I just wanted to confirm the folder arrangement for a live site.
Am I right in thinking that my "Web" folder should be in my document root but all other folders (e.g. controllers etc.) and files (e.g. composer.json etc.) should be outside the web root?
You need to configure your server to use the your_site/web directory as web root, yes.
I have all my site contents inside my server root.
I have added a .htaccess file to the root:
RewriteRule ^$ /web [L]
This redirects calls to the root folder address to my actual web root. I've disabled listing of all the other folders.
What else should I do here to secure the location, people could still directly access files through the browser using the full path?
Do you have the option of setting the web root of your site on your host?
If you have, then set it to the web directory there.
Or, if you have full control and use virtual hosts:
Require all granted
I believe that is written in the guide, under installing Yii?
If you, for some reason, can’t set the root to ‘web’, then it is probably better to use this template:
It has already been secured properly (AFAIK) without having to use the subdirectory ‘web’ as root, so a good starting point.
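As an added example (not from any post in this thread and not the Yii guide's own text), here is an Apache 2.4 virtual host that serves only the web directory, with the layout the second poster describes shown commented out for contrast. The path /var/www/your_site and the host name example.test are placeholders, and index.php is assumed to be the entry script inside web.

```apache
# Added example; /var/www/your_site and example.test are placeholder values.

# Weak: the project root is the document root, so composer.json, config/,
# controllers/ and vendor/ all have URLs, whatever the rewrite rule does
# with requests for "/".
#<VirtualHost *:80>
#    ServerName example.test
#    DocumentRoot "/var/www/your_site"
#</VirtualHost>

# Corrected: only web/ is served; everything else sits above the document
# root and has no URL at all.
<VirtualHost *:80>
    ServerName example.test
    DocumentRoot "/var/www/your_site/web"

    # Deny the project tree explicitly, then open only web/ below.
    <Directory "/var/www/your_site">
        Require all denied
        AllowOverride None
    </Directory>

    <Directory "/var/www/your_site/web">
        Require all granted
        Options -Indexes
        AllowOverride None

        # Requests that match no real file or directory go to the
        # entry script (assumed to be web/index.php).
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule . index.php
    </Directory>
</VirtualHost>
```

After reloading Apache, requesting /composer.json or /config/ from a browser should return 404, because those paths no longer map to anything under the document root.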