If the secret files and PHP application is on the SAME server:
Put them outside of the "web home".
Eg, normally you have a directory like:
/public_html/cgi-bin/file.php
that maps to: http://www.example.org/cgi-bin/file.php
What you then, do, is to put these files above the public_html
folder, like:
/somesecretdb.db
The file /public_html/cgi-bin/file.php
can then access somesecretdb.db
by just opening ../../somesecretdb.db
But the file won't be accessible from the "outside".
If the secret files and PHP application are on DIFFERENT servers:
Then you can use IP authentication, where you create an access or firewall rule, that only allows access to the file from the server hosting your app.
If the file server is intended to be only used by the PHP application server, you can configure the firewall at the file server, to only pass requests from the PHP application server to port 80.
If the file server is both intended for public usage (eg some files must be directly accessible for users) and private usage, you can instead configure the webserver, using .htaccess or configuration file, to tell it to disallow requests for private files unless the source IP is same as the PHP application server.