Subject: Re: php+apache
Author: Jornada Del Muerto
Date: 2010-08-12 10:47:56
One more thing I'll add. You have:

include ("include/title.") . $lang;
include ("include/head.") . $lang;

Which means it's a big question whether the file extension is php. In practice, if you put PHP code into such files and .htaccess isn't set up so that they can't be opened, a hacker will be able to open such files. People often make included PHP files with the .inc extension, but in reality such a file can then be viewed and you can see what's in there. That's why:

1. It is recommended that all included files that contain PHP code get the .php extension; e.g. I name my includes in this style: inc.pavadinimas.php or inc.$lang.pavadinimas.php ("pavadinimas" being the file's name).

2. Of course, you can set up .htaccess so that nobody can get at anything. I'll also give a piece of Drupal's .htaccess (these days, with so many open-source CMSes around, there really is plenty to look at); something like this should be in the .htaccess file of every normal site:

# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$">
  Order allow,deny
</FilesMatch> 

# Don't show directory listings for URLs which map to a directory.
Options -Indexes 

# Follow symbolic links in this directory.
Options +FollowSymLinks 

# Make Drupal handle any 404 errors. <- this makes any request for a bad URL always land on the main page
ErrorDocument 404 /index.php 

That's at least what I'd recommend for security.
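
An added example, not part of the original post: a small Python audit that applies the FilesMatch pattern quoted above to a file tree and reports files that contain PHP but would be sent to the browser as plain text. It assumes the server hands only *.php to the PHP interpreter; the sample file names and the "lt"/"en" language codes are constructed.

```python
import os
import re

# FilesMatch pattern copied from the Drupal .htaccess quoted in the post.
# Apache applies FilesMatch to the file name only (last path component).
PROTECTED = re.compile(
    r"\.(engine|inc|info|install|module|profile|test|po|sh|.*sql|theme|"
    r"tpl(\.php)?|xtmpl|svn-base)$|^(code-style\.pl|Entries.*|Repository|"
    r"Root|Tag|Template|all-wcprops|entries|format)$"
)
# Assumption: the server hands only *.php to the PHP interpreter.
EXECUTED = re.compile(r"\.php$")
PHP_TAG = re.compile(rb"<\?(php|=)")  # "<?php" or the short echo tag "<?="

def classify(path, content):
    """Return how a direct HTTP request for this file would be handled."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if not PHP_TAG.search(content):
        return "no-php"      # nothing to leak as PHP source
    if PROTECTED.search(name):
        return "denied"      # blocked by the FilesMatch rule
    if EXECUTED.search(name):
        return "executed"    # run by PHP, source is not sent
    return "exposed"         # served as plain text: source readable

def audit(files):
    """files: mapping path -> bytes. Returns the sorted exposed paths."""
    return sorted(p for p, c in files.items() if classify(p, c) == "exposed")

def audit_dir(root):
    """Same check over a real document root (scans the first 64 KiB of each file)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for full in (os.path.join(dirpath, n) for n in names):
            with open(full, "rb") as fh:
                files[full] = fh.read(65536)
    return audit(files)

# Constructed sample tree; "lt" and "en" stand in for $lang values.
SAMPLE = {
    "include/title.lt": b"<?php $title = 'Pradzia'; ?>",
    "include/head.en": b"<?php $db_pass = 'example'; ?>",
    "include/db.inc": b"<?php /* config */ ?>",
    "include/inc.lt.title.php": b"<?php $title = 'Pradzia'; ?>",
    "css/site.css": b"body { margin: 0 }",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Files named after the language code fall outside both the .php handler and the FilesMatch list, so they are the ones reported; renaming them to the inc.$lang.*.php style moves them to "executed".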