missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4601 | WP Charts and Graphs – WordPress Chart Plugin | 62 | 8 | 29 | 1k+ | Input is not sanitized | ||
| #4602 | WP Downloader | 62 | 11 | 15 | 2k+ | Output is not escaped | ||
| #4603 | Wp Theme plugin Download | 62 | 11 | 16 | 2k+ | Output is not escaped | ||
| #4604 | XPoster – Share to Bluesky and Mastodon | 62 | 26 | 36 | 10k+ | Missing nonce verification | ||
| #4605 | Migrate to WordPress.com | 62 | 15 | 28 | 2k+ | Output is not escaped | ||
| #4606 | Zen Menu Logic | 62 | 19 | 3 | 1k+ | Output is not escaped | ||
| #4607 | Automatic Featured Images from Videos | 63 | 13 | 13 | 7k+ | Missing direct file access protection | ||
| #4608 | cbnet Multi Author Comment Notification | 63 | 18 | 7 | 1k+ | Output is not escaped | ||
| #4609 | Christmasify! | 63 | 18 | 7 | 2k+ | Output is not escaped | ||
| #4610 | Classic Editor and Classic Widgets | 63 | 19 | 41 | 20k+ | Nonce verification recommended | ||
| #4611 | Countdown | 63 | 43 | 0 | 400 | Output is not escaped | ||
| #4612 | Creative Clans Embed Script | 63 | 10 | 9 | 600 | Input is not sanitized | ||
| #4613 | Custom post types, Custom Fields & more | 63 | 101 | 22 | 3k+ | Missing Translators Comment | ||
| #4614 | Dadevarzan Beaver Builder Modules | 63 | 167 | 5 | 600 | Text Domain Mismatch | ||
| #4615 | Placeholder Image for WooCommerce | 63 | 31 | 5 | 400 | Output is not escaped | ||
| #4616 | Dehkadeh Fonts | 63 | 117 | 5 | 800 | Text Domain Mismatch | ||
| #4617 | Email Post Changes | 63 | 43 | 8 | 500 | Missing Arg Domain | ||
| #4618 | EMI Calculator | 63 | 37 | 1 | 400 | Setting is missing a sanitization callback | ||
| #4619 | Essential Addons for Elementor – Popular Elementor Templates & Widgets | 63 | 78 | 184 | 2m+ | wp function not compatible with requires wp | ||
| #4620 | Fathom Analytics for WP | 63 | 25 | 15 | 10k+ | Output is not escaped | ||
| #4621 | FeedFocal | 63 | 16 | 6 | 2k+ | Unsafe printing function | ||
| #4622 | Hide Admin Bar From Front End | 63 | 8 | 17 | 1k+ | Input is not validated | ||
| #4623 | Image Sitemap | 63 | 11 | 14 | 400 | Output is not escaped | ||
| #4624 | IndexNow Plugin | 63 | 14 | 91 | 100k+ | error log error log | ||
| #4625 | Instant Images – One-click Image Uploads from Unsplash, Openverse, Pixabay, Pexels, and Giphy | 63 | 31 | 16 | 100k+ | Missing direct file access protection | ||
| #4626 | Social Intents – Live Chat | 63 | 42 | 11 | 400 | Non Singular String Literal Domain | ||
| #4627 | Mailster Google Analytics | 63 | 26 | 9 | 900 | Output is not escaped | ||
| #4628 | Mantenimiento web | 63 | 49 | 15 | 20k+ | Text Domain Mismatch | ||
| #4629 | Missed Scheduled Posts Publisher by WPBeginner | 63 | 16 | 17 | 30k+ | Text Domain Mismatch | ||
| #4630 | MooWoodle – WordPress Moodle LMS Integration, Sell Moodle Courses via WooCommerce | 63 | 10 | 45 | 800 | No Caching | ||
| #4631 | Order auto complete for WooCommerce | 63 | 56 | 22 | 1k+ | Text Domain Mismatch | ||
| #4632 | Query Posts | 63 | 53 | 6 | 800 | Output is not escaped | ||
| #4633 | Recent Posts by Category Widget | 63 | 24 | 0 | 4k+ | Output is not escaped | ||
| #4634 | Simple Membership After Login Redirection | 63 | 4 | 24 | 10k+ | Missing nonce verification | ||
| #4635 | Slightly troublesome permalink | 63 | 24 | 10 | 1k+ | Non Singular String Literal Domain | ||
| #4636 | Contact Form to Chat Apps | Click to Chat to Order – FormyChat | 63 | 30 | 134 | 3k+ | Direct Query | ||
| #4637 | Rating Widget: Post Rating, 5 Star Rating, Reviews, Thumbs Up & Down, Reaction | 63 | 177 | 27 | 400 | Missing direct file access protection | ||
| #4638 | Phone Validator for WooCommerce | 63 | 8 | 33 | 1k+ | Missing nonce verification | ||
| #4639 | WT Yandex Metrika | 63 | 35 | 0 | 5k+ | Output is not escaped | ||
| #4640 | Admin CSS MU | 64 | 30 | 582 | 10k+ | Non-prefixed global variable | ||
| #4641 | Admin filter posts by year | 64 | 8 | 32 | 400 | Non-prefixed function | ||
| #4642 | Beautiful taxonomy filters | 64 | 38 | 78 | 2k+ | Non-prefixed global variable | ||
| #4643 | Broadly for WordPress | 64 | 18 | 5 | 500 | Unsafe printing function | ||
| #4644 | UniqueID for Contact Form 7 | 64 | 21 | 18 | 2k+ | Text Domain Mismatch | ||
| #4645 | CodeColorer | 64 | 65 | 266 | 1k+ | Non-prefixed global variable | ||
| #4646 | Collapsing Archives | 64 | 36 | 9 | 3k+ | date date | ||
| #4647 | Comment Blacklist Manager | 64 | 14 | 8 | 600 | Output is not escaped | ||
| #4648 | Advanced Comment Form | 64 | 68 | 6 | 4k+ | Output is not escaped | ||
| #4649 | DataFeedWatch Connector for WooCommerce | 64 | 16 | 112 | 600 | Non-prefixed hook name | ||
| #4650 | Disabler | 64 | 212 | 38 | 900 | Text Domain Mismatch |