This site uses third-party cookies, learn more or accept
dark light

PHP File Directory Layout Best Practices

Written by Max Pelic on
Update: the Jelly URL link shortener is live, be one of the first people to check it out!
For a limited time, get an exclusive discount by using the coupon code WEBSITE5OFF when you sign up for a free trial.

It's important to keep your PHP files secure. Here are a few good practices that you should stick to so your code can't be accessed by hackers or sketchy people.

Keep included files outside of the root directory

When laying out your file system, it's good practice to keep files you plan on including in other files in a separate, private directory. That way, people can't run those files individually and protects those files from attack.

For example, here's a great file structure:


2 secure.php
3 header.php
4 footer.php
5 etc...
7 index.php
8 etc...

Keep secrets out of the main files

Keep your API keys, database passwords, and all other sensitive information in files that aren't directly accessible by viewers. That way, if there's some sort of server error and one of your page's code is displayed for some reason, you don't have to worry about secrets being leaked (the file won't be included if the code is never run).

Turn off public access to secret files

If your site has an error log, visitor log, or any other file the public doesn't need to see, revoke global read permissions on that file. Most web hosts let you control access on individual files, and you can use that to add an added layer of security.


This is my mentality: keep as many secrets as you can in web development - the less information hackers can see, the less they can do to attack you.

Share this article:

Previous Article: Password Generator

Next Article: Password Generator #2