Removing everything out of the web root which doesn't need to be served by a httpd server?


My name is Juergen. I am an experienced web developer and got interested in Yii after getting up to date on new frameworks. I have experience and have made projects with CodeIgniter, PRADO, Zend Framework, WordPress, etc. Plus, I maintain my very own simple PHP framework for some of my own sites.

Just recently I finished a very huge project with the Zend Framework and, since I managed a team of 10 developers, it really helped to be disciplined and work on a well-structured "frame". However, the speed of ZF is lousy. After this was done, I developed one of my own sites in pure PHP for a change and got fantastic speed out of it, but it's not very extensible and already has too many hacks, which only I understand. My next project is coming up and there might be more programmers added later, so I might want to use YII for it.

Anyway, I have a very simple question: Why does the default installation put stuff into the web root which doesn’t really get served by the httpd server? It seems to be common these days; the totally insecure WordPress installation dumps basically everything inside the web root (htdocs usually), then “protects” it with a .htaccess file.

My usual strategy is to place files similar to this:

/WEB/htdocs/index.php                             <- The front controller
           /css/                                  <- Static CSS files
           /js/                                   <- Static JavaScript files
           /images/                               <- Static image files
           /whatever-needs-to-be-served-by-httpd/ <- Static whatever files
/WEB/framework/                                   <- The framework or libraries totally separated
/WEB/application/                                 <- All application files

I understand that it's easier for users who have shared web hosting to just dump everything into the web root, but (I run my own servers) I understand that even if you work with shared hosts, you have something similar to my "WEB" directory and a sub "htdocs" directory, so you can still create sub-dirs under WEB which are not part of the "htdocs" web root.

The reason for this layout is simple: security. What is NOT placed in the web root can usually not be served (unless you make the decision to serve it). WordPress and other packages do something (ahem) questionable: they often define something like "APP_ROOT" in the front controller and add to every file residing in the web root a line like this:

if (!defined('APP_ROOT')) die("no direct access allowed");

which works, but is hard to maintain and so very unnecessary.

The point of all this above is that I would love to see YII using a similar approach from the beginning, or at least a simple way to have configuration defaults which allow for putting everything which doesn’t necessarily get served by a httpd server out of the web root (the “protected” folder for example).

Thoughts? Comments? Looking forward to it!

Thanks, and keep up the great work so far, YII looks very promising.


It’s actually very easy to move your protected directory to some other place. Simply configure the basePath property of your application in main.php:

'basePath' => dirname(__FILE__).'/..',

and in your index.php change the path to the framework and to your main.php:



If you run your own server, it may also be best practice to place the framework files in a location other than the web directory.

For example, on Linux/Unix you can place yii/framework under /var/local or /usr/local (or any other directory suitable for you).

Then add it in php.ini like this:

include_path = "/var/local/zend/library:/usr/share/pear:/var/local/yii/framework"


You can reach it from anywhere with this:

$yii = 'yii.php';

Right, that’s what I usually do, too. You can also organize it in one subfolder per release. That way I can easily switch back and forth between different framework releases:



// require_once('yii-1.0.8/yii.php');
// require_once('yii-svn/yii.php');



Thanks Mike and Ps47r,

good to know that good practices are part of YII by design! :)

Ps47r, yes, I do this with standard libraries like Smarty (used in older projects) and Zend Framework, but since I am new to YII, I prefer to keep it close to my code for the time being. When I am sure that YII works as well as expected, it will probably become a standard "library" on my machines. Just need to dig a bit deeper first.
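
An added example, not code from any poster in this thread or from Yii: a Python audit that checks a web root against the layout in the first post (one front controller plus static files) and reports everything else, including PHP files that rely on the defined()/die guard. The allowlists, function names and reason strings are assumptions of this example, and the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumed policy for this example: one front controller, everything else static.
ALLOWED_FILES = {"index.php"}
STATIC_EXTENSIONS = {".css", ".js", ".png", ".jpg", ".gif", ".svg", ".ico"}
# Matches guards such as: if (!defined('APP_ROOT')) die("...");
GUARD = re.compile(r"defined\s*\([^)]*\)\s*\)?\s*(?:or\s+)?(?:die|exit)\b", re.I)
# Constructed sample: a web root with application files dumped into it.
SAMPLE = {
    "index.php": "<?php // front controller",
    "css/site.css": "body{}",
    "protected/config/main.php": "<?php return array('basePath' => dirname(__FILE__).'/..');",
    "protected/.htaccess": "deny from all",
    "lib/util.php": "<?php if (!defined('APP_ROOT')) die('no direct access allowed');",
}

def classify(rel_path, head):
    """Return why a file should move out of the web root, or None if it may stay."""
    ext = Path(rel_path).suffix.lower()
    if rel_path in ALLOWED_FILES or ext in STATIC_EXTENSIONS:
        return None
    if ext != ".php":
        return "not a static asset"
    if GUARD.search(head):
        return "PHP relying on a defined()/die guard"
    return "PHP reachable by direct request"

def audit_web_root(web_root):
    """Walk web_root and return sorted (relative_path, reason) findings."""
    findings = []
    for path in (p for p in Path(web_root).rglob("*") if p.is_file()):
        rel = path.relative_to(web_root).as_posix()
        with path.open(errors="replace") as fh:  # only the first 4 KiB is inspected
            if reason := classify(rel, fh.read(4096)):
                findings.append((rel, reason))
    return sorted(findings)

def build_sample(root):
    for rel, body in SAMPLE.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print(*audit_web_root(root), sep="\n")
```

An empty result means the web root holds only the front controller and static assets, which is the state the layout above aims for.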