missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4601WP Charts and Graphs – WordPress Chart Plugin628291k+Input is not sanitized
#4602WP Downloader6211152k+Output is not escaped
#4603Wp Theme plugin Download6211162k+Output is not escaped
#4604XPoster – Share to Bluesky and Mastodon62263610k+Missing nonce verification
#4605Migrate to WordPress.com6215282k+Output is not escaped
#4606Zen Menu Logic621931k+Output is not escaped
#4607Automatic Featured Images from Videos6313137k+Missing direct file access protection
#4608cbnet Multi Author Comment Notification631871k+Output is not escaped
#4609Christmasify!631872k+Output is not escaped
#4610Classic Editor and Classic Widgets63194120k+Nonce verification recommended
#4611Countdown63430400Output is not escaped
#4612Creative Clans Embed Script63109600Input is not sanitized
#4613Custom post types, Custom Fields & more63101223k+Missing Translators Comment
#4614Dadevarzan Beaver Builder Modules631675600Text Domain Mismatch
#4615Placeholder Image for WooCommerce63315400Output is not escaped
#4616Dehkadeh Fonts631175800Text Domain Mismatch
#4617Email Post Changes63438500Missing Arg Domain
#4618EMI Calculator63371400Setting is missing a sanitization callback
#4619Essential Addons for Elementor – Popular Elementor Templates & Widgets63781842m+wp function not compatible with requires wp
#4620Fathom Analytics for WP63251510k+Output is not escaped
#4621FeedFocal631662k+Unsafe printing function
#4622Hide Admin Bar From Front End638171k+Input is not validated
#4623Image Sitemap631114400Output is not escaped
#4624IndexNow Plugin631491100k+error log error log
#4625Instant Images – One-click Image Uploads from Unsplash, Openverse, Pixabay, Pexels, and Giphy633116100k+Missing direct file access protection
#4626Social Intents – Live Chat634211400Non Singular String Literal Domain
#4627Mailster Google Analytics63269900Output is not escaped
#4628Mantenimiento web63491520k+Text Domain Mismatch
#4629Missed Scheduled Posts Publisher by WPBeginner63161730k+Text Domain Mismatch
#4630MooWoodle – WordPress Moodle LMS Integration, Sell Moodle Courses via WooCommerce631045800No Caching
#4631Order auto complete for WooCommerce6356221k+Text Domain Mismatch
#4632Query Posts63536800Output is not escaped
#4633Recent Posts by Category Widget632404k+Output is not escaped
#4634Simple Membership After Login Redirection6342410k+Missing nonce verification
#4635Slightly troublesome permalink6324101k+Non Singular String Literal Domain
#4636Contact Form to Chat Apps | Click to Chat to Order – FormyChat63301343k+Direct Query
#4637Rating Widget: Post Rating, 5 Star Rating, Reviews, Thumbs Up & Down, Reaction6317727400Missing direct file access protection
#4638Phone Validator for WooCommerce638331k+Missing nonce verification
#4639WT Yandex Metrika633505k+Output is not escaped
#4640Admin CSS MU643058210k+Non-prefixed global variable
#4641Admin filter posts by year64832400Non-prefixed function
#4642Beautiful taxonomy filters6438782k+Non-prefixed global variable
#4643Broadly for WordPress64185500Unsafe printing function
#4644UniqueID for Contact Form 76421182k+Text Domain Mismatch
#4645CodeColorer64652661k+Non-prefixed global variable
#4646Collapsing Archives643693k+date date
#4647Comment Blacklist Manager64148600Output is not escaped
#4648Advanced Comment Form646864k+Output is not escaped
#4649DataFeedWatch Connector for WooCommerce6416112600Non-prefixed hook name
#4650Disabler6421238900Text Domain Mismatch