In order to protect the sensitive directories, you've several choices. We'll only talk about the two most common choices.
Move the sensitives directories in a place NOT accessible from Internet
Unfortunately even if this solution is the best of both choices, it's not always possible as some shared hosts provide access to a single place which is also accessible via http.
First, you need to make sure that you can do that, if you've your own webserver, then you definitively can. If you're using a shared host, then think about where you need to put your files when uploading them by FTP, do you have to enter under a specific directory like htdocs, public_html/ or whatever it's used by your ISP.
If yes, then this means that any content not under this htdocs/ (or whatever name is used by your ISP) will NOT be accessible from the Internet. Then, you need to move each sensitive directory (ie: pictures/, data/) at the root of your FTP access and change phpGraphy config according your changes by changing the path of pictures_dir and eventually data_dir if you're using the flat file database backend. Note that you can not apply this technique to logs/ and conf/, you'll need to apply the other technique (see next section).
/home/ftpuser/
|
+- htdocs/ phpGraphy core files (*.php, etc.) - Need to be accessible from Internet
| +-base/ phpGraphy core library, stylesheets, icons, etc. - Need to be accessible from Internet
| +-themes/ phpGraphy themes (You can add your own also) - Need to be accessible from Internet
| +-docs/ phpGraphy manual and documentation - Can be accessible or not, up to you
| +-conf/ phpGraphy configuration files - If possible, restrict access
| `-logs/ phpGraphy log files - If possible, restrict access
|
+- pictures/ This is where you put your own pictures/files - Should NOT be accessible from Internet
`- data/ Used along with the flat file database (not MySQL) - Should NOT be accessible from Internet
To get phpGraphy working like the above example, add the two following lines in config.ini.php:
pictures_dir = "../pictures/" data_dir = "../data/"
Using .htaccess files
phpGraphy comes by default with .htaccess in all *sensitive* directories. However it's possible that those files aren't in place anymore (for example, if you've uploaded phpGraphy with a FTP client not correctly handling files beginning with a dot) or also that your webserver doesn't handle such files.
The easiest way is to get those .htaccess given by default with phpGraphy back in place using the original archive and if not working trying with another decent FTP client. If your webserver doesn't this type of files, check for an equivalent, there should be one.
I'll not explain here how .htaccess works, if you're curious, you favorite search engine should be able to help you with that ! Just note that the role of .htaccess is to forbid access to directories and its content. There should be a similar method available with the webserver you're using.