Skip to content

False positive missing_direct_file_access_protection for class files containing require_once #1361

Description

@marekdedic

Description

PHP files that contain only a class definition and require_once statements (to load parent/dependency classes) are incorrectly flagged with missing_direct_file_access_protection. These files have no top-level executable code and are genuinely safe for direct access, so the error is a false positive.

Steps to reproduce

Create a PHP file in a plugin with only a require_once statement and a class definition:

<?php
require_once __DIR__ . '/class-parent.php';

class My_Class extends Parent_Class {
    // ...
}

Run wp plugin check <slug> — the file is flagged with missing_direct_file_access_protection.

Expected behaviour

No error. The file contains no executable code and is safe for direct access.

Actual behaviour

missing_direct_file_access_protection error is reported at line 0.

Disclaimer: Claude was used to investigate this and write the issue. I verified its outputs.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions