missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4701 | Featured Galleries | 65 | 15 | 10 | 3k+ | Output is not escaped | ||
| #4702 | Genesis Visual Hook Guide | 65 | 13 | 14 | 700 | Nonce verification recommended | ||
| #4703 | WP All Import – Import SEO Settings for All In One SEO | 65 | 19 | 11 | 900 | Output is not escaped | ||
| #4704 | Integration for Elementor forms – Sendinblue | 65 | 94 | 56 | 7k+ | Text Domain Mismatch | ||
| #4705 | Bitrix24 | 65 | 28 | 10 | 500 | Text Domain Mismatch | ||
| #4706 | Multi Image Metabox | 65 | 17 | 8 | 6k+ | Output is not escaped | ||
| #4707 | MW WP Form reCAPTCHA | 65 | 11 | 14 | 2k+ | Input is not sanitized | ||
| #4708 | QR Code Composer – Automatic QR Code Generator | 65 | 33 | 2 | 3k+ | Output is not escaped | ||
| #4709 | Reading progressbar | 65 | 25 | 2 | 6k+ | Output is not escaped | ||
| #4710 | Redirect 404 to Home Page – Custom URL | 65 | 7 | 11 | 4k+ | Output is not escaped | ||
| #4711 | SocketLabs | 65 | 15 | 18 | 900 | Output is not escaped | ||
| #4712 | SQL Buddy – Database Management Made Easy | 65 | 12 | 16 | 5k+ | SQL query is not prepared | ||
| #4713 | T4B News Ticker – Responsive News Scroller, Slider, and Animations | 65 | 20 | 10 | 7k+ | Output is not escaped | ||
| #4714 | WebberZone Top 10 — Popular Posts | 65 | 37 | 179 | 10k+ | Database parameter is not escaped | ||
| #4715 | User Last Login | 65 | 27 | 5 | 600 | Output is not escaped | ||
| #4716 | Lime Connect (formerly Userlike) – WordPress Live Chat plugin | 65 | 22 | 3 | 900 | Output is not escaped | ||
| #4717 | Web and WooCommerce Addons for WPBakery Builder | 65 | 497 | 123 | 1k+ | Text Domain Mismatch | ||
| #4718 | Vf Expansion | 65 | 58 | 52 | 1k+ | Non-prefixed global variable | ||
| #4719 | VK Link Target Controller | 65 | 13 | 10 | 30k+ | Output is not escaped | ||
| #4720 | Websitescanner Custom Schema | 65 | 28 | 19 | 600 | wp function not compatible with requires wp | ||
| #4721 | Add to Cart Text Changer and Customize Button, Add Custom Icon | 65 | 87 | 18 | 2k+ | Text Domain Mismatch | ||
| #4722 | USPS Simple Shipping for Woocommerce | 65 | 20 | 11 | 8k+ | Exception output is not escaped | ||
| #4723 | Ajaxify Comments – Ajax and Lazy Loading Comments | 65 | 20 | 38 | 3k+ | Non-prefixed hook name | ||
| #4724 | WP Change Default From Email | 65 | 51 | 7 | 10k+ | Non Singular String Literal Domain | ||
| #4725 | WP-Farsi | 65 | 26 | 36 | 600 | Non-prefixed function | ||
| #4726 | WP Max Submit Protect | 65 | 19 | 12 | 400 | Output is not escaped | ||
| #4727 | WP SEO HTML Sitemap | 65 | 22 | 15 | 6k+ | Output is not escaped | ||
| #4728 | AC Advanced Flamingo Settings | 66 | 6 | 32 | 700 | Nonce verification recommended | ||
| #4729 | ACF RGBA Color Picker | 66 | 37 | 3 | 6k+ | Text Domain Mismatch | ||
| #4730 | ACF: Rus-To-Lat | 66 | 15 | 11 | 2k+ | Output is not escaped | ||
| #4731 | CP Media Player – Audio Player and Video Player | 66 | 224 | 48 | 3k+ | Text Domain Mismatch | ||
| #4732 | Password Reset with Code for WordPress REST API | 66 | 24 | 8 | 900 | Exception output is not escaped | ||
| #4733 | Black Ribbon | 66 | 29 | 5 | 500 | Output is not escaped | ||
| #4734 | Bopo – WooCommerce Product Bundle Builder | 66 | 137 | 135 | 1k+ | Text Domain Mismatch | ||
| #4735 | Bulk Term Generator – Import multiple tags, categories, and taxonomies easily | 66 | 8 | 31 | 2k+ | Request data is not unslashed | ||
| #4736 | Burst Statistics – Simple WordPress Analytics (Google Analytics Alternative) | 66 | 33 | 410 | 200k+ | Direct Query | ||
| #4737 | Social comments by WpDevArt | 66 | 9 | 19 | 8k+ | Missing Version | ||
| #4738 | Cookie Warning | 66 | 14 | 15 | 700 | Non-prefixed function | ||
| #4739 | Custom Author Byline | 66 | 11 | 8 | 500 | Output is not escaped | ||
| #4740 | Custom Login Page Templates – Change Logo, Background and CSS | 66 | 25 | 5 | 2k+ | Missing Arg Domain | ||
| #4741 | Custom Posts Per Page | 66 | 20 | 2 | 900 | Unsafe printing function | ||
| #4742 | Debug Log Manager – Conveniently Monitor and Inspect Errors | 66 | 33 | 44 | 10k+ | Input is not validated | ||
| #4743 | No Right Click, Content Copy Protection, Disable Right Click by RB | 66 | 23 | 2 | 600 | Unsafe printing function | ||
| #4744 | Duplicate Menu | 66 | 11 | 7 | 100k+ | Unsafe printing function | ||
| #4745 | Estatik Mortgage Calculator | 66 | 22 | 6 | 1k+ | Output is not escaped | ||
| #4746 | Export Categories | 66 | 22 | 13 | 1k+ | Output is not escaped | ||
| #4747 | FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration | 66 | 26 | 30 | 6k+ | Missing direct file access protection | ||
| #4748 | Font Size | 66 | 17 | 1 | 600 | Unsafe printing function | ||
| #4749 | Goaffpro Affiliate Marketing | 66 | 6 | 28 | 4k+ | Nonce verification recommended | ||
| #4750 | Hide Title | 66 | 13 | 6 | 30k+ | Output is not escaped |