Denying access to files when PHP isn't running

         

nokiaandy

9:05 pm on Jul 1, 2005 (gmt 0)




I went to my site earlier, to find it was spitting out raw PHP files, containing their source. I emailed my host straight away, who said they were recompiling PHP on the server. Obviously it left a massive security hole - and one I've never thought about before. I took my site offline, and checked the log files to see if anyone had accessed anything they shouldn't - luckily I was alright.

In the meantime, I've just added a 'FilesMatch' rule in .htaccess to stop anyone accessing any config files or .inc.php - which removes most of the risks.

But I was wondering if there was any rule I could add into my .htaccess file to send a 403 if the MIME-type being sent to the browser is 'application/x-httpd-php' (i.e. the source hasn't been parsed), or if the PHP Apache module isn't loaded?

Many thanks for any ideas!

Andy

nokiaandy

12:29 am on Jul 3, 2005 (gmt 0)




Think I've figured it out:

<IfModule !mod_php4.c>
<FilesMatch "\.php$">
Deny from all
</FilesMatch>
</IfModule>
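
An added example, not part of the original posts: the same fail-closed rule extended so it still behaves correctly on servers running a later mod_php, where a test for `mod_php4.c` alone would be true all the time and block every .php request. The module file names other than `mod_php4.c` and the Apache 2.4 `Require` branch are assumptions about the target server rather than details from the thread, and the check only applies where PHP runs as an Apache module (not CGI or PHP-FPM).

```apache
# Added example (not from the thread).
# Deny requests for .php files only when no mod_php variant is loaded.
# The IfModule tests are nested because all of the negative
# conditions must hold at the same time (logical AND).
<IfModule !mod_php4.c>
<IfModule !mod_php5.c>
<IfModule !mod_php7.c>
<IfModule !mod_php.c>
    <FilesMatch "\.php$">
        # Apache 2.4 and later: authorization via mod_authz_core
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        # Apache 2.2 and earlier: legacy access control directives
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </FilesMatch>
</IfModule>
</IfModule>
</IfModule>
</IfModule>
```

With the module loaded the block is skipped entirely; with it missing, a request for any .php file returns 403 instead of the source.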