Prevent direct access to a PHP file.

This is a guide on how to prevent a user from directly accessing a PHP include file in their browser. Certain include files may rely on external variables from other files. As a result, they could throw errors and provide sensitive system information if a user were to load them directly.

Deny access to all files in your include directory.

If your PHP include files are located in a particular directory, you can tell your web server to deny all access to it.


If you are using Apache, you can create a .htaccess file and place it in the directory in question. This .htaccess file should contain the following directives:

order deny,allow
deny from all

The above .htaccess file tells Apache to return a “403 Forbidden” response if somebody attempts to access the directory in question.


Unfortunately, Nginx does not support .htaccess files. As a result, you will need to edit your server block configuration file to contain the following:

location ~ /(includes|config) {
    deny all;
    return 403;

The location entry above tells Nginx to prevent web access to two directories called “includes” and “config”. If a user attempts to access these folders, they will be given a “403 Forbidden” error.

Obviously, you will need to modify the configuration above to match the directories that you want to block.

Using PHP.

If you don’t want to change server configuration values, then you can use a PHP-only approach. This involves defining a constant in your main script.


//Example CONSTANT called SITE_URL.
define('SITE_URL', '');

Then, at the top of your include files, you can check to see if the constant above has been defined:

//Check if CONSTANT called SITE_URL is defined.
if(!defined('SITE_URL')) {
    //Send 403 Forbidden response.
    header($_SERVER["SERVER_PROTOCOL"] . " 403 Forbidden");
    //Kill the script.

If the constant has not been defined, then we make the assumption that the include file is being accessed directly via the URL. As a result, we send a 403 Forbidden response and kill the script.

The drawback to this approach is that you will have to add the above check to the top of all of your include files. You will also have to make sure that the constant exists in the PHP scripts that are publicly accessible.

Place include files outside of the document root.

You can also place your PHP files outside of the document root of your web server. This will make them inaccessible via a HTTP URL.

The document root is typically called public_html, www or html, depending on your setup.

For example, your document root could be located at: /var/www/html/

Your includes folder could be located at: /var/www/includes/

If you have a file called functions.php in your includes folder and you want to include that file in your index.php file in the publicly-accessible document root folder, you could do this:

//Include the file outside of your Document Root.
include '../includes/function.php';

Hopefully, you found this guide useful!