Where Are Your PHP Includes?
Do not store your PHP includes in document root. This is a terrible practice. Here is just one reason why:
Don't recommend naming PHP includes with a .php extension. Don't recommend including code in PHP includes that prevents direct requests. Don't recommend the following for denying requests for .inc resources:
Order allow,deny Deny from all
The problem is not that these techniques are bad, but rather than they are neither optimal nor sufficient. If you employ these techniques, do so only to adhere to the principle of defense in depth. If you're only going to implement one safeguard, choose the best one.
Do not store your PHP includes in document root. There are no exceptions. There are no excuses.