This can be achieved by using different strategies for a valid case. Let's look at a few of them:

- Restrict server users to a specific directory in Linux by limiting the access protocol. Developers normally access their server machines over an SSH connection, which is commonly targeted by attacker bots. So limit the users on your server to accessing the machine only with the `sftp` method, after which a user lands in their home directory and can then navigate to other folders with their password to perform other tasks. Read the blog for more details.
- Use a non-standard path to store your web server files, one that is not easy for attacker bots or other attackers to guess. Using non-standard paths such as `/MyData/WebSites/sitename01`, `/MyData/WebSites/sitename02` and so on can save you from various kinds of attacks that try to run or read files using a relative path.
Note: This is just security by obscurity. If somebody has enough access to your server to be able to read, or worse, modify arbitrary files on your server, the web root is the thing you should worry least about.
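
For the SFTP-only restriction in the first item, here is an added example (not from the original post): a shell check that a group's `Match` block in `sshd_config` forces `internal-sftp`, sets a `ChrootDirectory` and disables TCP forwarding. The group name `sftponly`, the paths and both sample configs are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit an sshd_config for an SFTP-only, chrooted group.
# Assumptions: group "sftponly", the paths and both sample configs are constructed.

# Constructed sample: group confined to chrooted SFTP.
hardened_config() {
cat <<'EOF'
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Constructed sample: SFTP is forced, but no chroot and forwarding is left on.
weak_config() {
cat <<'EOF'
Subsystem sftp internal-sftp
Match Group sftponly
    ForceCommand internal-sftp
Match User backup
    ChrootDirectory /srv/backup
EOF
}

# Read a config on stdin; print "keyword value" for each directive inside
# "Match Group <group>" blocks (only that simple Match form is handled).
match_block() {
    awk -v grp="$1" '
        /^[ \t]*(#|$)/ { next }   # skip comment and blank lines
        tolower($1) == "match" { inblk = (tolower($2) == "group" && $3 == grp); next }
        inblk { print tolower($1), $2 }
    '
}

# Read a config on stdin; list missing restrictions, return 0 only if none.
audit_sftp_only() {
    blk=$(match_block "$1"); rc=0
    for want in "forcecommand internal-sftp" "chrootdirectory /" "allowtcpforwarding no"; do
        printf '%s\n' "$blk" | grep -q "^$want" || { echo "missing: $want"; rc=1; }
    done
    return $rc
}

# Real use: audit_sftp_only sftponly < /etc/ssh/sshd_config
hardened_config | audit_sftp_only sftponly && echo "hardened: ok"
weak_config | audit_sftp_only sftponly || echo "weak: not confined"
```

OpenSSH additionally requires every component of the `ChrootDirectory` path to be owned by root and not writable by group or others; otherwise the login is refused.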