Hi @simgiallorosso,
If you put the files_dir into the web root, you’ll have to make sure that nobody is able to access it directly via the web browser (e.g. by requesting http://your.domain.name/files/... via their browser to access the files that way). You can usually do this using a .htaccess file, but the exact details will depend on your server. See e.g. this guide: How to Restrict Access to Your Site Using .htaccess deny from all
Regards,
Alec Smecher
Public Knowledge Project Team