Scribble_Nerd That's why we moved the index.php to the public folder in beta 8. When you don't move the index.php out of public, those directories are not public. You'll have to manually prohibit access to those with by editing your server configuration.
If you use Nginx, you can use the beta 7 rule to deny those directories.
location ~* ^/(composer\.(json|lock)|config\.php|flarum|storage|vendor) {
deny all;
return 404;
}
If you use Apache, you might want to look at the .htaccess that is either in the public or root directory, and make sure it's pointing to the correct directories to block.
