As a webmaster of several sites running on complex Content Management System solutions, I have regularly come across the same issue: most CMS systems have some library directories which should be out of the reach of the random web visitor, yet they have to be in the same web-accessible location as the rest of the CMS. To top that, I also need to include some other private directories under the web server root, for example a downloads repository, just because PHP open_basedir restrictions won't let me do otherwise. Is all lost, then? Is there no way to keep private directories really private?
Hardly so. All you have to do is use the marvelous Apache .htaccess magic. The easiest way to protect a directory is to put a file named .htaccess inside it, containing only these two lines:
order deny,allow
deny from all
Honestly, that's all there is to it. If a web visitor tries to access this directory, he'll get an HTTP 403 error (access denied). Nice and clean!
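To check that every private directory really carries this rule, here is a small audit script, added as an example and not part of the original post. The function names and the sample directory layout are assumptions; it also accepts "Require all denied", the Apache 2.4 form of the same rule.

```shell
#!/bin/sh
# Added example (not from the original post): audit private directories for a
# deny-all .htaccess. Function names and sample directories are assumptions.

# Succeed only if "$1/.htaccess" has an uncommented deny-all rule on its own
# line and no rule that re-opens access (with "order deny,allow", Allow wins).
has_deny_all() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 1
    if grep -Eiq '^[[:space:]]*(allow[[:space:]]+from|require[[:space:]]+all[[:space:]]+granted)' "$f"; then
        return 1
    fi
    grep -Eiq '^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied)[[:space:]]*$' "$f"
}

# Print each directory that fails the check; return non-zero if any did.
audit_private_dirs() {
    rc=0
    for d in "$@"; do
        if ! has_deny_all "$d"; then
            echo "UNPROTECTED: $d"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample tree: one protected directory, one with the rule
# commented out, one with no .htaccess at all.
demo() {
    root=$(mktemp -d) || return 1
    mkdir "$root/lib" "$root/downloads" "$root/cache"
    printf 'order deny,allow\ndeny from all\n' > "$root/lib/.htaccess"
    printf '# deny from all\n' > "$root/downloads/.htaccess"
    audit_private_dirs "$root/lib" "$root/downloads" "$root/cache" || true
    rm -rf "$root"
}
demo
```

A passing audit only shows the file is in place: Apache ignores .htaccess rules unless AllowOverride permits them for that directory, so confirm with a request that the server actually answers 403.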