Security issue: Hacking via submission in OJS 2.4.8

I chose .htaccess with:

    Order allow,deny
    Deny from all

That makes it likely inaccessible. Anyway, should you not prevent this by including such a .htaccess by default?
Furthermore, even by moving ./files to a non-accessible place, that means hackers can upload weird things like phtml even if they can’t use them right now.
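
An added example, not part of the original post and not OJS code: a Python audit of an upload directory such as ./files that reports whether a deny-all .htaccess is present and lists files carrying a PHP-handled extension or a PHP open tag. The extension list, the function names and the default path are assumptions chosen for illustration.

```python
import os
import re

# Assumption: extensions commonly mapped to the PHP handler in Apache setups;
# adjust to the handlers your server actually defines.
EXEC_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".pht", ".phar"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)


def has_deny_all(files_dir):
    """True if files_dir/.htaccess holds a deny-all rule (Apache 2.2 or 2.4 syntax)."""
    try:
        with open(os.path.join(files_dir, ".htaccess"), encoding="utf-8", errors="replace") as fh:
            return bool(DENY_RE.search(fh.read()))
    except OSError:
        return False


def audit_uploads(files_dir, sniff_bytes=4096):
    """Return sorted (relative_path, reason) pairs for suspicious uploads."""
    findings = []
    for root, _dirs, names in os.walk(files_dir):
        for name in names:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, files_dir)
            # Check every dot-separated part: with AddHandler-style configs,
            # a name like "paper.phtml.pdf" can still reach the PHP handler.
            parts = {"." + p.lower() for p in name.split(".")[1:]}
            if parts & EXEC_EXTS:
                findings.append((rel, "executable extension"))
                continue
            try:
                with open(full, "rb") as fh:
                    head = fh.read(sniff_bytes)
            except OSError:
                continue
            if PHP_TAG.search(head):
                findings.append((rel, "PHP open tag in content"))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "files"  # hypothetical default path
    print("deny-all .htaccess present:", has_deny_all(target))
    for rel, reason in audit_uploads(target):
        print(f"{reason}: {rel}")
```
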