• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

XF 1.5 Thoughts on keeping things below the root


Well-known member
I try to keep things below the root when I can, e.g. some assets, config files, etc. I'm wondering about the following - all thoughts shared welcome.

(1) putting the config file information below the root and having an include in the config file. It does work. I'm wondering if there are any unexpected issues I might expect. Theoretically a good hacker can get the information anyway (such as getfilecontents) but, if they download the files above the root and don't realize the error, you can potentially reduce the damage of them accessing your db by giving you time to seal off the system before they realize what they don't have.

(2) Moving things like resources in resource manager below the root. There are questions if you want things to be indexed, e.g. pictures in the gallery, but for the most part, files may not be the same. It may be a benefit to keep leechers and hackers guessing as to where the files ultimately are.


XenForo developer
Staff member
1. That will work. You're mostly just protecting if PHP stops executing or something more bizarre happens (as we do also block web access to the library directory). No harm in it. If someone can run code on your server, the location of the file won't matter; it'll still be accessible.

2. In your config.php, you can change the internal data path to move it above the web root. (The external data directory needs to stay within the web root.)