I have seen this mentioned as part of longer discussions, but I want to just put this up plainly and clearly.
If you move to Apache 2.4 and later, to be certain you have secured your directories, you need to edit your apache configuration file; as example:
Change:
<Directory “/export/srv/www/office.myhealthymind.ca/emr/sites/*/documents”>
order deny,allow
Deny from all
</Directory>
To:
<Directory “/export/srv/www/office.myhealthymind.ca/emr/sites/*/documents”>
Require all denied
</Directory>
The old directives (inside the <directory> </directory>) are deprecated and may not work as expected or at all. The new directive ( Require all denied ) is now the correct way.