Protecting files.

What do I need to worry about?

         

jeffscript

11:07 pm on Mar 17, 2006 (gmt 0)

10+ Year Member



I've just written my first web site that uses Flash, php, and mySql. This is the first time that I've done anything besides html.

What do I need to worry about for protecting my php files? Is it possible for anyone to download one of them and then see mySql passwords, etc?

Is there a freeware tool that I can use to see what files are exposed on my web site? I'd like some way of knowing what others can see.

Are there other security issues that I need to think about?

Thanks so much for any help!

MichaelBluejay

6:34 am on Mar 19, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



No one can see your php files. When the webserver gets a request for a PHP file, it runs the code and then delivers the *output* to the visitor's browser. The visitor can never see the original, un-processed file.

Sure, there are a ton of other potential security issues with PHP. For starters, if you have any form that accepts user input, someone might be able to hack into your files that way. Your question is kind of broad.

jeffscript

1:45 pm on Mar 19, 2006 (gmt 0)

10+ Year Member



OK, that's a fair response. I'll try to be more specific...

What files are visible to the outside world over http? How do programs like FrontPage download an entire site? Do they just look for index.html and then follow links to get filenames or is there a way to get a "directory" of files using http?

Nuke

2:09 pm on Mar 19, 2006 (gmt 0)



Best way to protect your files in the directories is by disabling directory listing through a .htaccess file. However, every file that’s somehow linked to the main page can be easily downloaded in html format (even sites with thousands of files) through software like WebCopier.

MichaelBluejay

12:14 am on Mar 20, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Let's back up: What files are you trying to protect and why? If you prevent access to, say, an index.html file, then no visitor can even see that file in a browser. As I said in my first post, the thing about PHP (or .pl, or .cgi) is that it provides output to the user while the user doesn't get to see the original code that produced that output.
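Added example, not part of the original thread: a local audit of a site's document root, relating to the question above about seeing which files are exposed and to the reply about directory listing. It assumes the server executes only files whose final extension is `.php` and serves everything else as-is; the extension lists, function names and the sample site layout are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Assumptions for this sketch: only files whose final extension is .php are
# executed; everything else is sent to the visitor byte for byte.
EXECUTED = {".php"}
RISKY = {".inc", ".bak", ".old", ".orig", ".sql", ".swp"}
INDEX_NAMES = {"index.html", "index.htm", "index.php"}


def is_source_leak(filename):
    """True if the file would be served as-is and likely holds code or data."""
    name = filename.lower()
    ext = Path(name).suffix
    if ext in EXECUTED:
        return False
    return name.endswith("~") or ext in RISKY or ".php." in name


def audit_docroot(docroot):
    """Return (leaks, listable_dirs) as sorted docroot-relative paths."""
    root = Path(docroot)
    leaks, listable = [], []
    for directory in [root, *(p for p in root.rglob("*") if p.is_dir())]:
        files = [p for p in directory.iterdir() if p.is_file()]
        # Without an index file, the directory is shown as a file listing
        # unless listing is disabled (Options -Indexes in .htaccess).
        if not INDEX_NAMES & {p.name.lower() for p in files}:
            listable.append(directory.relative_to(root).as_posix())
        leaks += [p.relative_to(root).as_posix() for p in files
                  if is_source_leak(p.name)]
    return sorted(leaks), sorted(listable)


def build_sample(docroot):
    """Create a small constructed site layout for the demonstration."""
    for rel in ["index.php", "config.php", "config.php.bak", "includes/db.inc",
                "includes/functions.php", "uploads/index.html",
                "uploads/photo.jpg", "backup/dump.sql"]:
        path = Path(docroot, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        leaks, listable = audit_docroot(tmp)
        print("served as plain text:", leaks)
        print("no index file (listable if listing is on):", listable)
```

Run against a local copy of the site, the first list shows files to move outside the document root or rename; the second shows directories that depend on directory listing being disabled.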