As I've been using version control more and more (and I've been using hg over git, using my free Bitbucket Account), I've just been putting my repo at the document root of my project. But even from the first time, I have been worried about security issues with that.

Not being a h4x0r myself, I don't really know if or how this makes me more vulnerable, but certainly, if I had permissions set incorrectly, they could probably access things in my .hg/ directory that had something I didn't want people to see.

Regardless, I think we can all agree that if my repo's root was one level above the document root, it would make it that much harder to access.

I started thinking about what else I could change to make things better or more secure, and this is what I came up with:

Example of a Better (TM) File Structure

What I Did

I knew that in CodeIgniter, in the main index.php file, you could set a different path for your system/ and application/ directories, so I decided to move those up one level, too, and prepend ../ to the paths in index.php.

There were very few complications from doing this. After moving the directories and editing index.php, everything worked except one place where I was saving a file to 'application/temp/file.zip', which I had to change to APPPATH . 'temp/file.zip', which is probably what I should have done in the first place.

As you know, PHP is compiled at runtime, so in 99% of the projects I work on I don't have any real need for a build script; I normally just sync what I have with the live server. In the past, that meant my source .scss and .js files were exposed on the server.

With the new structure, I moved my sass/ dir up one level, and put my source JavaScript files up one directory, too, in srcjs/. All I had to do to make that work was prepend public/ to a couple of variables in my config.rb and make sure CodeKit knew where I wanted my compiled (combined and minified) scripts to go.

If you're keeping track, that means the only things in my public directory (which could just as well be named public_html or www, etc., to match your server's setup) are public resources: my compiled (minified) stylesheets, JavaScript and images (as well as .htaccess and favicon.ico) and CodeIgniter's main index.php.
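To make the layout above concrete, here is an added example (not part of the original post) that builds the described directory tree in a scratch directory and then audits it the way I'd want to before syncing to a live server: it reads the $system_path and $application_folder settings out of public/index.php (those are the variable names CodeIgniter's stock index.php uses), confirms they resolve to directories that sit above the document root, and lists anything inside the document root that should never be served (VCS metadata, the framework directories, preprocessor sources, build configs). The project name, the srcjs/ and sass/ directories and the sample file contents are constructed for the example.

```shell
#!/bin/sh
# Added example: build the post's layout in a scratch dir, then audit it.
# Assumptions: repo root is one level above public/; index.php assigns
# $system_path and $application_folder with plain single-quoted strings.
set -eu

# Build the sample tree (constructed data): repo root one level above public/.
make_sample_layout() {
    root=$1
    mkdir -p "$root/.hg" "$root/system" "$root/application/temp" \
             "$root/sass" "$root/srcjs" "$root/public/css" "$root/public/js"
    printf 'repo metadata\n' > "$root/.hg/hgrc"
    printf 'body{color:red}\n' > "$root/sass/style.scss"
    printf 'body{color:red}\n' > "$root/public/css/style.css"
    : > "$root/public/.htaccess"
    : > "$root/public/favicon.ico"
    # Minimal stand-in for CodeIgniter's index.php with the ../ prefix applied.
    cat > "$root/public/index.php" <<'EOF'
<?php
$system_path = '../system';
$application_folder = '../application';
EOF
}

# Print the value assigned to a PHP variable, e.g. $system_path = '../system';
# $1 = path to index.php, $2 = variable name without the leading $
php_setting() {
    sed -n "s/^\\\$$2 *= *'\\([^']*\\)';.*/\\1/p" "$1"
}

# Return 0 when both CodeIgniter directories exist and sit outside the docroot.
check_ci_paths() {
    docroot=$1
    docroot_abs=$(cd "$docroot" && pwd -P)
    status=0
    for var in system_path application_folder; do
        rel=$(php_setting "$docroot/index.php" "$var")
        if [ -z "$rel" ]; then
            echo "missing \$$var in index.php"; status=1; continue
        fi
        dir="$docroot/$rel"
        if [ ! -d "$dir" ]; then
            echo "\$$var='$rel' does not resolve to a directory"; status=1; continue
        fi
        abs=$(cd "$dir" && pwd -P)
        case "$abs" in
            "$docroot_abs"/*) echo "\$$var='$rel' is INSIDE the docroot"; status=1 ;;
            *) echo "\$$var='$rel' -> $abs (outside docroot)" ;;
        esac
    done
    return $status
}

# Print every entry under the docroot that should never be web-accessible.
audit_docroot() {
    find "$1" \( -name '.hg' -o -name '.git' -o -name '.svn' \
        -o -name 'system' -o -name 'application' -o -name 'sass' \
        -o -name 'srcjs' -o -name 'config.rb' -o -name '*.scss' \) -print
}

# Number of findings; "0" means the docroot holds only public resources.
audit_count() {
    audit_docroot "$1" | wc -l | tr -d ' '
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_layout "$tmp"
    check_ci_paths "$tmp/public"
    echo "findings in new-style docroot: $(audit_count "$tmp/public")"
    # Same audit with the repo root as docroot (the old layout) for contrast.
    echo "findings in old-style docroot: $(audit_count "$tmp")"
    rm -rf "$tmp"
fi
```

Run it with `--demo` to see both results side by side: the new layout's public/ yields zero findings, while auditing the repo root as if it were still the document root flags .hg/, system/, application/, sass/, srcjs/ and the .scss source. Point `audit_docroot` at your real document root before deploying; anything it prints is something the web server would hand out if its own access rules were ever misconfigured.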

That's pretty awesome. No one has any access to any source files of any kind from the outside. It's clean, more secure, and definitely my new file structure for any new projects.