missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4851WP Favicon68259500Non Singular String Literal Domain
#4852WP Smart Preloader6827105k+Output is not escaped
#4853Solid Mail – SMTP email and logging made by SolidWP68161760k+Database parameter is not escaped
#4854WP Theme Changelogs681318900Nonce verification recommended
#4855YaySwatches – Variation Swatches for WooCommerce68281141k+Text Domain Mismatch
#4856AdOpt | Easy Multi-Regulations Cookie Banner.6922277k+Missing direct file access protection
#4857Age Gate696113940k+Missing direct file access protection
#4858WP Wand – Unlimited Content Generation using AI – for OpenAI, Claude, Openrouter and Deepseek69452251k+Text Domain Mismatch
#4859Ambrosite Next/Previous Post Link Plus6912245k+Interpolated SQL is not prepared
#4860Auto Update Post Date6911231k+Input is not validated
#4861Bulk menu creator692741k+Text Domain Mismatch
#4862CallRail Phone Call Tracking69111210k+Input is not validated
#4863Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons69222430k+Text Domain Mismatch
#4864Colorize Mobile Browser Address bar692631k+Output is not escaped
#4865Contact Form 769563910m+Missing direct file access protection
#4866Contact Form 7: Accessible Defaults693285k+Nonce verification recommended
#4867Custom Category Template691382k+Missing Arg Domain
#4868Custom Login URL6916171k+Missing Arg Domain
#4869Dashboard Commander69132900Output is not escaped
#4870Debug Bar Rewrite Rules692938800Non-prefixed global variable
#4871Disable Users691192k+Text Domain Mismatch
#4872ELEX WooCommerce Bulk Edit Products, Prices & Attributes (Basic)69511514k+Text Domain Mismatch
#4873ELEX WooCommerce Discount Per Payment Method6960391k+Text Domain Mismatch
#4874Email as Username for WP-Members69158700Text Domain Mismatch
#4875Embed Iframe692562k+wp function not compatible with requires wp
#4876Google Plus Authorship696151k+trademarked term
#4877Hand Talk69344400Output is not escaped
#4878HelpCrunch – Live Chat, Chatbot & Knowledge Base for Customer Service691512k+Output is not escaped
#4879简数采集器695251k+Request data is not unslashed
#4880Mailster WordPress Newsletter Plugin6914118k+Output is not escaped
#4881Gist All-In-One Marketing – Live Chat, Popups, Email692411500Output is not escaped
#4882Patterns Kit6918253k+Missing direct file access protection
#4883Payment Gateway for PhonePe and for Woocommerce691514900Non Singular String Literal Domain
#4884PDF.js Viewer69143820k+Non-prefixed global variable
#4885PrivacyBee – Datenschutz im Autopilot691927600Non-prefixed global variable
#4886Rename Taxonomies by WebMan693271k+Missing Arg Domain
#4887Rife Extensions & Templates for Elementor6922720k+Output is not escaped
#4888Search by SKU for Woocommerce69131010k+Direct Query
#4889Search & Filter69212850k+Input is not sanitized
#4890Simple Login Lockdown691364k+Output is not escaped
#4891Simple Mathjax692934k+Short PHP open tag found
#4892Simple YouTube Embed6911115k+Nonce verification recommended
#4893SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels)69179527k+Non-prefixed global variable
#4894TJ Custom CSS6918108k+Output is not escaped
#4895WP Disable Automatic Updates691482k+Output is not escaped
#4896WP Mapa Politico España693212400Output is not escaped
#4897WP referrer spam blacklist (fight 2040+ Referrer Spammers in (Google/Matomo) Analytics)69924700Non-prefixed constant
#4898Add Widget After Content706117k+Setting is missing a sanitization callback
#4899In-feed ads for Google AdSense7020206k+Non-prefixed global variable
#4900Ambrosite Next/Previous Page Link Plus701121900Interpolated SQL is not prepared