If certain .html files can only be accessed by a password match (implemented in PHP) to a hash code in a database, the user can still guess likely .html file names and see that supposedly privileged page. Viewing the source of the privileged page, the user can then see the name of a .php that is invoked in that .html which might lead to the guessing of the likely POST arguments.
What is the best practice to reduce the temptation to do this type of guessing of names, both of the .html and .php file types?
The .htaccess file already has "options -indexes" to prevent listing directories.
Edit: ummm, instead of upvoting that it's a bad implementation, why not upvote one of the suggested answers or write a new one? It's obvious that it's a bad implementation; that's why this question was posted.
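One way to close the gap described in the question, as an added example that is not part of the original post: keep the privileged pages outside the document root and serve them only through a PHP script that checks the session on every request, so a guessed file name is never directly reachable. The directory path, page keys, file names and the `user_id` session key are assumptions made for illustration.

```php
<?php
// Added example (not from the original post). Assumptions: the login code,
// not shown here, sets $_SESSION['user_id'] after the password matches the
// stored hash; the privileged pages were moved out of the document root.
declare(strict_types=1);

const PROTECTED_DIR = '/var/www/private_pages';   // hypothetical path

// Allowlist: public page key => file inside PROTECTED_DIR (hypothetical names).
// Only these keys can be served, so a guessed name or "../" path resolves to nothing.
const PAGES = [
    'reports'  => 'reports.html',
    'settings' => 'settings.html',
];

// Decide what a request gets: [HTTP status, file path or null].
function resolve_page(array $session, string $key): array
{
    if (empty($session['user_id'])) {
        return [403, null];            // not logged in: nothing is revealed
    }
    if (!array_key_exists($key, PAGES)) {
        return [404, null];            // unknown key, including traversal attempts
    }
    return [200, PROTECTED_DIR . '/' . PAGES[$key]];
}

if (PHP_SAPI !== 'cli') {
    // Web entry point, requested as e.g. page.php?page=reports
    session_start();
    $key = is_string($_GET['page'] ?? null) ? $_GET['page'] : '';
    [$status, $file] = resolve_page($_SESSION, $key);
    if ($status !== 200 || !is_readable($file)) {
        http_response_code($status === 200 ? 404 : $status);
        exit;
    }
    header('Content-Type: text/html; charset=utf-8');
    header('Cache-Control: no-store'); // keep privileged pages out of shared caches
    readfile($file);
    exit;
}

// Command-line demo with constructed sessions and page keys.
$cases = [[[], 'reports'], [['user_id' => 7], 'reports'], [['user_id' => 7], '../admin.html']];
foreach ($cases as [$session, $key]) {
    echo $key, ' => ', resolve_page($session, $key)[0], PHP_EOL;
}
```

Every .php script that handles a POST from those pages needs the same session check at the top, since knowing its name and arguments then gains an unauthenticated user nothing.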