Mismatch
#4595Standard Widget Extensions626761k+Output is not escaped
#4596Testimonial Carousel For Elementor62345610k+No Html Wrapped Strings
#4597Uber Login Logo6216510k+Unsafe printing function
#4598WiserNotify – Social Proof & FOMO Notifications, WooCommerce Sales Popups, Reviews & Announcement Bar6213321k+Request data is not unslashed
#4599Woo Product Remover6223141k+SQL query is not prepared
#4600Satispay for WooCommerce6219127k+Exception output is not escaped