In a hosted website, you usually get something like this for a folder structure
webroot
|__ public_html
|__ cgi_scripts
|__ more folders
You put you web pages and php scripts (that generate web pages) in the public_html folder. These pags are displayed in the root of your website www.mydomain.com
You put the files you want to keep secure in cgi_scripts folder. This folder can't be displayed by a web address. It's "outside the web tree".
But, in a php script in your webroot (public_html) you can read a file from the secure area like this
<?php
include ..\cgi_scripts\secure_file.inc;
..
..
Any variables, like database credentials, read in the included file are avaialable for use in the script, but the file itself can't be called or read directly from the web.
Do see where I'm coming from?
Good luck,
Barry.