Suppose someone knows a folder name, and tries to list a folder on your site to find out what’s inside of it. Without any protection, it might display like this in the browser:

Now, let’s assume that you don’t want people snooping around in this folder, and trying to run the various PHP programs or investigate the contents of any text files.

The solution is to create an small index.php file that returns nothing, such as this:

<?php
// Silence is golden.  
// or display some message with an echo command: 
// echo "Cannot be displayed"; 
?>

When someone puts the folder name without a filename after it, Apache will generally attempt to run the index.php of that directory.
You don’t need to change .htaccess or the CPANEL indexing options if you do this.