OOP: Keeping passwords safe

If your application runs on a shared server then you will significantly increase the risk of an attacker gaining direct access - it’s not unknown for shared servers to be exploited. If you’re running on a dedicated server then felgall’s post above makes sense; whilst a dedicated server can still be compromised, the actions needed to do so are more involved.

:slight_smile: Except that here you don’t have an alarm system and the thief can exit at any time.
But, you may create a system (let’s say it’s an “Alarm system”) that tracks changes of your executable files (.sh, .php, .inc and others) and make a system that denies the changes (reverts the file instantly) by some algorithm. This must be created outside PHP, from UNIX (or whatever) because we assume the OS cannot be compromised. You may also create such a system from PHP, but it will cost you lots of resources.
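
As an added illustration (not part of any post in this thread), here is one way the change-tracking "alarm system" described above could be built outside PHP: a Python script, run from cron or a similar scheduler under an account the web server cannot write to, that compares the watched files against a trusted copy and reverts any difference. The `golden` and `quarantine` directories, the function names and the sample files are assumptions made for the example.

```python
import hashlib, shutil, tempfile
from pathlib import Path

WATCHED = {".sh", ".php", ".inc"}  # extensions named in the post

def snapshot(root):
    """Map relative path -> SHA-256 for each watched regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*")
            if p.is_file() and not p.is_symlink() and p.suffix.lower() in WATCHED}

def check_and_revert(live, golden, quarantine):
    """Make live match golden; return sorted (action, path) events for alerting."""
    live, golden, quarantine = Path(live), Path(golden), Path(quarantine)
    want, have = snapshot(golden), snapshot(live)
    events = []
    for rel, sha in want.items():
        if have.get(rel) != sha:  # modified, deleted or swapped for a symlink
            events.append(("modified" if rel in have else "missing", rel))
            (live / rel).parent.mkdir(parents=True, exist_ok=True)
            (live / rel).unlink(missing_ok=True)  # never write through a planted symlink
            shutil.copy2(golden / rel, live / rel)
    for rel in have.keys() - want.keys():  # script not in the baseline: move it out
        dest = quarantine / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(live / rel), str(dest))
        events.append(("unexpected", rel))
    return sorted(events)

def demo():
    """Constructed sample trees: tamper with the live copy, then run one check."""
    base = Path(tempfile.mkdtemp())
    golden, live, quarantine = base / "golden", base / "live", base / "quarantine"
    (golden / "lib").mkdir(parents=True)
    (golden / "start.php").write_text("<?php // trusted start\n")
    (golden / "lib" / "db.inc").write_text("<?php // trusted db\n")
    shutil.copytree(golden, live)
    (live / "start.php").write_text("<?php // tampered\n")        # modified file
    (live / "lib" / "db.inc").unlink()                             # deleted file
    (live / "new.php").write_text("<?php // not in baseline\n")   # added file
    events = check_and_revert(live, golden, quarantine)
    clean = snapshot(live) == snapshot(golden)
    shutil.rmtree(base)
    return events, clean

if __name__ == "__main__":
    print(demo())
```

The returned events are what an alert would be raised on; the check only has value if the trusted copy and the script itself are stored where the web server account has no write access.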

Yes, I place all my code above the public_html. The pages in the public_html only have a few include statements. At the top of the page one include to kick-start the script and in the body of the HTML others to include dynamic content. In theory this prevents hackers from monkeying with the code via HTTP but they can still get at it via FTP if they find the passwords.

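```php
<?php
// Absolute path to the scripts directory, which sits above public_html.
$include = "/path/to/scripts/";
include "{$include}start.php";
// $module is not defined on this page; assumption: start.php sets it.
?>
<!DOCTYPE html>
<html>
<!-- more html -->
<div class="some style">
<?php include "{$module}some/output.php"; ?>
</div>
<!-- more html -->
<div class="more style">
<?php include "{$module}more/output.php"; ?>
</div>
<!-- more html -->
</html>
```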

BTW, the designer I used to work with liked it very much because there was not a ton of PHP code cluttering up his Dreamweaver HTML/CSS design.

The above can run on dedicated, virtual and shared servers with no change [as far as I know]. I use a shared server and, yes, leaks between accounts are quite easy to do.