User blog comment:Rappy 4187/Technical Update: November 18, 2015/@comment-9380534-20151118225134/@comment-11733175-20151119163241

For those concerned about api.php, wikia.php, and the more unusual cases such a relative image URLs, anything that's in Wikia's github repo can be viewed unless it's been explicitly disallowed, e.g. trying to execute a PHP file that isn't an approved entry point. That even extends to stuff like CREDITS, package.json and .gitignore.