The most common method of restricting access to files on a web server is with an .htaccess file. While this obviously works, it is somewhat fragile: the entire protective strength of the technique relies on a string of characters in a text file.

A better technique is to lift the files and folders that you wish to protect completely free from the web root, placing them elsewhere on the server. This means that no outside HTTP request can ever touch them. It’s a technique often suggested by frameworks and Content Management Systems, and is much more secure, but it comes with three challenges:

  1. Not all web hosting providers allow you access outside the root folder (which may be called www, htdocs, public, web or html, depending on the server setup).
  2. You cannot use the standard root path to the new, moved location of these files; you must use a server path instead (discussed below).
  3. This server path will be different for every hosting environment, depending on the operating system and host type.

The good news is that if your web hosting provider does allow you to roam free on the server, you can achieve this level of protection quickly.

First, let’s look at a typical web hosting setup: in this case, an Ubuntu LAMP stack at my preferred vendor, Digital Ocean.

Screenshot of public site file organisation

As you can see, this hosting company gives me complete access to the server. The site files are contained in an html folder, which exists inside a www folder. In turn, these are contained in a var folder, along with many other directories.

All the publicly accessible files are in the html folder. I want certain files, such as PHP includes, database connection scripts and framework config files, to be inaccessible to normal users while remaining available to the site itself.

Learning The Path

The first step is working out exactly where the html folder is on the server. While you might be able to work that out from the structure shown above, there’s one foolproof method, so long as your server is running PHP: create a quick test.php page containing a single line of code:

<?php echo __FILE__; ?>

Upload test.php to the public web folder (html, in this case) and view it in a browser using the complete URL: http://mysite.com/test.php

The result, printed out on the page, will probably look something like this: /var/www/html/test.php

On a local testing server like MAMP, it might look like this: /Applications/MAMP/htdocs/test.php

Regardless of the details, you have the information you need: the actual location of this page on the server. Given that information, we can work “backwards” from the public location, to a new private folder we’ll create in the next step.

Before doing so, record the information reported by the page and delete test.php from the server.

Crafting A Location

Screenshot of private site file organisation

Now that we know the path, we can create a folder above the level of the public folder, aka the “web root”. In my case, I’ve decided to create a folder called includes. Into this will go any sensitive data that I don’t want revealed to eyes peering through a browser. For the purposes of demonstration, I’ve placed a private.inc file in the new folder.

Using The New Location

To use private.inc in a page, we must be slightly clever with paths. In the case of using private.inc on the server demonstrated here, I would use the following on a public page contained in the html folder:

<?php include ("/var/includes/private.inc") ?>

This allows me to use the include file without ever making it publicly available: a neat trick.
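An added example, not the author's code: rather than hard-coding /var/includes into every page, this helper derives the private folder from the public folder's own location, so the same file works when the server path differs between hosts, and it refuses to load anything if that folder turns out to sit inside the web root. The function name private_path, the two constants, the bootstrap.php file name, and the assumption that the private folder is two levels above the public folder (as in the /var/www/html layout above) are illustrative.

```php
<?php
// Added example, not the article's code. Lives in the public folder,
// e.g. /var/www/html/bootstrap.php (file name is an assumption).
declare(strict_types=1);

// Assumptions matching the layout above: /var/www/html -> /var/includes
const PRIVATE_LEVELS_UP = 2;
const PRIVATE_DIR_NAME  = 'includes';

/**
 * Resolve a file in the private folder, failing closed if the folder
 * is missing, unreadable, or still sits inside the web root.
 */
function private_path(string $name, string $webRoot = __DIR__): string
{
    // Bare file names only, so "../" segments cannot steer the include.
    if ($name === '' || $name !== basename($name)) {
        throw new RuntimeException('Invalid include name');
    }
    $root = realpath($webRoot);
    if ($root === false) {
        throw new RuntimeException('Web root not found');
    }
    // realpath() collapses symlinks and ".." and returns false when the
    // folder does not exist or the host blocks access (e.g. open_basedir).
    $dir = realpath(dirname($root, PRIVATE_LEVELS_UP) . DIRECTORY_SEPARATOR . PRIVATE_DIR_NAME);
    if ($dir === false || !is_dir($dir)) {
        throw new RuntimeException('Private folder missing or not permitted');
    }
    // The folder must not be the web root or anything beneath it.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($dir . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException('Private folder is inside the web root');
    }
    $path = $dir . DIRECTORY_SEPARATOR . $name;
    if (!is_file($path)) {
        throw new RuntimeException('Private file not found');
    }
    return $path;
}

try {
    require private_path('private.inc');
} catch (RuntimeException $e) {
    error_log($e->getMessage()); // detail goes to the server log, not the browser
    http_response_code(500);
    exit('Configuration error');
}
```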

Enjoy this piece? I invite you to follow me at twitter.com/dudleystorey to learn more.