If you must put the dataroot in public web space, just put a file called .htaccess in it containing "deny from all" ... this will protect the whole directory.
General developer forum
One idea for security.
This discussion has been locked so you can no longer reply to it.