If you absolutely cannot separate out the public portion of the application from the core -- which should be possible because even the worst shared hosts allow for folders above public_html -- then you'll need to use a PHP solution for protection the files. For example if you define a constant in index.php and then check for that constant in included files you can prevent access, eg:
defined('BASEPATH') OR exit('No direct script access allowed');
You are right again. But I will complicate the installation.
The PHP files are secure, they are classes ore arrays.
if you execute them nothing happens. We have an .htaccess file in core applications folder. The .htacces file rejects all requests.
We would provide security tips also for nginx users.
Just to repeat all files except index.php are classes ore arrays
and and they don't execute any code.
