Skip to content

Fix missing_direct_file_access_protection #760

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
masteradhoc wants to merge 10 commits into
base: master
Choose a base branch
from
Open

Fix missing_direct_file_access_protection #760

masteradhoc wants to merge 10 commits into from
+36 −0

Conversation

@masteradhoc
Copy link
Contributor

@masteradhoc masteradhoc commented Jan 30, 2026

Fixes #759

What?

Adds direct file access protection to plugin PHP files to prevent them from being executed outside of the WordPress runtime.

Why?

WordPress.org coding standards require plugin PHP files to block direct access when WordPress is not loaded. Learn more here

How?

The PR adds a standard abspath guard at the top of affected PHP files. This ensures the files exit early when accessed directly, while leaving normal WordPress execution completely unchanged. No functional or behavioral logic was modified.

Testing Instructions

  1. Install Plugin Check Plugin
  2. Choose Two Factor, Categories = "Plugin Repo" and Types = "Error" & "Warning"
  3. see results
  4. apply fix
  5. see results

Screenshots or screencast

Changelog Entry

Security - Added direct file access protection to plugin files to align with WordPress.org security guidelines.

@github-actions
Copy link

github-actions bot commented Jan 30, 2026

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: masteradhoc <masteradhoc@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Plugin Check: missing_direct_file_access_protection

1 participant

@masteradhoc