Is Yii2 secure?

I’ve noticed that the folder “protected” doesn’t exist anymore in Yii2. I accessed the folder “vendor” with the navigator and I could see all its contents. I could even execute any PHP file. So is Yii2 really secure?

It is if you’re not putting it into webroot (you should not).

How can I set the webroot?

It depends on which webserver you’re using. If it’s Apache you’d use “<Directory …”, if it’s nginx then “root /some/absolute/path;”. If you’re on shared hosting, you can probably write one level above www or public_html. These are webroots. Since these are often not configurable, you can just rename the application’s “web” directory to “public_html” (or whatever your webroot is).
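
The Apache case described above, as an added example that is not part of the original post: a virtual host for the basic application whose document root is the `web` directory, so that `vendor` and the rest of the project have no URL at all. The host name `example.test` and the path `/var/www/myapp` are assumptions, and the rewrite block needs `mod_rewrite` enabled.

```apache
# Exposed layout (what the question describes): the whole project is the
# document root, so /vendor/... is browsable and its PHP files execute.
#   DocumentRoot "/var/www/myapp"

<VirtualHost *:80>
    # Assumed host name and install path; replace with your own.
    ServerName example.test

    # Only the "web" directory is mapped to URLs. vendor/, config/,
    # runtime/ and the other project directories sit one level above it.
    DocumentRoot "/var/www/myapp/web"

    # Defence in depth: refuse the project root by default...
    <Directory "/var/www/myapp">
        Require all denied
        Options -Indexes
        AllowOverride None
    </Directory>

    # ...and open only the web directory.
    <Directory "/var/www/myapp/web">
        Require all granted
        Options -Indexes

        # Send requests that match no real file or directory to the
        # entry script (pretty URLs).
        RewriteEngine on
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule . index.php
    </Directory>
</VirtualHost>
```

After reloading Apache, a request for `/vendor/` on this host should return 404, because nothing outside `web` is reachable by URL.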

I am using Apache and I would like to use the Yii2 advanced application. There are two "web" directories: "frontend/web" and "backend/web". What should I do to upload this application to shared hosting?

Unless you can set two document roots (2 hosting accounts) this may not be for you.

This setup is intended to have two domains, or a domain and subdomain with separate document roots. It is for using a shared codebase with two different ‘applications’ - usually a public facing site and administrative backend.

You can achieve a similar approach with the basic app using an /admin module if on shared hosting.

I must point out though - why use shared hosting anymore when you can have full root control with an awesome VPS for like… $5/month via DigitalOcean or other competitors?

Really useful answer. I think it should be pinned to the Yii2 installation manual. I will go for the Yii2 basic then. I didn’t know about DigitalOcean, it looks good. Can you tell me the name of a shared hosting with full root control?

You’ll never find shared hosting with full root control because anyone with root can do anything on the server (including messing with files/website/database that belongs to other tenants).

A VPS, however, can have root since you are given your very own virtual machine.

DigitalOcean, VPS.net, Linode, Amazon AWS, Microsoft Azure and many more. Just search on Google.

Thanks for your answer! Really useful.