Quick tip for securing your PHP includes, place them above your web-accessible root directory.
So for example, if you normally keep your includes in a web-accessible directory, such as:
Instead, move the files further up the directory structure so they’re not accessible from the Web, like so:
Then include them in your theme files via their full path:
<?php include_once('/var/includes/some-file.php'); ?>
Bada-bing, files included in this way are inaccessible from the World Wide Web.