Serving .php files directly is not a security issue, but as you said, nobody knows what's going on under the hood.