PHP File Directory Layout Best Practices
It’s important to keep your PHP files secure. Here are a few good practices you should stick to so your code can’t be accessed by hackers or sketchy people.
Keep included files outside of the root directory
When laying out your file system, it’s good practice to keep the files you plan on including in other files in a separate, private directory outside the web root. That way, visitors can’t request and run those files individually, which protects them from attack.
For example, here’s a great file structure:
includes/
    secure.php
    header.php
    footer.php
    etc...
public_html/
    index.php
    etc...
Keep secrets out of the main files
Keep your API keys, database passwords, and all other sensitive information in files that aren’t directly accessible by viewers. That way, if some server error causes one of your pages’ source code to be displayed, you don’t have to worry about secrets being leaked (the secrets file is only pulled in when the code actually runs, so it won’t appear in the displayed source).
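Here’s an added example (not part of the original post) of how the layout above and the secrets rule fit together: two files shown in one block, the public entry point and the private credentials file. The APP_ENTRY marker constant and the file contents are assumed for illustration, not something the post specifies.

```php
<?php
// File 1 of 2 -- public_html/index.php
// The only file the web server serves directly.

// Marker that the private files check for, so they refuse to run on their
// own even if one ever ends up in a web-accessible directory.
define('APP_ENTRY', true);

// Locate includes/ relative to this file's parent directory, not the
// working directory, so the path does not depend on how PHP was invoked.
$privateDir = dirname(__DIR__) . '/includes';

require $privateDir . '/secure.php';   // credentials stay outside public_html
require $privateDir . '/header.php';

echo '<p>Page content goes here.</p>';

require $privateDir . '/footer.php';


// File 2 of 2 -- includes/secure.php
// Sits outside public_html, so a browser can never request it. The guard
// below is a second line of defence in case the layout is ever misconfigured.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit('Direct access to this file is not permitted.');
}

// Placeholder values (assumed for the example): the real credentials belong
// only in this private file, never in index.php or any served page.
define('DB_HOST', 'localhost');
define('DB_USER', 'app_user');
define('DB_PASS', 'PLACEHOLDER_PASSWORD');
```

If a misconfiguration ever makes the server show index.php as plain text, all that is exposed is the require line, not the credentials.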
Turn off public access to secret files
If your site has an error log, visitor log, or any other file the public doesn’t need to see, revoke global read permissions on that file. Most web hosts let you control access on individual files, and you can use that to add another layer of security.
…
This is my mentality: keep as many secrets as you can in web development - the less information hackers can see, the less they can do to attack you.