On MOST shared hosts .... directory above the webspace ...

it could also be possible to move the application anywhere above the documentroot or below it, or beside. Like:

Application (Everything except (admin)index.php, updater, media-folder, images-folder)

webroot/../local/, webroot/
webroot/private/ (protected by .htaccess), webroot/
webroot/private/, webroot/public/ (redirected by .htaccess)

Does this make sense? It seems webhosts allow to move the documentroot around, especially if it's not on a shared host.

Most Joomla sites are on some form of shared host

If it can't be applied to all hosts then why bother

because we support different environments and the more "professional" you go the more options you have to secure your setup

Thank you for calling me an amateur who doesnt secure their webspace

and installation/index.php

Yes, probably...

That depends how we can manage to do it, because also the updater is effected and extension installations an so on. Maybe you extract the complete joomla as normal to your public webspace and select the target directories for public and private parts in the installation process.

Couple question:
This should to be defined before installation or after?
Is it good idea to make configurable while installation?

Not sure what is best way

This should to be defined before installation or after?

Ideally both - consider re-installing a backup on a new host with different capabilities.

Is it good idea to make configurable while installation?

Yes, I think so. We'll find out how this best is done, once we start working on this. There are a lot of subtleties to consider that I may not have thought of at the moment.

in the end it should be one or two configuration options.

The list is incomplete. Since 4.0 and the introduction of the filesystem-local plugin a user could create a root directory which essentially is a public directory similar to images. This needs to be acknowledged and any changes should also affect any such user created folders

It would really help, if you could complete the list... TIA!

its a user-created area - so @dgrammatiko might create one called brussels and I might create one called leeds

maybe something like

* If the public directory gets changed, corresponding files and directories are moved:
  * administrator/index.php
  * api/index.php
  * media/
  * index.php
  * .htaccess
  * robots.txt
  * All the folders used in the Filesystem-Local plugin (default: images)

actually the images folder which is selected must be part of the "public" folder, so things like
adding images to this list makes no sense because we need a physical public folder which would hold the images (or better media files) add in the the plugin.

That means, a comment should be added that explains that the filesystem-local folder have to be locked to the public folder. (I'm not sure if it's lock to the joomla root folder atm, if so then it have to be locked to the public folder)

I'm not sure if it's lock to the joomla root folder atm, if so then it have to be locked to the public folder

It is locked to JPATH_ROOT

Also I'm not sure I get the plan for the Joomla update. Currently the JPATH_ROOT . '/administrator/components/com_joomlaupdate/extract.php' is a standalone entry point that requires direct access. If somehow the JPATH_PUBLIC . 'index.php' will have to require that file the functionality needs to happen WITHOUT booting any of the libraries/Application/... or any other system files. In sort I think the extract needs to also live in the public folder (maybe as update.php that will require_once the extract.php, or some similar functionality)