A safe technique is directory retreat: keeping the system files outside the public folder.
We can also work with other techniques, such as defining a constant or setting access permission rules for the public folder.
This feature depends on the web server you use.
I consider directory retreat safer because it protects both the client side and the server side.
To understand this better, imagine a situation where the site owner has FTP access, but you do not want them to have access to the system code. It is recommended not to leave the system open even to the owner, especially when the owner is a layman, because one day they will inevitably tamper with the code, causing bugs or something more serious.
How is directory retreat done?
The public folder contains only the index.php file.
In this index.php file, you include a file from a private folder.
Structure example:
/var/www/website.foo/public
/var/www/website.foo/app
/var/www/website.foo/logs
In the example above, the root directory is /var/www/website.foo/public
The index.php file would be inside this directory: /var/www/website.foo/public/index.php
Put all other system .php files outside the public folder:
/var/www/website.foo/app/foo.php
/var/www/website.foo/app/bar.php
Because this directory is not publicly accessible, you are safe. However, a third party with server access via FTP or SSH can still access the files.
If you want to enforce security, do not give SSH or FTP access to this directory to unauthorized persons.
For a client who wants FTP access, grant access only to the public directory.
There is still a risk: the client can run PHP scripts inside the public folder.
For these cases, you can also block PHP scripts from running in the public folder. The problem is that index.php would no longer work.
One solution to this is to create a symbolic link, so that even index.php can stay outside the public folder.
In this way all files, including index.php, are protected from both the visitor and the FTP user.
On Linux systems, the symbolic link can be made as follows:
ln -s "/var/www/website.foo/app/index.php" "/var/www/website.foo/public/index.php"
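In a Windows environment (mklink takes the link first and the target second; /j creates directory junctions, so it is omitted for a file):
mklink "c:\www\website.foo\public\index.php" "c:\www\website.foo\app\index.php"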
An obstacle to using directory retreat or a symbolic link is when the system runs in an environment where we are not allowed to run command lines, and in many cases it is not even possible to do directory retreat. This situation is common in shared hosting with an outdated structure.
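A way to check that the symbolic-link layout described above is still intact after the FTP user has had access. This is an added example, not part of the original text. The function name audit_public_dir and the finding labels are hypothetical, and it assumes the public/ and app/ layout shown earlier and looks only at files named *.php.

```shell
#!/bin/sh
# Added example (not from the original page): audit the symlink layout.
# Assumed layout: <site>/public is the web root, <site>/app holds the code.
# Returns 0 = clean, 1 = findings printed, 2 = layout not found.
audit_public_dir() {
    site=$1
    public="$site/public"
    app="$site/app"
    if [ ! -d "$public" ] || [ ! -d "$app" ]; then
        echo "ERROR: expected $public and $app to exist" >&2
        return 2
    fi
    # Physical path of app/, so link targets can be compared against it.
    app_real=$(cd "$app" && pwd -P) || return 2

    findings=$(
        find "$public" -name '*.php' \( -type f -o -type l \) |
        while IFS= read -r entry; do
            if [ -L "$entry" ]; then
                # One level of link resolution; relative targets are
                # interpreted from the directory that holds the link.
                target=$(readlink "$entry")
                case $target in
                    /*) ;;
                    *) target="$(dirname "$entry")/$target" ;;
                esac
                target_dir=$(cd "$(dirname "$target")" 2>/dev/null && pwd -P) || target_dir=""
                case "$target_dir/" in
                    "$app_real"/*) ;;  # link into app/: expected
                    *) echo "LINK-OUTSIDE-APP $entry -> $target" ;;
                esac
            else
                # A regular .php file stored in public/ breaks the layout.
                echo "PHP-SOURCE-IN-PUBLIC $entry"
            fi
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "OK: no PHP source stored in $public"
    return 0
}
```

Call it as audit_public_dir /var/www/website.foo, for example from a scheduled job, and alert on a non-zero return code.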