If the web server can write to the public web directory - regardless of whether you have one file there or a thousand, then there is a security hole. Moving most of the files out does not change this fact. It only means you have fewer file/directory permissions to keep track of.
The reality right now is that Elgg has 2 user classes:
The best solution is one that provides the flexibility to support both classes of users.
@cash
Yeah, leaving only those publicly accessible files in the public folder is just one of hundreds of web security measures. It can prevent potential direct access of Elgg files which are not intended to be directly accessed, and makes it easier to maintain the permissions, as you mentioned (any upgrade of Elgg may bring new files that require a careful check of file permissions).
To fit the two user classes, I think a default value for PATH_ELGG will do the trick. e.g.: add this to index.php:
define('PATH_ELGG', dirname(__FILE__));
For user class 1, this is totally transparent to them.
For user class 2, they can change dirname() to whatever they want.
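Added example, not part of either post or of Elgg's own code: a check for the condition the thread discusses, listing every path under the public web directory that the web server account can write to according to the mode bits. The function names and the command-line arguments (document root, account name) are assumptions of this example; ACLs and uid 0 are not considered.

```python
import os
import stat


def writable_by(st, uid, gids):
    """True if the mode bits in `st` grant write access to uid/gids.

    POSIX picks exactly one permission class: owner bits if uid owns the
    entry, else group bits if a gid matches, else the 'other' bits.
    """
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_docroot(docroot, uid, gids):
    """Return sorted paths (relative to docroot) the account can write to.

    Writable directories are reported as well, because write access to a
    directory allows creating or replacing the files inside it.
    """
    findings = []
    for dirpath, _dirs, filenames in os.walk(docroot):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no meaning
            if writable_by(st, uid, gids):
                findings.append(os.path.relpath(path, docroot))
    return sorted(findings)


if __name__ == "__main__":
    import pwd
    import sys

    # Usage (assumed): audit.py <docroot> <web server account>
    docroot, account = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(account)
    gids = set(os.getgrouplist(account, pw.pw_gid))
    for rel in audit_docroot(docroot, pw.pw_uid, gids):
        print("writable by " + account + ": " + rel)
```

An empty result means the mode bits give that account no write access anywhere under the directory; the fewer files kept there, the shorter the list to recheck after an upgrade.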