missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4901Comment Form CSRF Protection70710500Request data is not unslashed
#4902Lead info with country for Contact Form 77025283k+Text Domain Mismatch
#4903ConvertCalculator: Build Cost, Price, Quotation, ROI Interactive Calculators70912800Output is not escaped
#4904Custom Currency for WooCommerce706352k+Missing direct file access protection
#4905WebDefender Security – Protection & AntiSpam70176611k+wp function not compatible with requires wp
#4906Yoast Duplicate Post708884m+Nonce verification recommended
#4907Easy Hotel – Powerful Hotel Booking7041,900800Non-prefixed global variable
#4908Embed Code – Headers & Footers by DesignBombs701954k+Output is not escaped
#4909fitness calculators709425600Missing Arg Domain
#4910Ghost702512600Output is not escaped
#4911Xpro Slider For Beaver Builder – Lite7014713500Text Domain Mismatch
#4912Multipart robots.txt editor701981k+Output is not escaped
#4913onepay Payment Gateway For WooCommerce704913900Text Domain Mismatch
#4914Post Grid & Post Slider – Carousel, Filter Tabs & Related Posts706531k+Request data is not unslashed
#4915Press This701445k+Non-prefixed hook name
#4916Ridhi Companion703738500Non-prefixed global variable
#4917RSS Importer7014230k+Output is not escaped
#4918Search and Replace707910k+Input is not sanitized
#4919Show-Hide / Collapse-Expand70181510k+Missing direct file access protection
#4920Show IP address706201k+Input is not sanitized
#4921Simple Post Notes705169k+Request data is not unslashed
#4922Simple Site Verify70200900Output is not escaped
#4923Simple Sticky Header on Scroll70318900Output is not escaped
#4924Smart WYSIWYG Blocks Of Content703641k+Output is not escaped
#4925SQL Executioner7018172k+Non-prefixed global variable
#4926SubHeading7022131k+Non Singular String Literal Domain
#4927Support Me70126900Unsafe printing function
#4928Today's Date Inserter70321700Output is not escaped
#4929TP Product Image Flipper for WooCommerce7017159k+Non-prefixed function
#4930Upsell Funnel Builder for WooCommerce – Create Upsells, Cross-Sells, Order Bumps, Frequently Bought, and Popups.7031,4463k+Non-prefixed global variable
#4931Export Users With Meta7013132k+Direct Query
#4932User Location and IP70225400Input is not sanitized
#4933WEBKINDER Integration for Google Analytics and Google Tag Manager70152210k+Output is not escaped
#4934WP Calorie Calculator7022551k+Non-prefixed global variable
#4935Post Template701211400Missing nonce verification
#4936WPThumb70309800Output is not escaped
#4937Download Manager Addons for Elementor70272136k+Non Singular String Literal Domain
#4938Yampi Checkout70610900Nonce verification recommended
#4939aapanel WP Toolkit7120182k+wp function not compatible with requires wp
#4940Change Administrator Email Address71129700Output is not escaped
#4941Anant Addons for Elementor – Widgets, Templates & WooCommerce Builder7121207700Non-prefixed global variable
#4942Another Mailchimp Widget7128174k+Missing Translators Comment
#4943Bold Timeline Lite7122056110k+Non-prefixed global variable
#4944Bootstrap Shortcodes7121115k+Missing direct file access protection
#4945BuddyPress Default Data71821400Interpolated SQL is not prepared
#4946Social Chat Widget (⚡ by Callbell)71116600Output is not escaped
#4947Comfortable Reading711681k+Output is not escaped
#4948commonWP711833400Non-prefixed hook name
#4949Contact Form 7 Confirm Email Field7135112k+Text Domain Mismatch
#4950Meks Time Ago7122110k+Output is not escaped