Simple gen'l questn re site security


Howard Karten
12-09-2004, 11:28 AM
On a web site I maintain, there is a file called index.htm, which is the home page, and a bunch of other files (pages). One of them is a PHP script that is not referenced in any page. Only I know the name of the PHP script--as far as I know.

Is there any way for a casual visitor, even a computer-savvy visitor, to learn the name of this page? Of course, the name of the page could be *guessed*, but it would take a lot of guessing, because the name is in the form 9A8B7c6_D.PHP. And even then, I'm the only one who uses this PHP script--it is not used by any page on the site, and no one would think to look for it.

Still, I'd like to be reasonably certain that things are secure.

NogDog
12-09-2004, 11:35 AM
One way would be if your site allows anonymous FTP and that FTP allows access to that directory. Also, I think there are webserver settings that allow/disallow HTTP requests on a directory name to see a directory listing.

A quick security help would be to put the PHP file in a separate subdirectory, and make that subdirectory password protected (htaccess setting, I think? - my webhost provider has an automated tool for setting that up, so I'm not sure what the technical name is).

Or, since it's PHP, it would not be too hard to build some password protection into the script itself.

Stephen Philbin
12-09-2004, 07:39 PM
If you have access to httpd.conf (or you could probably do it via htaccess also) you can deny/allow access to a directory from a certain name or location or IP address only and reject connections from anything else. For example:

When I put PHPMyAdmin on my server (not that it's any use mind), I used httpd.conf to allow access to it from 'localhost' only. That way anyone using IP to try to use it simply gets rejected.

You could use all kinds of things. Secure cookies could be another method.
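
Added example, not part of the original thread or any poster's configuration: an Apache setup that combines the three measures suggested in the replies above (no directory listing, password protection on a separate subdirectory, and access only from chosen addresses). It assumes Apache 2.4 syntax; the directory path, password file location, realm name and the 203.0.113.10 address are hypothetical placeholders.

```apache
# Added example, Apache 2.4 syntax. All paths, names and addresses here are
# hypothetical placeholders. Place in httpd.conf or a virtual-host file; the
# directives inside the <Directory> block can also go in that directory's
# .htaccess file if AllowOverride permits them.
<Directory "/var/www/example/private">
    # Do not generate a file listing when the directory itself is requested,
    # so the script's name cannot be read from an index page.
    Options -Indexes

    # HTTP Basic authentication. Create the password file with:
    #   htpasswd -c /etc/apache2/private.htpasswd <username>
    # Keep the file outside the document root so it cannot be downloaded.
    AuthType Basic
    AuthName "Private"
    AuthUserFile "/etc/apache2/private.htpasswd"

    # Both conditions must hold: a valid login AND an allowed source address.
    <RequireAll>
        Require valid-user
        <RequireAny>
            # Requests originating on the server itself (localhost)
            Require local
            # One trusted client address (documentation-range placeholder)
            Require ip 203.0.113.10
        </RequireAny>
    </RequireAll>
</Directory>
```

Basic authentication sends the password with every request in an easily decoded form, so serve the directory over HTTPS. Requests that fail the address check receive 403 Forbidden, and requests from an allowed address without a valid login receive 401.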