missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4901 | Comment Form CSRF Protection | 70 | 7 | 10 | 500 | Request data is not unslashed | ||
| #4902 | Lead info with country for Contact Form 7 | 70 | 25 | 28 | 3k+ | Text Domain Mismatch | ||
| #4903 | ConvertCalculator: Build Cost, Price, Quotation, ROI Interactive Calculators | 70 | 9 | 12 | 800 | Output is not escaped | ||
| #4904 | Custom Currency for WooCommerce | 70 | 63 | 5 | 2k+ | Missing direct file access protection | ||
| #4905 | WebDefender Security – Protection & AntiSpam | 70 | 176 | 61 | 1k+ | wp function not compatible with requires wp | ||
| #4906 | Yoast Duplicate Post | 70 | 8 | 88 | 4m+ | Nonce verification recommended | ||
| #4907 | Easy Hotel – Powerful Hotel Booking | 70 | 4 | 1,900 | 800 | Non-prefixed global variable | ||
| #4908 | Embed Code – Headers & Footers by DesignBombs | 70 | 19 | 5 | 4k+ | Output is not escaped | ||
| #4909 | fitness calculators | 70 | 94 | 25 | 600 | Missing Arg Domain | ||
| #4910 | Ghost | 70 | 25 | 12 | 600 | Output is not escaped | ||
| #4911 | Xpro Slider For Beaver Builder – Lite | 70 | 147 | 13 | 500 | Text Domain Mismatch | ||
| #4912 | Multipart robots.txt editor | 70 | 19 | 8 | 1k+ | Output is not escaped | ||
| #4913 | onepay Payment Gateway For WooCommerce | 70 | 49 | 13 | 900 | Text Domain Mismatch | ||
| #4914 | Post Grid & Post Slider – Carousel, Filter Tabs & Related Posts | 70 | 6 | 53 | 1k+ | Request data is not unslashed | ||
| #4915 | Press This | 70 | 1 | 44 | 5k+ | Non-prefixed hook name | ||
| #4916 | Ridhi Companion | 70 | 37 | 38 | 500 | Non-prefixed global variable | ||
| #4917 | RSS Importer | 70 | 14 | 2 | 30k+ | Output is not escaped | ||
| #4918 | Search and Replace | 70 | 7 | 9 | 10k+ | Input is not sanitized | ||
| #4919 | Show-Hide / Collapse-Expand | 70 | 18 | 15 | 10k+ | Missing direct file access protection | ||
| #4920 | Show IP address | 70 | 6 | 20 | 1k+ | Input is not sanitized | ||
| #4921 | Simple Post Notes | 70 | 5 | 16 | 9k+ | Request data is not unslashed | ||
| #4922 | Simple Site Verify | 70 | 20 | 0 | 900 | Output is not escaped | ||
| #4923 | Simple Sticky Header on Scroll | 70 | 31 | 8 | 900 | Output is not escaped | ||
| #4924 | Smart WYSIWYG Blocks Of Content | 70 | 36 | 4 | 1k+ | Output is not escaped | ||
| #4925 | SQL Executioner | 70 | 18 | 17 | 2k+ | Non-prefixed global variable | ||
| #4926 | SubHeading | 70 | 22 | 13 | 1k+ | Non Singular String Literal Domain | ||
| #4927 | Support Me | 70 | 12 | 6 | 900 | Unsafe printing function | ||
| #4928 | Today's Date Inserter | 70 | 32 | 1 | 700 | Output is not escaped | ||
| #4929 | TP Product Image Flipper for WooCommerce | 70 | 17 | 15 | 9k+ | Non-prefixed function | ||
| #4930 | Upsell Funnel Builder for WooCommerce – Create Upsells, Cross-Sells, Order Bumps, Frequently Bought, and Popups. | 70 | 3 | 1,446 | 3k+ | Non-prefixed global variable | ||
| #4931 | Export Users With Meta | 70 | 13 | 13 | 2k+ | Direct Query | ||
| #4932 | User Location and IP | 70 | 2 | 25 | 400 | Input is not sanitized | ||
| #4933 | WEBKINDER Integration for Google Analytics and Google Tag Manager | 70 | 15 | 22 | 10k+ | Output is not escaped | ||
| #4934 | WP Calorie Calculator | 70 | 22 | 55 | 1k+ | Non-prefixed global variable | ||
| #4935 | Post Template | 70 | 12 | 11 | 400 | Missing nonce verification | ||
| #4936 | WPThumb | 70 | 30 | 9 | 800 | Output is not escaped | ||
| #4937 | Download Manager Addons for Elementor | 70 | 272 | 13 | 6k+ | Non Singular String Literal Domain | ||
| #4938 | Yampi Checkout | 70 | 6 | 10 | 900 | Nonce verification recommended | ||
| #4939 | aapanel WP Toolkit | 71 | 20 | 18 | 2k+ | wp function not compatible with requires wp | ||
| #4940 | Change Administrator Email Address | 71 | 12 | 9 | 700 | Output is not escaped | ||
| #4941 | Anant Addons for Elementor – Widgets, Templates & WooCommerce Builder | 71 | 21 | 207 | 700 | Non-prefixed global variable | ||
| #4942 | Another Mailchimp Widget | 71 | 28 | 17 | 4k+ | Missing Translators Comment | ||
| #4943 | Bold Timeline Lite | 71 | 220 | 561 | 10k+ | Non-prefixed global variable | ||
| #4944 | Bootstrap Shortcodes | 71 | 21 | 11 | 5k+ | Missing direct file access protection | ||
| #4945 | BuddyPress Default Data | 71 | 8 | 21 | 400 | Interpolated SQL is not prepared | ||
| #4946 | Social Chat Widget (⚡ by Callbell) | 71 | 11 | 6 | 600 | Output is not escaped | ||
| #4947 | Comfortable Reading | 71 | 16 | 8 | 1k+ | Output is not escaped | ||
| #4948 | commonWP | 71 | 18 | 33 | 400 | Non-prefixed hook name | ||
| #4949 | Contact Form 7 Confirm Email Field | 71 | 35 | 11 | 2k+ | Text Domain Mismatch | ||
| #4950 | Meks Time Ago | 71 | 22 | 1 | 10k+ | Output is not escaped |