missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4751HiFi (Head Injection, Foot Injection)6613112k+Output is not escaped
#4752Free Property Valuation (Lead Generator) / Kostenlose Immobilienbewertung66115600Unsafe printing function
#4753LeadBack – Callback, Chatbot and Live Chat Widgets for WordPress sites66175600Unsafe printing function
#4754Leadpages6666210k+Direct Query
#4755Link Widget Title662254k+Output is not escaped
#4756Page Title Splitter662981k+wp function not compatible with requires wp
#4757Page Meta662614700Missing Arg Domain
#4758Product Code for WooCommerce6613541k+Missing direct file access protection
#4759Product Size Chart For WooCommerce669226k+Non-prefixed hook name
#4760Mailchimp Widget by ProteusThemes661791k+Output is not escaped
#4761Raw HTML66173510k+Non-prefixed function
#4762Safe Redirect Manager6696040k+Non-prefixed hook name
#4763Seed Fonts66291120k+Output is not escaped
#4764TAO Schedule Update6637112k+Text Domain Mismatch
#4765User Profile Picture66984k+Missing nonce verification
#4766Visual Link Preview6647210k+Output is not escaped
#4767Ajax add to cart for WooCommerce66673110k+Text Domain Mismatch
#4768Frenet Shipping Gateway for WooCommerce – Correios, Etiquetas e Rastreio6622314k+Non-prefixed global variable
#4769WooCommerce Accepted Payment Methods662842k+badly named files
#4770WP Simple Adsense Insertion663293k+Input is not validated
#4771WP Redis6611259k+Interpolated SQL is not prepared
#4772WP Scroll Depth662991k+Output is not escaped
#4773Video Popup for Elementor – WPTD6633131k+Output is not escaped
#4774Add Logo to Admin671436k+Unsafe printing function
#4775Address correction autocomplete for Woo671991k+Text Domain Mismatch
#4776Raptive Ads6734316k+Text Domain Mismatch
#4777Affiliates Manager Google reCAPTCHA Integration671810400Request data is not unslashed
#4778Awesome Contact Form7 for Elementor6720307k+Non-prefixed global variable
#4779Breadcrumbs Divi Module67443810k+Text Domain Mismatch
#4780Caddy – WooCommerce Side Cart & Free Shipping Bar67381993k+Non-prefixed global variable
#4781CCM19 Integration6714134k+Nonce verification recommended
#4782Custom CSS Pro671767k+Output is not escaped
#4783Custom Link Widget672801k+Output is not escaped
#4784Duplicate TEC Event671210900date date
#4785Dynamic Text Field For Contact Form 7672071k+Unsafe printing function
#4786Easy Media Replace6716141k+Output is not escaped
#4787Editoria11y Accessibility Checker6769551k+Text Domain Mismatch
#4788Flexible Product Fields (WooCommerce Product Addons) – WooCommerce Product Page Editor67579810k+Non-prefixed global variable
#4789WordPress.com Editing Toolkit6752901k+Missing direct file access protection
#4790GravityExport Lite for Gravity Forms67481410k+Output is not escaped
#4791Hide Page And Post Title6711840k+Output is not escaped
#4792Mailster Gmail Integration6715131k+Missing Translators Comment
#4793Manage Upload Types67713400Output is not escaped
#4794Map Block Leaflet67527700Short PHP open tag found
#4795Meks Audio Player672571k+Output is not escaped
#4796MetaTag67713600Input is not validated
#4797Mosaic Gallery – Advanced Gallery6745793k+Non-prefixed global variable
#4798Mouse cursor customizer675381k+Missing nonce verification
#4799onOffice for WP-Websites6755071k+Non-prefixed global variable
#4800Per Page Sidebars671211900Input is not validated