hidden_files
Hidden files included
The plugin package contains hidden files or directories that usually should not ship in a WordPress.org release.
Why It Shows Up
Plugin Check found dotfiles, hidden folders, or operating-system metadata in the plugin ZIP.
Why It Matters
Hidden files can leak development metadata, repository configuration, local tooling state, or unexpected content.
How to Fix
- Exclude dotfiles and local metadata from the release build.
- Build release ZIPs from a clean export or packaging script.
- Keep only files required for the plugin to run, document itself, or provide distributed assets.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #251 | Laposta Signup Basic | 28 | 275 | 66 | 2k+ | Output is not escaped | |
| #252 | Loginfy – Custom Login Page Customizer | 28 | 338 | 398 | 2k+ | Output is not escaped | |
| #253 | Podcast Importer SecondLine | 28 | 356 | 169 | 4k+ | Text Domain Mismatch | |
| #254 | Redis Object Cache | 28 | 151 | 103 | 400k+ | Exception output is not escaped | |
| #255 | Brilliant Web-to-Lead for Salesforce | 28 | 247 | 244 | 2k+ | Text Domain Mismatch | |
| #256 | Praison AI SEO | 28 | 643 | 306 | 1k+ | Text Domain Mismatch | |
| #257 | Transliterator – Multilingual and Multi-script Text Conversion | 28 | 305 | 320 | 3k+ | Output is not escaped | |
| #258 | Connect Matomo – Analytics Dashboard for WordPress | 28 | 100 | 102 | 60k+ | Missing Translators Comment | |
| #259 | AI Copilot – Content Generator | 29 | 166 | 161 | 1k+ | wp function not compatible with requires wp | |
| #260 | Plugin BlueX for WooCommerce | 29 | 431 | 216 | 2k+ | Text Domain Mismatch | |
| #261 | CloudSecure WP Security | 29 | 74 | 350 | 100k+ | Request data is not unslashed | |
| #262 | Document Gallery | 29 | 183 | 98 | 8k+ | Output is not escaped | |
| #263 | Kits, Templates and Patterns | 29 | 380 | 91 | 5k+ | Text Domain Mismatch | |
| #264 | PhastPress | 29 | 95 | 52 | 10k+ | Exception output is not escaped | |
| #265 | Recipe Card Blocks Lite | 29 | 151 | 408 | 10k+ | Non-prefixed global variable | |
| #266 | Security Ninja – WordPress Security & Firewall | 29 | 149 | 347 | 7k+ | Direct Query | |
| #267 | Sender – Newsletter, SMS and Email Marketing Automation for WooCommerce | 29 | 146 | 246 | 5k+ | Unsafe printing function | |
| #268 | Product Carousel Slider & Grid Ultimate for WooCommerce | 29 | 719 | 122 | 6k+ | Text Domain Mismatch | |
| #269 | Woostify Sites Library | 29 | 229 | 198 | 20k+ | Text Domain Mismatch | |
| #270 | WP Subscribe | 29 | 79 | 79 | 8k+ | Non-prefixed class | |
| #271 | ApplyOnline – Application Form Builder and Manager | 30 | 354 | 260 | 2k+ | Output is not escaped | |
| #272 | Contact Form 7 – PayPal & Stripe Add-on | 30 | 385 | 233 | 8k+ | Unsafe printing function | |
| #273 | Kargo Takip, Kargo SMS, İlçe Mahalle Sözleşme by Hezarfen | 30 | 69 | 276 | 2k+ | Non-prefixed global variable | |
| #274 | Laposta Signup Embed | 30 | 88 | 19 | 1k+ | Exception output is not escaped | |
| #275 | Mailrelay | 30 | 318 | 170 | 2k+ | Text Domain Mismatch | |
| #276 | Dropify | 30 | 130 | 252 | 2k+ | Nonce verification recommended | |
| #277 | zahls.ch Credit Cards, PostFinance and TWINT for WooCommerce | 30 | 121 | 265 | 3k+ | Non-prefixed global variable | |
| #278 | ActiveCampaign – The autonomous marketing platform | 31 | 235 | 98 | 40k+ | Output is not escaped | |
| #279 | All-in-one contact buttons – WPSHARE247 | 31 | 108 | 113 | 4k+ | Non-prefixed global variable | |
| #280 | Titan Anti-spam & Security – Brute Force Protection, 2FA & Spam Filter | 31 | 57 | 196 | 50k+ | Nonce verification recommended | |
| #281 | Mailgun for WordPress | 31 | 144 | 78 | 80k+ | Unsafe printing function | |
| #282 | reCAPTCHA in WP comments form | 31 | 264 | 60 | 8k+ | Output is not escaped | |
| #283 | SmartBill Facturare si Gestiune | 31 | 421 | 164 | 5k+ | Text Domain Mismatch | |
| #284 | Staatic – Static Site Generator for WordPress | 31 | 420 | 195 | 2k+ | SQL query is not prepared | |
| #285 | WPGatsby | 31 | 125 | 55 | 3k+ | Text Domain Mismatch | |
| #286 | WP Simple Booking Calendar | 31 | 337 | 381 | 20k+ | Output is not escaped | |
| #287 | Admin Menu Editor | 32 | 159 | 233 | 300k+ | Non-prefixed global variable | |
| #288 | BP Classic | 32 | 664 | 216 | 6k+ | Unsafe printing function | |
| #289 | OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. | 32 | 211 | 64 | 300k+ | Output is not escaped | |
| #290 | Post and Page Builder by BoldGrid – Visual Drag and Drop Editor | 32 | 348 | 258 | 50k+ | Output is not escaped | |
| #291 | Simple Ajax Chat – Add a Fast, Secure Chat Box | 32 | 108 | 266 | 2k+ | Output is not escaped | |
| #292 | Subscribe2 – Form, Email Subscribers & Newsletters | 32 | 32 | 410 | 10k+ | Direct Query | |
| #293 | WP fail2ban – Advanced Security | 32 | 75 | 153 | 60k+ | Dynamic hook name | |
| #294 | Arconix Shortcodes | 33 | 129 | 107 | 4k+ | Output is not escaped | |
| #295 | CartPops – High Converting Add To Cart Popup For WooCommerce | 33 | 63 | 188 | 4k+ | Non-prefixed global variable | |
| #296 | Conekta Payment Gateway | 33 | 240 | 61 | 2k+ | Text Domain Mismatch | |
| #297 | GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice for CCPA, EU Cookie Law | 33 | 48 | 370 | 300k+ | Non-prefixed global variable | |
| #298 | WPZOOM Social Feed Widget & Block | 33 | 310 | 278 | 60k+ | Unsafe printing function | |
| #299 | jQuery Manager for WordPress | 33 | 86 | 24 | 7k+ | Output is not escaped | |
| #300 | Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid | 33 | 274 | 106 | 3k+ | Text Domain Mismatch |
