Your host likely has you in a directory, say /home/~ademmeda which then has a subdirectory public_html (or www) where your website is located. My recommendation is to move protected files OUT of the public_html (or www) subdirectory into another subdirectory at the same level (in other words, /home/~ademmeda/public_html/core directory would be moved to /home/~ademmeda/core) where it cannot be accessed by an html request. Obviously, php includes and core information can be accessed by your php files (within the website) so things will work perfectly but with your sensitive files protected.
As immerse pointed out, you can't do that with images as they're accessed via http to display the images in your webpage. You can use PHP links to access the images outside the webspace but, once the image is served, it's available to the world (whereas the content, not the output, of php files are protected by the server's PHP daemon).