i believe you are looking for an "internal rewrite", which you can accomplish using mod_rewrite directives.

Yes, this is done using mod_rewrite but I have no knowledge in this subject. I could only try what I found in various forums and blogs but nothing worked.
Is there anybody who can post the exact code?

another question springs to mind.

are you sure that by 'hiding' the filename and directory you are actually making the site more secure? - the page can still be reached and if a hacker gets access to the server they will be able to see all your files anyway.

Well, as far as I know, it is a good practice to hide all custom php files. That's recommended, for example, in the Joomla security guide. So I would prefer this file to be hidden. Because there are ways hackers can use php files without getting full access to the server but they should know the names of those files to do that.

block viewing files from the directory?

If this is a common WP/Drupal/Joomla .php file all these file names will be written into the bot script and executed to see if it exists. They only need to know the directory location to point the bot script. Masking the php file name will not stop the bot script and the returned info.

Not from the directory, from the URL in the browser's address bar. And this is not a common Joomla file but my custom script

It sounds as if you’re describing a perfectly normal rewrite, which people do all the time for all sorts of reasons. The formula is simply

RewriteRule ^visible-URL-here /hidden-URL-here [L]

Note two things: The target starts with / meaning your site root, and the only flag is [L] meaning “OK, we’re done”. If you’re dealing with mod_rewrite in htaccess, you can only rewrite to a file that physically lives on the same server. The rule should be placed after any and all RewriteRules that involve external redirects, access control and whatever else you've got. In particular, make sure it comes after your canonicalization redirect (if necessary, do a Forums search for several hundred explanations of what this is) so you don't accidentally expose your hidden URL to the world.

Most often, once people start rewriting, they make a visible URL that is either extensionless or ends in a / slash. Personally I’m fond of letting the visible URL end in some standard extension like html--matching the rest of the site--because then it is less obvious that you're rewriting.

also, if your hidden url is web-accessible, you should implement a 301 redirect from the internal url to the equivalent external url.

Thank you lucy24. This seems to be exactly what I need but it did not work. I think, I know why - having read some stuff on the Web, I've understood that what this redirect does is, each time a visitor accesses mysite.com/visible-URL-here this URL will be displayed in the address bar but the actual content displayed on the page will be from mysite.com/hidden-URL-here
But my situation is different. The page to be accessed is mysite.com/hidden-URL-here (and actually, visitors do not access it directly, it is called by another php script) but the visible URL should be mysite.com/hidden-URL-here.
In other words, if I've understood everything correctly, in your example the page content is replaced while the URL remains the same but what I need is that the URL is replaced while the page content remains the same.

The problem you are having with the URL masking appears to be because it is called by a script and is not requested by the visitor so .htaccess never 'sees' the request. PHP is processed server side before a page is loaded.

I've found how to do this with Java Script:
window.history.pushState("object or string", "Page Title", "/new_url.html");
This did just what I need

I would be surprised if Bad Actors have javascript active,
or even available (cite: curl, lynx, etc.)

what I need is that the URL is replaced while the page content remains the same

Then you need two separate rules. The first rule is an external redirect from
/hidden-url
to
https://example.com/visible-url
with the usual redirect flags and also a RewriteCond looking at THE_REQUEST so you don't go around in circles. The second--and, as far as your server is concerned, entirely unrelated--rule is the rewrite described above.

But why is your “hidden” url visible in the first place? Did someone goof at an earlier stage in the site's history? If nobody has ever seen it, and there are no links to it, the external redirect should not be necessary.