Difference between root index.php and pub directory index.php in Magento2?
- Magento 2 ships with two index.php files.
/path/to/magento2/index.php
/path/to/magento2/pub/index.php
One is at the absolute top level of Magento 2's distribution folder. The second is inside the "pub" folder. There are also separate but similar .htaccess files for each of these index.php files.
The folder you want to use as your Magento system's root folder is pub. This is a modern PHP framework convention, and is one layer in a layered approach to protecting your PHP and configuration files from being exposed to the world. However, Magento still ships with the root-level index.php because many hosting companies make changing this web root difficult or impossible.
Hint: https://alanstorm.com/magento-2-frontend-files-serving/
- Because in that case most of Magento's code will live outside the public document root, so the possible attack surface is smaller. In other words, when you use the top level folder as document root, you have to make sure that various folders (such as app) are explicitly denied in your webserver configuration.
Hint : Why Magento 2 have 2 possible root folder?
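A way to check which case a server is in, as an added example that is not part of the original answers: the function reads nginx `root` and Apache `DocumentRoot` directives from a config file and lists the Magento directories that fall under each document root. The directory list and both sample configs are assumptions constructed for illustration; a non-empty result means those folders are protected only by explicit deny rules, which this sketch does not evaluate.

```python
import re
from pathlib import PurePosixPath

# Assumption: top-level directories of a standard Magento 2 checkout that
# hold code or configuration and should not be reachable by URL.
SENSITIVE_DIRS = ("app", "bin", "dev", "generated", "lib", "setup", "var", "vendor")

# Matches nginx 'root <path>;' and Apache 'DocumentRoot "<path>"' lines.
# Commented-out directives do not match because '#' precedes the keyword.
ROOT_DIRECTIVE = re.compile(
    r'^[ \t]*(?:root|DocumentRoot)[ \t]+"?([^";\s]+)"?[ \t]*;?[ \t]*$',
    re.IGNORECASE | re.MULTILINE,
)

def audit_docroots(config_text, magento_root):
    """Return {docroot: [sensitive dirs located at or below that docroot]}."""
    base = PurePosixPath(magento_root)
    findings = {}
    for match in ROOT_DIRECTIVE.finditer(config_text):
        docroot = PurePosixPath(match.group(1))
        # A directory is served when the docroot is that directory itself
        # or any of its ancestors (for example the Magento root).
        exposed = [
            d for d in SENSITIVE_DIRS
            if docroot == base / d or docroot in (base / d).parents
        ]
        findings[str(docroot)] = exposed
    return findings

# Constructed sample configs: docroot at the Magento root versus at pub/.
ROOT_AS_DOCROOT = "server {\n    listen 80;\n    root /path/to/magento2;\n}\n"
PUB_AS_DOCROOT = (
    '<VirtualHost *:80>\n    DocumentRoot "/path/to/magento2/pub"\n</VirtualHost>\n'
)

if __name__ == "__main__":
    for name, text in (("root", ROOT_AS_DOCROOT), ("pub", PUB_AS_DOCROOT)):
        for docroot, exposed in audit_docroots(text, "/path/to/magento2").items():
            status = "needs deny rules for: " + ", ".join(exposed) if exposed else "ok"
            print(f"[{name}] {docroot}: {status}")
```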
Magento 2 uses /index.php mainly for CLI commands, where the media and static folders are not used. But when you access the website, you need to point to the index.php only, because the media paths are defined only in pub/index.php.
Magento 2 generally uses /index.php in the root folder. But when you go live and change the mode to production, Magento will use pub/index.php.