Common File Names
Placing your admin section in an /admin/ directory makes your application an easier target for CGI scanners such as Nikto, which probe well-known paths by default.
Likewise, using standard names like .htpasswd makes scanning for these files easier (WACT).
Storing Sensitive Information
Store files which contain sensitive information, such as files containing database credentials, outside the web root. If you use the ".inc" file extension convention, make sure your web server either denies access to such files or parses them as PHP; otherwise the file is sent to the browser as plain text when a user requests it.
Check that your server denies access to a request for file.inc?var=value, not only to URLs matching \.inc$. On Apache this can be done by inserting the following into your server config or .htaccess (a <Location> block is not permitted in .htaccess, so a <FilesMatch> block is used here, which works in both places):

    <FilesMatch "\.inc$">
        # Apache matches <Files>/<Location> against the path only; the query
        # string (?var=value) is not part of the match, so this rule also
        # covers a request for file.inc?var=value.
        Options None
        Order Allow,Deny
        Deny from All
        Satisfy All
    </FilesMatch>

On Apache 2.4 without mod_access_compat, replace the Order/Deny/Satisfy lines with "Require all denied".
Revealing Source Code
PHP library files stored in the web root without the .php extension (i.e., not as a file Apache will pass to the PHP interpreter), or PHP source exposed via the .phps extension, can compromise sensitive data and reveal targets for attack (WACT). Without source code, attackers are limited to black-box probing, which is significantly more difficult, or at least more time consuming, than white-box testing with the source code at hand.
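The two sections above describe the same class of mistake from two angles: a file under the web root that a default Apache setup would serve verbatim, either because of its extension (.inc, .phps, .htpasswd) or because it holds PHP code under a non-PHP extension. The following audit script is an added example, not code from the page or from WACT; it walks a web root and lists such files so they can be moved out of the document root or covered by a deny rule. The sample tree it builds in a temporary directory is constructed for the demonstration, and the "<?php" content heuristic is an assumption about how such library files look.

```python
import os
import tempfile

# Extensions a default Apache configuration serves as plain text even when the
# file holds PHP code (the page names .inc and .phps).
PLAINTEXT_EXTENSIONS = {".inc", ".phps"}
# Well-known credential files that should never sit under the web root.
SENSITIVE_NAMES = {".htpasswd"}
# Extensions Apache hands to the PHP interpreter (assumed default handler map).
PHP_HANDLED = {".php"}


def find_exposed_files(web_root):
    """Return sorted paths (relative to web_root) of files that a default
    Apache configuration would send to the browser as plain text although
    they contain PHP code or credentials."""
    exposed = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, web_root)
            _stem, ext = os.path.splitext(name)
            if name in SENSITIVE_NAMES or ext in PLAINTEXT_EXTENSIONS:
                exposed.append(rel)
                continue
            if ext in PHP_HANDLED:
                continue
            # Library file with another extension, or none at all: Apache
            # serves it verbatim, so flag it if it contains PHP code.
            with open(path, "rb") as fh:
                if b"<?php" in fh.read(4096):
                    exposed.append(rel)
    return sorted(exposed)


def build_sample_web_root(base):
    """Constructed sample document root (not taken from the page)."""
    files = {
        "index.php": "<?php require 'lib/db.inc'; ?>",
        "lib/db.inc": "<?php $db_pass = 'example-only'; ?>",
        "lib/helpers": "<?php function h($s) { return htmlspecialchars($s); }",
        "lib/util.php": "<?php function ok() { return true; }",
        "lib/util.phps": "<?php function ok() { return true; }",
        "admin/.htpasswd": "admin:$apr1$placeholder-hash",
        "css/site.css": "body { margin: 0; }",
    }
    for rel, content in files.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return base


def demo():
    """Build the sample tree and audit it; returns the list of exposed files."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_exposed_files(build_sample_web_root(tmp))


if __name__ == "__main__":
    for rel in demo():
        print("exposed:", rel)
```

Run against a real document root, the script reports lib/db.inc-style includes, .phps copies, .htpasswd files and extension-less PHP libraries; index.php and util.php are not reported because the PHP handler consumes them, and site.css is not reported because it holds no PHP code. The content check reads only the first 4 KiB of each file, which is enough for the opening "<?php" tag but is a heuristic, not a substitute for keeping includes outside the web root.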