Calling this via SSI is a protection, the user can't easly find the URL and the permssions on the site are set so once the script works it can not be called direcly from the browser but must be called within code.
That is the definition of unprotected.