The issue: Knowledge about paths and extensions makes it easier to exploit your system.
- Obscurity can only ever be an additional feature of your security concept.
The solution: Hide information
- Never have phpinfo() in your webroot. It exposes information about paths, extensions and configuration.
- Turn off display_errors in your production environment.
- Use log_errors instead.
- Changing default filetypes and disabling expose_php may help, too.
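
One way to check a deployment against the points above (an added example, not part of the original page): the script flags php.ini directives that differ from the recommended production values and finds files under the webroot that call phpinfo(). The function names, the sample php.ini text and the sample files are constructed for illustration; the phpinfo() match is a text heuristic and will also hit commented-out calls.

```python
import re
import tempfile
from pathlib import Path

# Production values for the directives named in the list above.
EXPECTED = {"display_errors": False, "log_errors": True, "expose_php": False}
# php.ini spellings of "off"; any other value is treated as enabled.
FALSY = {"", "0", "off", "false", "no", "none"}
# phpinfo( that is not part of a longer identifier, a variable or a method call.
PHPINFO_CALL = re.compile(r"(?<![\w>$])phpinfo\s*\(", re.IGNORECASE)


def audit_ini(text):
    """Return the directives in php.ini text that differ from EXPECTED."""
    seen = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ; comments
        if "=" not in line:
            continue  # section headers and blank lines
        key, value = (part.strip() for part in line.split("=", 1))
        if key in EXPECTED:  # a later assignment overrides an earlier one
            seen[key] = value.strip("\"'").lower() not in FALSY
    # An unset directive is reported too, so production values are stated explicitly.
    return sorted(k for k, want in EXPECTED.items() if seen.get(k) != want)


def find_phpinfo(webroot):
    """Return webroot-relative paths of files whose text calls phpinfo()."""
    hits = []
    # Every file is read, not only *.php, since the file type may have been changed.
    for path in Path(webroot).rglob("*"):
        if path.is_file() and PHPINFO_CALL.search(path.read_text(errors="ignore")):
            hits.append(path.relative_to(webroot).as_posix())
    return sorted(hits)


def demo():
    """Run both checks on constructed sample input."""
    sample_ini = "[PHP]\ndisplay_errors = On ; dev leftover\nlog_errors = Off\nexpose_php = Off\n"
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "info.php").write_text("<?php phpinfo(); ?>")
        (Path(root) / "index.php").write_text("<?php echo 'hello'; ?>")
        return audit_ini(sample_ini), find_phpinfo(root)


if __name__ == "__main__":
    print(demo())
```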