missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4701Featured Galleries6515103k+Output is not escaped
#4702Genesis Visual Hook Guide651314700Nonce verification recommended
#4703WP All Import – Import SEO Settings for All In One SEO651911900Output is not escaped
#4704Integration for Elementor forms – Sendinblue6594567k+Text Domain Mismatch
#4705Bitrix24652810500Text Domain Mismatch
#4706Multi Image Metabox651786k+Output is not escaped
#4707MW WP Form reCAPTCHA6511142k+Input is not sanitized
#4708QR Code Composer – Automatic QR Code Generator653323k+Output is not escaped
#4709Reading progressbar652526k+Output is not escaped
#4710Redirect 404 to Home Page – Custom URL657114k+Output is not escaped
#4711SocketLabs651518900Output is not escaped
#4712SQL Buddy – Database Management Made Easy6512165k+SQL query is not prepared
#4713T4B News Ticker – Responsive News Scroller, Slider, and Animations6520107k+Output is not escaped
#4714WebberZone Top 10 — Popular Posts653717910k+Database parameter is not escaped
#4715User Last Login65275600Output is not escaped
#4716Lime Connect (formerly Userlike) – WordPress Live Chat plugin65223900Output is not escaped
#4717Web and WooCommerce Addons for WPBakery Builder654971231k+Text Domain Mismatch
#4718Vf Expansion6558521k+Non-prefixed global variable
#4719VK Link Target Controller65131030k+Output is not escaped
#4720Websitescanner Custom Schema652819600wp function not compatible with requires wp
#4721Add to Cart Text Changer and Customize Button, Add Custom Icon6587182k+Text Domain Mismatch
#4722USPS Simple Shipping for Woocommerce6520118k+Exception output is not escaped
#4723Ajaxify Comments – Ajax and Lazy Loading Comments6520383k+Non-prefixed hook name
#4724WP Change Default From Email6551710k+Non Singular String Literal Domain
#4725WP-Farsi652636600Non-prefixed function
#4726WP Max Submit Protect651912400Output is not escaped
#4727WP SEO HTML Sitemap6522156k+Output is not escaped
#4728AC Advanced Flamingo Settings66632700Nonce verification recommended
#4729ACF RGBA Color Picker663736k+Text Domain Mismatch
#4730ACF: Rus-To-Lat6615112k+Output is not escaped
#4731CP Media Player – Audio Player and Video Player66224483k+Text Domain Mismatch
#4732Password Reset with Code for WordPress REST API66248900Exception output is not escaped
#4733Black Ribbon66295500Output is not escaped
#4734Bopo – WooCommerce Product Bundle Builder661371351k+Text Domain Mismatch
#4735Bulk Term Generator – Import multiple tags, categories, and taxonomies easily668312k+Request data is not unslashed
#4736Burst Statistics – Simple WordPress Analytics (Google Analytics Alternative)6633410200k+Direct Query
#4737Social comments by WpDevArt669198k+Missing Version
#4738Cookie Warning661415700Non-prefixed function
#4739Custom Author Byline66118500Output is not escaped
#4740Custom Login Page Templates – Change Logo, Background and CSS662552k+Missing Arg Domain
#4741Custom Posts Per Page66202900Unsafe printing function
#4742Debug Log Manager – Conveniently Monitor and Inspect Errors66334410k+Input is not validated
#4743No Right Click, Content Copy Protection, Disable Right Click by RB66232600Unsafe printing function
#4744Duplicate Menu66117100k+Unsafe printing function
#4745Estatik Mortgage Calculator662261k+Output is not escaped
#4746Export Categories6622131k+Output is not escaped
#4747FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration6626306k+Missing direct file access protection
#4748Font Size66171600Unsafe printing function
#4749Goaffpro Affiliate Marketing666284k+Nonce verification recommended
#4750Hide Title6613630k+Output is not escaped