I don't want my include and script files accessible via URL -- in fact, I am trying unsuccessfully to find some way to put them all outside the document root and away from any URL call. Even if I use forwards to other sub-directories with htaccess, I can't seem to find a way to move the files out of harms way -- from things like the opsusername.powweb.com url.

Is there a way to 'physically' have includes and scripts outside the document root and only call them from a few public facing scripts inside the document root?

HI bulwark,

Yes, you can do it. What I typically do is create a directory (ie: "my_hidden_includes") that sits at the same level as htdocs. This folder is not accessible via the browser, but your PHP or HTML code can reference the folder with a relative path (ie: "../my_hidden_includes/ )

Thanks. I've run some tests (with my limited knowledge) and directories equal to the htdocs level do appear protected from URL calls. I was thrown by the stats directory.