It's always a wise move to move your sensitive files outside of the so called WEBROOT, the directory which is used by Apache to show your website. This way you can be sure, that nobody else, but your Joomla core code can use these files.
Before of the advent of Joomla 1.5 you needed to manually edit the configuration.php file for this, so the trick qualified as a core hack. Now, with Joomla 1.5 and newer around, is some simple configuration setting.
- So, for the first step, log in to your site's hosting control panel, and create the two needed folders somewhere outside of your WEBROOT folder, usually called "public_html", "http", "wwwroot" or something similar.
- Then, in the Back-End Global Configuration, change the log path. Some extensions use the built in JLog class. This will, by default write logs to http://yousite/logs. Change this to a place that a casual browser cannot find (and don't pick /tmp/), or lock it down with http authentication. Because we are dealing Open Source software, attackers can read the code of third-party extensions and may be able to guess log file names.
- If this is done, in the Back-End Global Configuration, change the temp folder path.
- If the log and temp paths are changed and PHP open_basedir configuration directive is set, make sure that the new paths fall within the scope of open_basedir.