by techvibe2 4510 days ago
You are right. The application does not belong in the public folder. My goal is to make installation as easy as possible. Just copy the code and start to blog. Another reason is that you can't easily run the application in a subdirectory, for example /blog/, if you put the application code behind the public folder.

Composer is a good idea, but with the first version we wanted to deliver one single package for the end users. We would use Composer for the next releases.

If you absolutely cannot separate out the public portion of the application from the core -- which should be possible because even the worst shared hosts allow for folders above public_html -- then you'll need to use a PHP solution for protecting the files. For example, if you define a constant in index.php and then check for that constant in included files, you can prevent access, e.g.:

    defined('BASEPATH') OR exit('No direct script access allowed');

From https://github.com/EllisLab/CodeIgniter/blob/develop/applica...

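
A check for the guard quoted in the comment above, as an added example that is not part of the thread or of either project: it lists every PHP file under a directory, other than the entry script, whose first lines lack a `defined('BASEPATH')` guard. The function names, the five-line window, the `core/` layout and the sample files are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit a deployed tree for PHP files that lack the
# "defined('BASEPATH') OR exit(...)" style guard. All names here are
# hypothetical; GUARD_CONST defaults to the constant quoted in the thread.

GUARD_CONST="${GUARD_CONST:-BASEPATH}"

# has_guard FILE
# Succeeds when one of the first five lines tests defined('<const>') and
# exits or dies on the same line. Covers both the "defined(...) OR exit"
# form and the "if (!defined(...)) exit;" form.
has_guard() {
    head -n 5 "$1" |
        grep -Eq "defined\([[:space:]]*['\"]${GUARD_CONST}['\"][[:space:]]*\).*(exit|die)"
}

# find_unguarded DIR [ENTRY]
# Prints, one per line, every *.php file under DIR that has no guard.
# ENTRY (default index.php) is the script that defines the constant, so it
# is skipped.
find_unguarded() {
    dir=${1%/}
    entry=${2:-index.php}
    find "$dir" -type f -name '*.php' ! -path "$dir/$entry" | sort |
        while IFS= read -r f; do
            has_guard "$f" || printf '%s\n' "$f"
        done
}

# make_sample DIR
# Builds a small constructed tree to try the check on: an entry script,
# one guarded class file and one unguarded file that returns an array.
make_sample() {
    mkdir -p "$1/core"
    printf '%s\n' "<?php" "define('BASEPATH', __DIR__);" \
        "require 'core/Blog.php';" > "$1/index.php"
    printf '%s\n' "<?php" \
        "defined('BASEPATH') OR exit('No direct script access allowed');" \
        "class Blog {}" > "$1/core/Blog.php"
    printf '%s\n' "<?php" \
        "return array('db_pass' => 'example');" > "$1/core/config.php"
}
```

Run `find_unguarded /path/to/app` against an installed copy; an empty result means every file other than the entry script carries the guard.
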
You are right again. But I will complicate the installation. The PHP files are secure; they are classes or arrays. If you execute them, nothing happens. We have an .htaccess file in the core applications folder. The .htaccess file rejects all requests.

We would also provide security tips for nginx users. Just to repeat: all files except index.php are classes or arrays, and they don't execute any code.