One Reason Why Drupal is Not So Secure

I am quite surprised that one of the "most secure" content management systems uses the .inc extension for include files in some places.  The problem with this is that if someone knew the path to the .inc file and pulled it up directly in the browser, the code would be revealed to the user.  Since .inc files are not parsed by the PHP engine before displaying, all the text within it is displayed. Every file that has PHP code in it should be given a .php extension, or your server should be configured to parse alternate extensions if you plan to use .inc for include files.