I try to keep things below the root when I can, e.g. some assets, config files, etc. I'm wondering about the following - all thoughts shared welcome. (1) putting the config file information below the root and having an include in the config file. It does work. I'm wondering if there are any unexpected issues I might expect. Theoretically a good hacker can get the information anyway (such as getfilecontents) but, if they download the files above the root and don't realize the error, you can potentially reduce the damage of them accessing your db by giving you time to seal off the system before they realize what they don't have. (2) Moving things like resources in resource manager below the root. There are questions if you want things to be indexed, e.g. pictures in the gallery, but for the most part, files may not be the same. It may be a benefit to keep leechers and hackers guessing as to where the files ultimately are.