The easiest way is to place a constant in the index.php and check in the other php files if this constant exists. If not, let the script die.
index.php
define(‘APP’, true);
various.php
if(!defined(‘APP’)) die();
Reference :
https://stackoverflow.com/questions/17304979/protect-php-files-from-direct-access