Hi @Mk2000,
I can’t comment on the host’s configuration in detail – you might test it out with a test script outside of OJS, following instructions similar to what’s described here.
But if it’s really true that the only place your host will allow files to be written is inside public_html, you can move your files directory back there and protect it from direct access using a .htaccess file. This is a web server mechanism and support for these varies from server to server, so I can’t give precise instructions – but your host might have a knowledge base describing how this is done. See for example:
https://kb.hosting.com/docs/using-htaccess-files
The key is to prevent users from constructing a URL and accessing files in that directory directly in order to download .docx files, or worse, invoke .php scripts.
Regards,
Alec Smecher
Public Knowledge Project Team
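
An illustration of the kind of .htaccess protection described in the post above, added here as an example; it is not part of the original reply and is not PKP's own configuration. It assumes an Apache host that honours .htaccess files, and that the file is placed inside the OJS files directory itself (shown as `public_html/files`, an assumed path; use whatever `files_dir` is set to in `config.inc.php`).

```apache
# public_html/files/.htaccess   (assumed location: the OJS files directory)
#
# Goal: OJS keeps reading and writing these files through PHP on the server,
# but no browser can fetch them by constructing a URL into this directory.
# Denying every request also means a .php file stored here is never executed
# via the web server, because the request is refused before any handler runs.

# Apache 2.4 and later
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 fallback (mod_authz_core is absent there)
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

After uploading it, request the URL of a known file in that directory from a browser and confirm the server answers 403 Forbidden. If the file is still served, the host is ignoring .htaccess (for example `AllowOverride None`, or a server such as nginx that does not read these files), and the restriction has to be set through the host's own control panel or server configuration.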