Hello,

My self-hosted WordPress site was defaced three times in one month, and since then I'm paying a lot more attention to security (watching error logs, hashing files and checking whether they change, adding a modified 5G Blacklist in .htaccess, etc.).

I have seen that some plugins, although they are not activated, get accessed.
For instance, I could see in the error logs that someone tried to run [domain_name]/wp-content/plugins/wp-greet-box/includes/admin/custom-edit-form.php
and got a PHP error:
Fatal error: Using $this when not in object context in /[path_to_domain]/wp-content/plugins/wp-greet-box/includes/admin/custom-edit-form.php on line 2

If you Google for /wp-content/plugins/wp-greet-box/includes/admin/custom-edit-form.php on line 2 you'll see that there are lots of results for this one.

But this is just an example; there are also other PHP files from plugins that are run by path.

I have a question: given that there could be lots of PHP files in plugins that can run who-knows-what, and users cannot verify them by hand (too many / too complex, plus most users just install, activate and configure), is this not a security problem?

Can something be done so that files cannot be run just by knowing the file path?

Thanks,
F.

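The post above asks how to keep plugin PHP files from executing when someone requests them by path. The usual answer inside a plugin is a bootstrap guard at the top of each file (for example `if ( ! defined( 'ABSPATH' ) ) exit;`), which makes a direct request do nothing because the constant is only defined when WordPress itself loads the file. The script below is an added example, not code from the original post or from WordPress or any plugin: it walks a plugins directory and lists every .php file that has no such guard, so the "too many files to verify by hand" problem becomes a mechanical check. The directory layout, file contents and guard patterns it uses are constructed for the example; the sample file is shaped like the one in the post (top-level code using `$this`), but its contents are invented.

```python
"""Audit a WordPress plugins directory for PHP files that run when requested directly.

Added example, not part of the original post. Assumption: a plugin file that
checks for the WordPress bootstrap (e.g. `defined('ABSPATH')`) before doing
anything exits harmlessly on a direct request; a file without such a check
executes its top-level code for anyone who knows the path.
"""
import os
import re
import tempfile

# Common guard idioms seen in plugin code. Matching is a regex over the source
# text, so an unusually formatted guard may be missed; the scan errs toward
# reporting a file rather than silently passing it.
GUARD_PATTERNS = [
    re.compile(r"defined\s*\(\s*['\"]ABSPATH['\"]\s*\)"),
    re.compile(r"defined\s*\(\s*['\"]WPINC['\"]\s*\)"),
    re.compile(r"function_exists\s*\(\s*['\"]add_action['\"]\s*\)"),
]

# Constructed sample files (hypothetical contents, not from any real plugin).
SAMPLE_FILES = {
    # Shaped like the file in the post: top-level code using $this and no
    # bootstrap check, so a direct request executes it (and fatals).
    "wp-greet-box/includes/admin/custom-edit-form.php":
        "<?php\n$options = $this->get_options();\n",
    # A guarded file: a direct request hits the exit before any other code.
    "guarded-plugin/guarded-plugin.php":
        "<?php\nif ( ! defined( 'ABSPATH' ) ) {\n    exit;\n}\n"
        "add_action( 'init', 'gp_init' );\n",
    # Non-PHP content is ignored by the scan.
    "guarded-plugin/readme.txt": "not PHP, ignored\n",
}


def is_guarded(source: str) -> bool:
    """Return True if the PHP source checks for the WordPress bootstrap."""
    return any(p.search(source) for p in GUARD_PATTERNS)


def find_unguarded_php(plugins_dir: str) -> list[str]:
    """Return paths (relative to plugins_dir) of .php files with no guard."""
    unguarded = []
    for root, _dirs, files in os.walk(plugins_dir):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if not is_guarded(fh.read()):
                    unguarded.append(os.path.relpath(path, plugins_dir))
    return sorted(unguarded)


def build_sample_plugins() -> str:
    """Write the constructed sample tree to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    # Point this at a real wp-content/plugins directory to audit a site.
    sample_root = build_sample_plugins()
    for rel in find_unguarded_php(sample_root):
        print("directly executable (no bootstrap guard):", rel)
```

Run it against a real `wp-content/plugins` directory to get the list of files that will execute on a direct request; each one is either a candidate for adding the guard or for a web-server rule that denies requests to .php files under the plugins directory (excluding any a plugin legitimately serves on its own). The scan only tells you which files are reachable, not what they do, so the reported files still deserve a look.
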
The topic 'Plugins files are accessed directly. Is it a security flaw?' is closed to new replies.