the ‘code in the document root’ problem
A lot of security concerns in web applications are related to exposing more to the public than absolutely necessary. The ‘code in the document root’ problem is one of them.
zen-cart and ZenMagick both suffer from this form of exposure, as both are located in the document root (or in subfolders of it). One indicator that this is perhaps not a good idea is the number of empty index.html and .htaccess files needed to keep directories from being listed.
Better structured applications, for example CakePHP, allow the application code itself to be moved outside the docroot. This leaves just the templates and other web files (.js, .css, images) visible.
In the case of zen-cart there is not a lot that can be done easily. A lot of code depends on fixed directory structures, and once you add third-party mods things get really difficult.
ZenMagick, in contrast, does not assume a lot about the layout, and in fact it’s quite easy to move it outside the document root.
It took me about four steps to achieve this (on a running installation):
- Move the zenmagick folder (except for the themes) two directories up (assuming that zen-cart is installed in the docroot itself)
- Modify zen-cart’s index.php to reflect the changed location of store.php
- Modify includes/init_includes/overrides/init_templates.php to reflect the changed location of init.php
- Patch ZMRuntime::getZMRootPath() and ZMRuntime::getPluginsDir() to point to the moved zenmagick folder and its contents
I might actually consider changing the installation to do this by default in the future. For now it’s another reason why I like ZenMagick :)
Another candidate to follow this scheme would actually be the cache folder, to avoid exposing cached HTML pages!
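As an added illustration (not code from this post, nor from ZenMagick or zen-cart), the following Python script audits a document root the way the four steps above and the cache remark imply: it lists every server-side code file that is reachable through the web server, apart from the allowed front controller, and flags a cache directory that sits under the docroot. It builds a throwaway zen-cart-like tree in both states, before and after the zenmagick folder and cache have been moved two directories up. The directory layout, the file names (store.php aside, which the post names; runtime.php and page.html are made up) and the exact position of the cache folder are constructed for the example.

```python
"""Audit a web document root for application code that should live outside it.

Constructed example: builds a small zen-cart-like directory tree, then walks
the docroot and reports every file that looks like server-side code and is
not an allowed front-controller entry point, plus a cache directory that
sits under the docroot.
"""
import os
import tempfile

# File extensions the web server would hand to the PHP interpreter.
CODE_EXTENSIONS = {".php", ".inc", ".phtml"}


def is_inside(path, root):
    """True if `path` resolves to `root` or somewhere beneath it."""
    path = os.path.realpath(path)
    root = os.path.realpath(root)
    return path == root or path.startswith(root + os.sep)


def find_exposed_code(docroot, allowed_entry_points=("index.php",)):
    """Return docroot-relative paths of code files reachable through the web
    server, excluding the allowed front controllers at the docroot top level."""
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in CODE_EXTENSIONS:
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            if rel in allowed_entry_points:  # top-level front controller is expected
                continue
            exposed.append(rel)
    return sorted(exposed)


def audit(docroot, cache_dir):
    """Combine the two checks a practitioner would want after the move."""
    return {
        "exposed_code": find_exposed_code(docroot),
        "cache_in_docroot": is_inside(cache_dir, docroot),
    }


def _touch(path, content=""):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def build_sample_site(base, code_outside_docroot):
    """Create a constructed zen-cart-like layout under `base` and return
    (docroot, cache_dir). With code_outside_docroot=True the zenmagick folder
    (minus themes) and the cache live two directories above the docroot."""
    docroot = os.path.join(base, "www", "htdocs")
    app_parent = base if code_outside_docroot else docroot
    cache_dir = os.path.join(app_parent, "cache")

    _touch(os.path.join(docroot, "index.php"), "<?php require 'store.php';")
    # zen-cart's own code stays in the docroot; the post says this is hard to fix.
    _touch(os.path.join(docroot, "includes", "init_includes", "overrides",
                        "init_templates.php"), "<?php // zen-cart init")
    # Themes stay under the docroot in both states (the post keeps them there).
    _touch(os.path.join(docroot, "zenmagick", "themes", "default", "theme.css"))
    # Application code: under the docroot before the move, two levels up after.
    _touch(os.path.join(app_parent, "zenmagick", "store.php"), "<?php // store")
    _touch(os.path.join(app_parent, "zenmagick", "core", "runtime.php"), "<?php // constructed")
    _touch(os.path.join(cache_dir, "page.html"), "<html>cached</html>")
    return docroot, cache_dir


def run_demo(code_outside_docroot):
    """Build one state in a temporary directory and return its audit result."""
    base = tempfile.mkdtemp()
    docroot, cache_dir = build_sample_site(base, code_outside_docroot)
    return audit(docroot, cache_dir)


if __name__ == "__main__":
    for moved in (False, True):
        state = "after moving zenmagick out" if moved else "before the move"
        result = run_demo(moved)
        print(f"{state}:")
        print("  cache under docroot:", result["cache_in_docroot"])
        for rel in result["exposed_code"]:
            print("  exposed code:", rel)
```

Run against a real installation by pointing audit() at the web server's DocumentRoot and the configured cache path; the remaining entries after the move are exactly the files that still need an .htaccess or server-level deny rule.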
