missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4651Dotdigital for WordPress6441123400Dynamic hook name
#4652Download Theme6418204k+wp function not compatible with requires wp
#4653ELEX WooCommerce Product Price Custom Text (Before & After Text) and Discount644441372k+Missing Arg Domain
#4654Embed Google Fonts642875k+Output is not escaped
#4655Estonian Shipping Methods for WooCommerce6497161k+Text Domain Mismatch
#4656Evermore648121k+Input is not validated
#4657Favicon XT-Manager649122k+Output is not escaped
#4658Icon Element – Icon Pack for Elementor Page Builder (6718 icons)64301640k+wp function not compatible with requires wp
#4659Online Payments with iK Pay Gateway6412281k+Missing nonce verification
#4660Inactive Logout64307110k+Non-prefixed global variable
#4661Integrate Firebase64267500Output is not escaped
#4662Kama SpamBlock642975k+Short PHP open tag found
#4663Master Post Advert642641k+Unsafe printing function
#4664Meks Easy Social Share6426310k+Output is not escaped
#4665Moosend Website Connector6415121k+Non Singular String Literal Domain
#4666Most Popular Post Widget64403400Output is not escaped
#4667MultiSafepay plugin for WooCommerce6413352k+Missing nonce verification
#4668Nofollow for external link648510k+Output is not escaped
#4669Page in Widget642601k+Output is not escaped
#4670Page Tag Cloud64213500Output is not escaped
#4671Pageviews6415121k+Missing Translators Comment
#4672PHP Code Widget6422180k+Output is not escaped
#4673Product Import Export for WooCommerce – Import Export Product CSV Suite6424676680k+Non-prefixed global variable
#4674Send From64518500Input is not sanitized
#4675SMK Sidebar Generator6419510k+Output is not escaped
#4676Stancer for WooCommerce642108400Non-prefixed global variable
#4677Thumbnail Crop Position644312k+Output is not escaped
#4678TP Show Product Images on Checkout Page for WooCommerce64165500Setting is missing a sanitization callback
#4679Twitter6427239k+Missing Translators Comment
#4680WProofreader spell & grammar check plugin for WordPress6412434k+Non-prefixed global variable
#4681Werk aan de Muur644820900Non Singular String Literal Domain
#4682WP REST API Controller648228k+Nonce verification recommended
#4683WP REST Cache641111310k+Direct Query
#4684WP Search with Algolia6427167k+Missing direct file access protection
#4685YaMaps for WordPress Plugin64213010k+Non-prefixed global variable
#4686Яндекс.ПДС Пингер / Yandex Site search pinger64215800Output is not escaped
#4687ACF: Sidebar Selector65272800Output is not escaped
#4688AI Provider for Google6532130k+Exception output is not escaped
#4689Authorizer653545k+Nonce verification recommended
#4690Banner Upload65364500Output is not escaped
#4691Contact Form 7 – Success Page Redirects6551510k+Input is not sanitized
#4692Creta Testimonial Showcase6528413k+Non-prefixed global variable
#4693Custom Global Variables6514125k+Output is not escaped
#4694Custom Product Tabs for WooCommerce WP All Import Add-on6518181k+Non-prefixed global variable
#4695Custom Share Buttons with Floating Sidebar65164204k+Text Domain Mismatch
#4696Dashboard Directory Size65329400Missing Arg Domain
#4697Disable REST API65121580k+Output is not escaped
#4698Easy Twitter Feed Widget Plugin65901510k+Text Domain Mismatch
#4699Email Tracker65254800SQL query is not prepared
#4700Live Chat with Messenger Customer Chat6510233k+Input is not sanitized