Well, “public_html” is just that: public. It has to be readable so that people can actually see your blog.
However, individual files within that folder can have different permissions. For example, when I try to view my own .htaccess file, I get this message:
Access forbidden!
You don’t have permission to access the requested object. It is either read-protected or not readable by the server.
If you think this is a server error, please contact the webmaster.
Error 403
php files generate static html files, so anyone trying to access it will only get the html that it generates. They will not be able to get to the actual file itself. When I try to view my own wp-config.php file, it just displays a blank screen, because that page doesn’t generate any html.
Of course, anyone with a little knowledge and access to Google can figure out how to hack a site and get at that information. That’s why you have to take steps to protect your WordPress installation. But with regard to the files you’ve mentioned above, no they are not accessible through a web browser.
