I would just move the includes
folder out of the web-root, but if you want to block direct access to the whole includes
folder, you can put a .htaccess
file in that folder that contains just:
deny from all
That way you cannot open any file from that folder, but you can include them in php without any problems.