hidden_files

Hidden files included

The plugin package contains hidden files or directories that usually should not ship in a WordPress.org release.

critical weight

Why It Shows Up

Plugin Check found dotfiles, hidden folders, or operating-system metadata in the plugin ZIP.

Why It Matters

Hidden files can leak development metadata, repository configuration, local tooling state, or unexpected content.

How to Fix

  • Exclude dotfiles and local metadata from the release build.
  • Build release ZIPs from a clean export or packaging script.
  • Keep only files required for the plugin to run, document itself, or provide distributed assets.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#801SrbTransLatin – Serbian Latinisation3511282k+Non-prefixed global variable
#802SSL Insecure Content Fixer352860100k+Input is not sanitized
#803Steady for WordPress35613600Non-prefixed global variable
#804Sticky Social Link354921k+Output is not escaped
#805SumUp Payment Gateway For WooCommerce35296210k+Nonce verification recommended
#806Super Cool Ad Inserter Plugin35225600Text Domain Mismatch
#807Svea Checkout for WooCommerce351872800Request data is not unslashed
#808SweepPress: Website Cleanup and Optimization3571176600Non-prefixed global variable
#809Table for Divi35522k+Hidden files included
#810Table Of Content Block – Auto-Generate Clickable Table of Contents35213k+Hidden files included
#811TailPress – Tailwind for WordPress352322500Output is not escaped
#812Tapfiliate353549400Nonce verification recommended
#813Taxonomy Checklist Tree3531400Hidden files included
#814Taxonomy CSV Import Export35530700Missing nonce verification
#815TBThemes Theme Import358448400Text Domain Mismatch
#816TC Custom JavaScript35192610k+Missing Version
#817Teamleader CRM Forms3515030500Non Singular String Literal Domain
#818Starter Sites & Templates by Neve352888100k+Non-prefixed hook name
#819Termageddon: Cookie Consent & Privacy Compliance3527137k+Exception output is not escaped
#820The Courier Guy Shipping for WooCommerce35571073k+Missing nonce verification
#821The Social Links3516292k+Non-prefixed global variable
#822theMarketer – Email marketing, Newsletters, Automation & Loyalty for Woocommerce35447700Nonce verification recommended
#823ThemeRain Core3569611k+Text Domain Mismatch
#824TikTok353122200k+Missing Arg Domain
#825TinyMCE Templates35412720k+Text Domain Mismatch
#826Tockify Events Calendar3535122k+Output is not escaped
#827Transcoder3542111400Non-prefixed function
#828uCalc35788600Text Domain Mismatch
#829Unagi3592900Missing direct file access protection
#830Under Construction3530600k+Hidden files included
#831Use Google Libraries3513510k+Hidden files included
#832UTM for Woocommerce35144900Output is not escaped
#833Vendi Abandoned Plugin Check351331k+trademarked term
#834Embed videos and respect privacy356112k+Non-prefixed global variable
#835Walls.io: Social Media Feed351071k+Hidden files included
#836WATI Chat and Notification3590600Missing direct file access protection
#837Wavy Divider35101700Hidden files included
#838WC Moneris Payment Gateway3510428900Text Domain Mismatch
#839Payphone – Payment Gateway Button35322k+Hidden files included
#840Deliver via Shipos for WooCommerce351178600Nonce verification recommended
#841Product Attributes Shortcode3534700Nonce verification recommended
#842Webflow Pages3536632k+Non Singular String Literal Domain
#843Converter for Media – Optimize images | Convert WebP & AVIF3513353500k+curl curl setopt
#844WEDOS OnLine monitoring353615700Output is not escaped
#845wePOS – Point Of Sale (POS) for WooCommerce & Dokan3547662k+Output is not escaped
#846What The File3591240k+Input is not sanitized
#847Which Elementor Addon35263500Text Domain Mismatch
#848Wild Apricot Login358830800Non Singular String Literal Domain
#849Open Graph and Twitter Card Tags35152750k+error log error log
#850Asaas Gateway for WooCommerce35121098k+Non-prefixed global variable