Without cooperation from the webserver the only way to protect your files is

• to encrypt them, in an archive, maybe, of which your script would know the password and tell no one – that will end up wasting cpu as the server will be decrypting it all the time, or

• to use an incredibly deranged file naming scheme, a file naming scheme you won’t ever describe to anyone, and that only your php script can sort trough.

Still data could be downloaded, bandwidth go to waste and encrypted files decrypted.

It all depends on how much that data matters. And how much your time costs, as these convoluted layers of somewhat penetrable obfuscation will likely eat huge chunks of developer time.

Now, as I said… that would be without cooperation from the webserver… but what if the webserver is cooperating and doesn’t know?

I’ve seen some apache webservers, (can anyone confirm it’s in the standard distribution?) for instance, come preloaded with a rule denying access to files starting with .ht, not only .htaccess but everything similar: .htproxy, .htcache, .htwhatever_comes_to_mind, .htyourmama...
Chances are your server could be one of those.

If that’s the case… rename your hidden files .hthidden-<filename1>,.hthidden-<filename2>... and you’ll get access to them only through php file functions, like readfile()