Skip to content

Fix missing_direct_file_access_protection#760

Merged
kasparsd merged 18 commits intoWordPress:masterfrom
masteradhoc:patch-3
Feb 13, 2026
Merged

Fix missing_direct_file_access_protection#760
kasparsd merged 18 commits intoWordPress:masterfrom
masteradhoc:patch-3

Conversation

@masteradhoc
Copy link
Contributor

@masteradhoc masteradhoc commented Jan 30, 2026

Fixes #759

What?

Adds direct file access protection to plugin PHP files to prevent them from being executed outside of the WordPress runtime.

Why?

WordPress.org coding standards require plugin PHP files to block direct access when WordPress is not loaded. Learn more here

How?

The PR adds a standard abspath guard at the top of affected PHP files. This ensures the files exit early when accessed directly, while leaving normal WordPress execution completely unchanged. No functional or behavioral logic was modified.

Testing Instructions

  1. Install Plugin Check Plugin
  2. Choose Two Factor, Categories = "Plugin Repo" and Types = "Error" & "Warning"
  3. see results
  4. apply fix
  5. see results

Screenshots or screencast

Changelog Entry

Security - Added direct file access protection to plugin files to align with WordPress.org security guidelines.

@github-actions
Copy link

github-actions bot commented Jan 30, 2026
edited
Loading

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: masteradhoc <masteradhoc@git.wordpress.org>
Co-authored-by: georgestephanis <georgestephanis@git.wordpress.org>
Co-authored-by: kasparsd <kasparsd@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@jeffpaul jeffpaul requested a review from kasparsd February 2, 2026 22:10
@jeffpaul jeffpaul added this to the 0.15.0 milestone Feb 2, 2026
georgestephanis
georgestephanis reviewed Feb 12, 2026
View reviewed changes
Copy link
Collaborator

@georgestephanis georgestephanis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean, I guess.

I've just always personally disliked this sort of blanket check -- Core certainly doesn't do it in wp-includes php files -- but it also seems harmless to include, just extra noise.

Merge it in or leave it out, I don't have strong opinions here apart from a subtle distaste for it.

@kasparsd
Copy link
Collaborator

kasparsd commented Feb 13, 2026

As mentioned above, WP core also don't have them in classes and even in wp-config.php (which loads WP core) so I would suggest we don't add them. I'm OK with having it in the main plugin bootstrap file, though.

@kasparsd kasparsd merged commit 70eb07f into WordPress:master Feb 13, 2026
2 checks passed
@masteradhoc masteradhoc deleted the patch-3 branch February 13, 2026 09:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@georgestephanis georgestephanis georgestephanis left review comments

@kasparsd kasparsd kasparsd approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

0.15.0

Development

Successfully merging this pull request may close these issues.

Plugin Check: missing_direct_file_access_protection

4 participants

@masteradhoc @kasparsd @georgestephanis @jeffpaul