lucy24 - 1:53 am on Jan 17, 2013 (gmt 0)
I actually had a couple php files which were not actually being used . They were originally placed on my server by my host for an email contact page but I didn't like how they worked so I stopped using them, but left the files. I have since deleted them. The contact page on my site has some form from www.jotform.com/ which I assume uses php.
Do not allow anything to exist on your site that you don't understand. If you are big, your employees count as "you". Part of their job is to understand the things you don't. Part of your own job is to figure out when "understand" must be taken literally and when it can mean "I've got a general idea what this line does but don't ask me what 'preg' stands for".
If you're using material from outside sources, make sure it's an established source with an impeccable reputation.
:: idly wondering how many sites got hacked via third-party counters back when those were fashionable ::
For htaccess, consider this: You can easily put a few lines in htaccess to lock yourself out. I do it all the time when testing code. So how do you get back in? By editing or replacing the htaccess. The block you put in place can't prevent this from happening; it only prevents you from visiting your site in a browser.
"When in doubt, don't" is probably a safe guideline.