missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4651 | Dotdigital for WordPress | 64 | 41 | 123 | 400 | Dynamic hook name | ||
| #4652 | Download Theme | 64 | 18 | 20 | 4k+ | wp function not compatible with requires wp | ||
| #4653 | ELEX WooCommerce Product Price Custom Text (Before & After Text) and Discount | 64 | 444 | 137 | 2k+ | Missing Arg Domain | ||
| #4654 | Embed Google Fonts | 64 | 28 | 7 | 5k+ | Output is not escaped | ||
| #4655 | Estonian Shipping Methods for WooCommerce | 64 | 97 | 16 | 1k+ | Text Domain Mismatch | ||
| #4656 | Evermore | 64 | 8 | 12 | 1k+ | Input is not validated | ||
| #4657 | Favicon XT-Manager | 64 | 9 | 12 | 2k+ | Output is not escaped | ||
| #4658 | Icon Element – Icon Pack for Elementor Page Builder (6718 icons) | 64 | 30 | 16 | 40k+ | wp function not compatible with requires wp | ||
| #4659 | Online Payments with iK Pay Gateway | 64 | 12 | 28 | 1k+ | Missing nonce verification | ||
| #4660 | Inactive Logout | 64 | 30 | 71 | 10k+ | Non-prefixed global variable | ||
| #4661 | Integrate Firebase | 64 | 26 | 7 | 500 | Output is not escaped | ||
| #4662 | Kama SpamBlock | 64 | 29 | 7 | 5k+ | Short PHP open tag found | ||
| #4663 | Master Post Advert | 64 | 26 | 4 | 1k+ | Unsafe printing function | ||
| #4664 | Meks Easy Social Share | 64 | 26 | 3 | 10k+ | Output is not escaped | ||
| #4665 | Moosend Website Connector | 64 | 15 | 12 | 1k+ | Non Singular String Literal Domain | ||
| #4666 | Most Popular Post Widget | 64 | 40 | 3 | 400 | Output is not escaped | ||
| #4667 | MultiSafepay plugin for WooCommerce | 64 | 13 | 35 | 2k+ | Missing nonce verification | ||
| #4668 | Nofollow for external link | 64 | 8 | 5 | 10k+ | Output is not escaped | ||
| #4669 | Page in Widget | 64 | 26 | 0 | 1k+ | Output is not escaped | ||
| #4670 | Page Tag Cloud | 64 | 21 | 3 | 500 | Output is not escaped | ||
| #4671 | Pageviews | 64 | 15 | 12 | 1k+ | Missing Translators Comment | ||
| #4672 | PHP Code Widget | 64 | 22 | 1 | 80k+ | Output is not escaped | ||
| #4673 | Product Import Export for WooCommerce – Import Export Product CSV Suite | 64 | 246 | 766 | 80k+ | Non-prefixed global variable | ||
| #4674 | Send From | 64 | 5 | 18 | 500 | Input is not sanitized | ||
| #4675 | SMK Sidebar Generator | 64 | 19 | 5 | 10k+ | Output is not escaped | ||
| #4676 | Stancer for WooCommerce | 64 | 2 | 108 | 400 | Non-prefixed global variable | ||
| #4677 | Thumbnail Crop Position | 64 | 43 | 1 | 2k+ | Output is not escaped | ||
| #4678 | TP Show Product Images on Checkout Page for WooCommerce | 64 | 16 | 5 | 500 | Setting is missing a sanitization callback | ||
| #4679 | 64 | 27 | 23 | 9k+ | Missing Translators Comment | |||
| #4680 | WProofreader spell & grammar check plugin for WordPress | 64 | 12 | 43 | 4k+ | Non-prefixed global variable | ||
| #4681 | Werk aan de Muur | 64 | 48 | 20 | 900 | Non Singular String Literal Domain | ||
| #4682 | WP REST API Controller | 64 | 8 | 22 | 8k+ | Nonce verification recommended | ||
| #4683 | WP REST Cache | 64 | 11 | 113 | 10k+ | Direct Query | ||
| #4684 | WP Search with Algolia | 64 | 27 | 16 | 7k+ | Missing direct file access protection | ||
| #4685 | YaMaps for WordPress Plugin | 64 | 21 | 30 | 10k+ | Non-prefixed global variable | ||
| #4686 | Яндекс.ПДС Пингер / Yandex Site search pinger | 64 | 21 | 5 | 800 | Output is not escaped | ||
| #4687 | ACF: Sidebar Selector | 65 | 27 | 2 | 800 | Output is not escaped | ||
| #4688 | AI Provider for Google | 65 | 32 | 1 | 30k+ | Exception output is not escaped | ||
| #4689 | Authorizer | 65 | 3 | 54 | 5k+ | Nonce verification recommended | ||
| #4690 | Banner Upload | 65 | 36 | 4 | 500 | Output is not escaped | ||
| #4691 | Contact Form 7 – Success Page Redirects | 65 | 5 | 15 | 10k+ | Input is not sanitized | ||
| #4692 | Creta Testimonial Showcase | 65 | 28 | 41 | 3k+ | Non-prefixed global variable | ||
| #4693 | Custom Global Variables | 65 | 14 | 12 | 5k+ | Output is not escaped | ||
| #4694 | Custom Product Tabs for WooCommerce WP All Import Add-on | 65 | 18 | 18 | 1k+ | Non-prefixed global variable | ||
| #4695 | Custom Share Buttons with Floating Sidebar | 65 | 164 | 20 | 4k+ | Text Domain Mismatch | ||
| #4696 | Dashboard Directory Size | 65 | 32 | 9 | 400 | Missing Arg Domain | ||
| #4697 | Disable REST API | 65 | 12 | 15 | 80k+ | Output is not escaped | ||
| #4698 | Easy Twitter Feed Widget Plugin | 65 | 90 | 15 | 10k+ | Text Domain Mismatch | ||
| #4699 | Email Tracker | 65 | 25 | 4 | 800 | SQL query is not prepared | ||
| #4700 | Live Chat with Messenger Customer Chat | 65 | 10 | 23 | 3k+ | Input is not sanitized |