Anything which is in the htdocs directory of a website can be accessed directly. It’s up to the script developer to make sure that accessing those included files directly doesn’t expose any sensitive information.
A common way to do that is to define a constant in every file you want people to access directly, like so:
define('IN_SITE', true);
And in every included file, put the following at the start of the file:
if (!defined('IN_SITE') || !IN_SITE) {
    die('Forbidden');
}
That way, included files are only executed when they are included and are terminated immediately if accessed directly.
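To check that no included file was missed, the sketch below (an added example, not code from the original page) scans a document root and lists the PHP files that neither define the constant nor start with the guard. The constant name IN_SITE comes from the snippet above; the sample file names and contents are constructed, and the comment stripping is a regex heuristic rather than a real PHP tokenizer.

```python
import re
import tempfile
from pathlib import Path

CONST = "IN_SITE"  # constant name from the page's snippet
Q = r"""['"]"""
DEFINES = re.compile(rf"\bdefine\s*\(\s*{Q}{CONST}{Q}\s*,\s*true\s*\)", re.I)
# The guard only counts if it is the first statement after the opening tag.
GUARD_FIRST = re.compile(
    rf"\s*<\?php\s*if\s*\(\s*!\s*defined\s*\(\s*{Q}{CONST}{Q}\s*\)", re.I)
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)


def classify(source: str) -> str:
    """Return 'entry', 'guarded' or 'unguarded' for one PHP file's text."""
    code = COMMENTS.sub("", source)  # heuristic: not a real PHP tokenizer
    if DEFINES.search(code):
        return "entry"
    return "guarded" if GUARD_FIRST.match(code) else "unguarded"


def audit(docroot: Path) -> list[str]:
    """List .php files under docroot that still run when requested directly."""
    return sorted(
        p.relative_to(docroot).as_posix()
        for p in docroot.rglob("*.php")
        if classify(p.read_text(errors="replace")) == "unguarded"
    )


GUARD = "if (!defined('IN_SITE') || !IN_SITE) {\n    die('Forbidden');\n}\n"
# Constructed sample tree, not taken from any real site.
SAMPLE = {
    "index.php": "<?php\ndefine('IN_SITE', true);\nrequire 'inc/db.php';\n",
    "inc/db.php": "<?php\n// database helpers\n" + GUARD + "function db() {}\n",
    "inc/config.php": "<?php\n$settings = array('debug' => true);\n",
    "inc/late.php": "<?php\necho 'runs first';\n" + GUARD,
}


def demo() -> list[str]:
    """Write the sample tree to a temp dir and return the unguarded files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, text in SAMPLE.items():
            (root / name).parent.mkdir(parents=True, exist_ok=True)
            (root / name).write_text(text)
        return audit(root)


if __name__ == "__main__":
    print(demo())
```

A file whose guard appears after other statements, like inc/late.php in the sample, is reported as unguarded because that earlier code still executes on direct access.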