The safest way is to put the files you want kept to yourself outside of the web root directory, like Damien suggested. This works because the web server follows local file system privileges, not its own privileges.

最安全的方法是将您想要保留的文件放在 Web 根目录之外，就像 Damien 建议的那样。这是有效的，因为 Web 服务器遵循本地文件系统权限，而不是它自己的权限。

However, there are a lot of hosting companies that only give you access to the web root. To still prevent HTTP requests to the files, put them into a directory by themselves with a .htaccess file that blocks all communication. For example,

但是，有很多托管公司只允许您访问 Web 根目录。要仍然阻止对文件的 HTTP 请求，请将它们单独放入一个目录中，并使用阻止所有通信的 .htaccess 文件。例如，

Order deny,allow
Deny from all

Your web server, and therefore your server side language, will still be able to read them because the directory's local permissions allow the web server to read and execute the files.

您的 Web 服务器以及您的服务器端语言仍将能够读取它们，因为目录的本地权限允许 Web 服务器读取和执行文件。

That is how I prevented direct access from URL to my ini files. Paste the following code in .htaccessfile on root. (no need to create extra folder)

这就是我阻止从 URL 直接访问我的 ini 文件的方式。将以下代码粘贴到.htaccessroot 上的文件中。（无需创建额外的文件夹）

<Files ~ "\.ini$">
  Order allow,deny
  Deny from all
</Files>

my settings.inifile is on the root, and without this code is accessible www.mydomain.com/settings.ini

我的settings.ini文件在根目录下，没有这个代码就可以访问 www.mydomain.com/settings.ini

in httpd.conf to block browser & wget access to include files especially say db.inc or config.inc . Note you cannot chain file types in the directive instead create multiple file directives.

在 httpd.conf 中阻止浏览器和 wget 访问以包含文件，尤其是 db.inc 或 config.inc 。请注意，您不能在指令中链接文件类型，而是创建多个文件指令。

<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>

to test your config before restarting apache

在重新启动 apache 之前测试您的配置

service httpd configtest

then (graceful restart)

然后（正常重启）

service httpd graceful

Are the files on the same server as the PHP script? If so, just keep the files out of the web root and make sure your PHP script has read permissions for wherever they're stored.

这些文件是否与 PHP 脚本在同一台服务器上？如果是这样，只需将文件保留在 Web 根目录之外，并确保您的 PHP 脚本对存储它们的任何位置都具有读取权限。

If you have access to you httpd.conf file (in ubuntu it is in the /etc/apache2 directory), you should add the same lines that you would to the .htaccessfile in the specific directory. That is (for example):

如果您有权访问您的 httpd.conf 文件（在 ubuntu 中它位于 /etc/apache2 目录中），您应该添加与.htaccess特定目录中的文件相同的行。即（例如）：

ServerName YOURSERVERNAMEHERE
<Directory /var/www/>
AllowOverride None
order deny,allow
Options -Indexes FollowSymLinks
</Directory>

Do this for every directory that you want to control the information, and you will have one file in one spot to manage all access. It the example above, I did it for the root directory, /var/www.

对要控制信息的每个目录执行此操作，您将在一个位置拥有一个文件来管理所有访问。在上面的例子中，我是在根目录 /var/www 上做的。

This option may not be available with outsourced hosting, especially shared hosting. But it is a better option than adding many .htaccessfiles.

此选项可能不适用于外包托管，尤其是共享托管。但这是比添加许多.htaccess文件更好的选择。

To prevent .ini files from web access put the following into apache2.conf

为了防止 .ini 文件被 Web 访问，请将以下内容放入 apache2.conf

<Files ~ "\.ini$">
Order allow,deny
Deny from all
</Files>

How about custom module based .htaccess script (like its used in CodeIgniter)? I tried and it worked good in CodeIgniter apps. Any ideas to use it on other apps?

基于自定义模块的 .htaccess 脚本（就像它在 CodeIgniter 中使用的一样）怎么样？我尝试过，它在 CodeIgniter 应用程序中运行良好。有什么想法可以在其他应用程序上使用它吗？

<IfModule authz_core_module>
    Require all denied
</IfModule>
<IfModule !authz_core_module>
    Deny from all
</IfModule>