missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4851 | WP Favicon | 68 | 25 | 9 | 500 | Non Singular String Literal Domain | ||
| #4852 | WP Smart Preloader | 68 | 27 | 10 | 5k+ | Output is not escaped | ||
| #4853 | Solid Mail – SMTP email and logging made by SolidWP | 68 | 16 | 17 | 60k+ | Database parameter is not escaped | ||
| #4854 | WP Theme Changelogs | 68 | 13 | 18 | 900 | Nonce verification recommended | ||
| #4855 | YaySwatches – Variation Swatches for WooCommerce | 68 | 281 | 14 | 1k+ | Text Domain Mismatch | ||
| #4856 | AdOpt | Easy Multi-Regulations Cookie Banner. | 69 | 22 | 27 | 7k+ | Missing direct file access protection | ||
| #4857 | Age Gate | 69 | 61 | 139 | 40k+ | Missing direct file access protection | ||
| #4858 | WP Wand – Unlimited Content Generation using AI – for OpenAI, Claude, Openrouter and Deepseek | 69 | 452 | 25 | 1k+ | Text Domain Mismatch | ||
| #4859 | Ambrosite Next/Previous Post Link Plus | 69 | 12 | 24 | 5k+ | Interpolated SQL is not prepared | ||
| #4860 | Auto Update Post Date | 69 | 11 | 23 | 1k+ | Input is not validated | ||
| #4861 | Bulk menu creator | 69 | 27 | 4 | 1k+ | Text Domain Mismatch | ||
| #4862 | CallRail Phone Call Tracking | 69 | 11 | 12 | 10k+ | Input is not validated | ||
| #4863 | Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons | 69 | 22 | 24 | 30k+ | Text Domain Mismatch | ||
| #4864 | Colorize Mobile Browser Address bar | 69 | 26 | 3 | 1k+ | Output is not escaped | ||
| #4865 | Contact Form 7 | 69 | 56 | 39 | 10m+ | Missing direct file access protection | ||
| #4866 | Contact Form 7: Accessible Defaults | 69 | 3 | 28 | 5k+ | Nonce verification recommended | ||
| #4867 | Custom Category Template | 69 | 13 | 8 | 2k+ | Missing Arg Domain | ||
| #4868 | Custom Login URL | 69 | 16 | 17 | 1k+ | Missing Arg Domain | ||
| #4869 | Dashboard Commander | 69 | 13 | 2 | 900 | Output is not escaped | ||
| #4870 | Debug Bar Rewrite Rules | 69 | 29 | 38 | 800 | Non-prefixed global variable | ||
| #4871 | Disable Users | 69 | 11 | 9 | 2k+ | Text Domain Mismatch | ||
| #4872 | ELEX WooCommerce Bulk Edit Products, Prices & Attributes (Basic) | 69 | 511 | 51 | 4k+ | Text Domain Mismatch | ||
| #4873 | ELEX WooCommerce Discount Per Payment Method | 69 | 60 | 39 | 1k+ | Text Domain Mismatch | ||
| #4874 | Email as Username for WP-Members | 69 | 15 | 8 | 700 | Text Domain Mismatch | ||
| #4875 | Embed Iframe | 69 | 25 | 6 | 2k+ | wp function not compatible with requires wp | ||
| #4876 | Google Plus Authorship | 69 | 6 | 15 | 1k+ | trademarked term | ||
| #4877 | Hand Talk | 69 | 34 | 4 | 400 | Output is not escaped | ||
| #4878 | HelpCrunch – Live Chat, Chatbot & Knowledge Base for Customer Service | 69 | 15 | 1 | 2k+ | Output is not escaped | ||
| #4879 | 简数采集器 | 69 | 5 | 25 | 1k+ | Request data is not unslashed | ||
| #4880 | Mailster WordPress Newsletter Plugin | 69 | 14 | 11 | 8k+ | Output is not escaped | ||
| #4881 | Gist All-In-One Marketing – Live Chat, Popups, Email | 69 | 24 | 11 | 500 | Output is not escaped | ||
| #4882 | Patterns Kit | 69 | 182 | 5 | 3k+ | Missing direct file access protection | ||
| #4883 | Payment Gateway for PhonePe and for Woocommerce | 69 | 15 | 14 | 900 | Non Singular String Literal Domain | ||
| #4884 | PDF.js Viewer | 69 | 14 | 38 | 20k+ | Non-prefixed global variable | ||
| #4885 | PrivacyBee – Datenschutz im Autopilot | 69 | 19 | 27 | 600 | Non-prefixed global variable | ||
| #4886 | Rename Taxonomies by WebMan | 69 | 32 | 7 | 1k+ | Missing Arg Domain | ||
| #4887 | Rife Extensions & Templates for Elementor | 69 | 22 | 7 | 20k+ | Output is not escaped | ||
| #4888 | Search by SKU for Woocommerce | 69 | 13 | 10 | 10k+ | Direct Query | ||
| #4889 | Search & Filter | 69 | 21 | 28 | 50k+ | Input is not sanitized | ||
| #4890 | Simple Login Lockdown | 69 | 13 | 6 | 4k+ | Output is not escaped | ||
| #4891 | Simple Mathjax | 69 | 29 | 3 | 4k+ | Short PHP open tag found | ||
| #4892 | Simple YouTube Embed | 69 | 11 | 11 | 5k+ | Nonce verification recommended | ||
| #4893 | SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) | 69 | 17 | 952 | 7k+ | Non-prefixed global variable | ||
| #4894 | TJ Custom CSS | 69 | 18 | 10 | 8k+ | Output is not escaped | ||
| #4895 | WP Disable Automatic Updates | 69 | 14 | 8 | 2k+ | Output is not escaped | ||
| #4896 | WP Mapa Politico España | 69 | 32 | 12 | 400 | Output is not escaped | ||
| #4897 | WP referrer spam blacklist (fight 2040+ Referrer Spammers in (Google/Matomo) Analytics) | 69 | 9 | 24 | 700 | Non-prefixed constant | ||
| #4898 | Add Widget After Content | 70 | 6 | 11 | 7k+ | Setting is missing a sanitization callback | ||
| #4899 | In-feed ads for Google AdSense | 70 | 20 | 20 | 6k+ | Non-prefixed global variable | ||
| #4900 | Ambrosite Next/Previous Page Link Plus | 70 | 11 | 21 | 900 | Interpolated SQL is not prepared |