The issue: Knowledge about paths and extensions makes it easier to exploit your system. Obscurity can be just an additional feature of your security concept The solution: Hide information Never have phpinfo() in your webroot. It exposes information about pathes, extensions and configuration. Turn off display_errors in your production environment. - Use log_errors instead. Changing default filetypes and disabling expose_php may help, too.