I tried putting
if ( ! defined('BASEPATH')) exit('No direct script access allowed');
on the top of my controller, but still it is directly accessible.
All requests should go through index.php, where the BASEPATH gets defined. It prevents them from http://example.com/application/models/model.php via the URL and directly accessing the model, library, etc. It is a security measure.
if you see in index.php file there is line which defines the basepath
// Path to the system folder
define('BASEPATH', str_replace('\\', '/', $system_path));
For Example
if you trying access like example.com/application/controllers/Home.php then you get error No direct script access allowed