Using this stops everything accessing the files, even from my web site.
The URL is serviced through CloudFlare so I have tired using the original webhost address supplied by webhost of http://kids-books.000webhostapp.com/, I have even tried to use the ip address of both URL’s.
The .htaccess stops the directories being listed and this works fine.
But if I know the names of the php files I can enter them into a browser and run the file.
E.g. I have a file deleteUserAccount.php, this is called from my javascript using ajax, but I can also run it by simply calling it as a URL in any WEB browser :