Akeeba Backup and the Joomla! custom public folder feature

What is a custom public folder?

[Important]Important

This is a Joomla!™ feature for EXPERT USERS ONLY. If you are not an expert, you MUST NOT use this feature. It makes managing sites harder, and is incompatible with many popular third party extensions.

The custom public folder feature has been added to Joomla!™ in version 5.0. In short, it allows you to place your Joomla installation (Joomla's files, including its core files and third party extension files) outside the web root (the directory from which your site is served by the web server).

We will give three examples:

On a commercial host, your web root is a directory similar to /home/myuser/public_html. You can put your Joomla installation in the directory /home/myuser/joomla without having to create a subdomain served from that directory. Your site will still be served from the web root folder, /home/myuser/public_html.

On a custom server running Debian or Ubuntu Server, your web root is typically the directory /var/www/html. You can put your Joomla installation in the directory /opt/joomla. This site will still be served from /var/www/html.

On a macOS local server, your web root is typically /Users/myuser/Sites. You can put your Joomla installation in the directory /Users/myuser/development/joomla. This site will still be served from /Users/myuser/Sites.

This feature works by creating symbolic links (symlinks) in the web root directory which point to the files inside the installation directory that are strictly necessary to serve your site. Everything else, including configuration.php and the folders of your extensions, stays outside the web root and cannot be requested over the web.

[Warning]Warning

This feature is NOT compatible with Windows. Even though Windows itself supports Folder Junctions and Symbolic Links, PHP cannot reliably create them there (doing so requires a Windows privilege the web server account does not normally have). As a result, neither Joomla nor Akeeba Kickstart can restore these symlinks, making it impossible to use this feature on Windows.

Creating a new installation with a custom public folder

Create a folder for Joomla outside the web root and extract the Joomla package into it. For example:

mkdir -p /opt/joomla
cd /opt/joomla
wget "https://github.com/joomla/joomla-cms/releases/download/5.0.0-rc2/Joomla_5.0.0-rc2-Release_Candidate-Update_Package.zip"
unzip Joomla_5.0.0-rc2-Release_Candidate-Update_Package.zip
rm Joomla_5.0.0-rc2-Release_Candidate-Update_Package.zip

Then, install Joomla! using the command line. For example:

cd /opt/joomla/installation
php ./joomla.php install --site-name="Joomla 5" \
  --admin-user="John Q. Public" --admin-username=johnqpublic \
  --admin-password="MfDQmqXYBwnwuBLwyepeFU4A" --admin-email=<admin e-mail address> \
  --db-type=mysql --db-encryption=0 --db-host=localhost --db-user=j5user \
  --db-pass="yZE2cSGZuCgh8GPSVKS3ZtHY" --db-name=j5 --db-prefix=j5_ \
  --public-folder=/var/www/html

Changing an existing installation to use a custom public folder

You need to move the site's files to the installation folder outside the web root, then use Joomla's command-line application to create the public folder. Take a backup first. Note that the shell glob * does not match dot-files, which is why the leftover .well-known and .ht* entries in the web root are removed separately; if your .htaccess contains custom rules, copy it aside before you run these commands. For example:

cd /opt/joomla
mv /var/www/html/* .
rm -rf /var/www/html/.well-known
rm -rf /var/www/html/.ht*
cd cli
php ./joomla.php site:create-public-folder --public-folder=/var/www/html

Does that make the default backup output folder safe?

Yes, and no.

Yes, this configuration makes the default backup output folder safer, since it is no longer inside the web root and therefore cannot be requested directly over the web. For most users this is not a huge change, though, because we already put a .htaccess and a web.config file in that folder which make it inaccessible on the Apache, LiteSpeed and Microsoft IIS web servers. (NGINX ignores those files, so on NGINX the custom public folder is a real improvement.)

It is still not safe, because the location of the default backup output folder is well known. An attacker who can exploit a vulnerability in Joomla or in any installed extension which allows them to list and/or download arbitrary files from the server can still download the backup archives stored in it. Using a different output folder, ideally one outside the Joomla installation altogether, is an additional hurdle the attacker has to clear. As always, never rely on a single layer of security. The French did it in World War II (see Maginot line) with disastrous results. A single layer of defence is a single point of failure.
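As an added check, here is a small audit script for the two procedures above (moving the site behind a custom public folder, and keeping the backup output folder out of reach). It is example code written for this page, not part of Joomla or Akeeba Backup. It walks everything the web server could serve, following the symlinks Joomla created, and flags anything that resolves into the backup output folder, exposes configuration.php, resolves outside both the web root and the installation, or looks like a backup archive. It assumes GNU-style readlink -f and find -L (Linux; on macOS install coreutils and findutils), and the Akeeba Backup output folder is passed in as a parameter rather than guessed.

```sh
#!/bin/sh
# Added example, not Joomla's or Akeeba's code: audit a Joomla custom public
# folder after site:create-public-folder. Assumes GNU-style `readlink -f` and
# `find -L` (Linux; on macOS install coreutils/findutils).
#
# Usage: audit_public_folder WEBROOT INSTALL_DIR BACKUP_OUTPUT_DIR
# Prints one "FINDING ..." line per problem and returns the number of
# findings (0 = clean, 99 = a path could not be resolved).

audit_public_folder() {
  webroot=$(readlink -f "$1") || return 99
  install=$(readlink -f "$2") || return 99
  backup_dir=$(readlink -f "$3") || return 99
  report=""

  # 1. The backup output folder itself must not sit inside the served tree.
  case "$backup_dir" in
    "$webroot"|"$webroot"/*)
      report="FINDING backup output folder is inside the web root: $backup_dir" ;;
  esac

  # 2. Walk everything the web server could serve, following symlinks, and
  #    flag anything that resolves somewhere it should not or looks like a
  #    backup archive. The loop runs in a subshell, so its output is captured
  #    into one string instead of being counted inside the loop.
  walk=$(
    find -L "$webroot" -mindepth 1 2>/dev/null | while IFS= read -r path; do
      real=$(readlink -f "$path")
      rel=${path#"$webroot"/}
      case "$real" in
        "$backup_dir"|"$backup_dir"/*)
          printf 'FINDING %s resolves into the backup output folder\n' "$rel" ;;
        "$install"/configuration.php)
          printf 'FINDING %s exposes configuration.php\n' "$rel" ;;
        "$webroot"/*|"$install"/*)
          : ;;   # expected: a plain file in the web root, or a link into the install
        *)
          printf 'FINDING %s resolves outside both trees: %s\n' "$rel" "$real" ;;
      esac
      # Akeeba's own archive formats are .jpa and .jps; .zip is also possible.
      # A .zip hit may be legitimate extension content, so review it by hand.
      case "$rel" in
        *.jpa|*.jps|*.zip)
          printf 'FINDING archive reachable over the web: %s\n' "$rel" ;;
      esac
    done
  )

  report=$(printf '%s\n%s' "$report" "$walk" | grep '^FINDING' || true)
  [ -n "$report" ] && printf '%s\n' "$report"
  n=$(printf '%s\n' "$report" | grep -c '^FINDING' || true)
  return "$n"
}

# Run as a script: audit_public_folder.sh WEBROOT INSTALL_DIR BACKUP_OUTPUT_DIR
if [ $# -eq 3 ]; then
  audit_public_folder "$1" "$2" "$3"
fi
```

Run it as root or as the web server user after the site:create-public-folder step, e.g. with /var/www/html, /opt/joomla and the backup output folder you configured in Akeeba Backup. A clean public folder produces no output and exit status 0; any non-zero exit status means something under the web root leads to a place the web server should never be able to read.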