Of your PHP files that are in your modules, you should only have class definitions and no dots - except for Ajax scripts (and again, you should only go through front or admin controllers). It is still recommended to prohibit access to all subdirectories containing PHP files or templates.
This is not mandatory, but just in case, add a .htaccess file in all of the following directories:
• /modules/mymodule/classes/
• /modules/mymodule/controllers/
• /modules/mymodule/install/
• /modules/mymodule/views/templates/
The content of the last directory (templates) is normally already protected by a .htaccess present in the PrestaShop modules folder which contains the following lines:
<FilesMatch "\.tpl$">
Deny from all
</FilesMatch>
This prohibits access to files ending with the .tpl extension.
If this security was not in place, it would then be possible to view the code of a template simply by entering its path.
Under these conditions, if the code of your templates has a security vulnerability, no doubt someone will discover it.
Apache and Nginx Setups
Some Apache (or Nginx, depending on what you're using) configurations disallow the use of .htaccess files. This is why the index.php files, which hide the presence of the files, are also important.