Path disclosure

We've talked a lot about always adding the defined('_JEXEC') or die statement at the top of all your PHP files, which prevents direct execution of those files and only allows them to run via Joomla!. If you leave this out, it can lead to path disclosure vulnerabilities: error messages on your site that tell the hacker details about your website, such as the full path of the files on the web server. This may reveal information such as the username of your account with your hosting company, which is often the same username used when logging into cPanel or connecting to the site via FTP.

We can easily simulate this by editing clicktocall.php under /plugins/content/clicktocall and removing the defined('_JEXEC') or die
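As an added example (not code from the book or from the clicktocall plugin), here is a small check a developer can run over an extension before packaging it: it reports every PHP file whose defined('_JEXEC') or die guard is missing, appears only inside a comment, or comes after another executable statement. The file contents below are constructed; the path names are assumptions.

```python
"""Report Joomla! PHP files that lack the defined('_JEXEC') or die guard."""
import re
from pathlib import Path

# Accepted spellings of the guard: defined('_JEXEC') or die, ... || die,
# a leading backslash (namespaced files), exit instead of die, and the
# if (!defined('_JEXEC')) die variant.
_GUARD_RE = re.compile(
    r"""\\?defined\s*\(\s*['"]_JEXEC['"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)\b"""
    r"""|if\s*\(\s*!\s*\\?defined\s*\(\s*['"]_JEXEC['"]\s*\)\s*\)\s*\{?\s*(?:die|exit)\b""",
    re.IGNORECASE,
)
# Heuristic: strip /* */ and // comments so a guard quoted in a docblock
# does not count as real code.
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)


def has_jexec_guard(source: str) -> bool:
    """True if the guard runs before any other executable statement."""
    code = _COMMENT_RE.sub("", source)
    open_tag = code.find("<?php")
    if open_tag == -1:
        return False  # no PHP code at all, nothing protects it
    body = code[open_tag + len("<?php"):]
    match = _GUARD_RE.search(body)
    if not match:
        return False
    # Only namespace/use/declare statements may come before the guard.
    for stmt in body[:match.start()].split(";"):
        stmt = stmt.strip()
        if stmt and not re.match(r"(namespace|use|declare)\b", stmt):
            return False
    return True


def find_unguarded(files: dict) -> list:
    """files maps a path to its contents; returns unguarded .php paths."""
    return sorted(p for p, src in files.items()
                  if p.endswith(".php") and not has_jexec_guard(src))


def scan_directory(root: str) -> list:
    """Run the same check over a real extension tree on disk."""
    paths = Path(root).rglob("*.php")
    return find_unguarded({str(p.relative_to(root)): p.read_text(errors="replace")
                           for p in paths})


# Constructed sample extension: two files are missing a working guard.
SAMPLE_FILES = {
    "plugins/content/clicktocall/clicktocall.php":
        "<?php\n/**\n * @copyright (constructed)\n */\ndefined('_JEXEC') or die;\n"
        "class PlgContentClicktocall extends JPlugin {}\n",
    "plugins/content/clicktocall/helper.php":
        "<?php\n// guard removed by mistake\nclass ClicktocallHelper {}\n",
    "plugins/content/clicktocall/index.html": "<!DOCTYPE html><title></title>",
    "administrator/components/com_foo/foo.php":
        "<?php\nnamespace Foo;\n\n\\defined('_JEXEC') || die;\n",
    "administrator/components/com_foo/tricky.php":
        "<?php\n// defined('_JEXEC') or die; appears only in this comment\necho 'x';\n",
}
```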

Get Learning Joomla! 3 Extension Development - Third Edition now with the O’Reilly learning platform.
