+1 great proposal.

While on this theme it might be a good idea to consider the different deployment scenarios, their merits and how that changes the configuration. For example:

In shared hosting:

  drupal/core
  drupal/local
  drupal/index.php
  drupal/.htaccess

Custom (non-distribution) unix install: (in /usr/local)

  lib/drupal - equivalent to core above
  var/drupal - equivalent to local above
  var/www/drupal/sites/example.com/files - this is configurable anyway

lib|var/drupal are not in the web-server's display paths; this potentially makes sharing the same web-server location with other apps easier.

windows based installs: I'm clueless there

The changes to the current drupal are minimal, mainly in the multi-site file include code.

Apropos. Recently there was a lengthy discussion on the debian-security mailing list about the general security status and practices of php applications. There was, let's say, discomfort about exposed configurations, 'talking' files, etc... While drupal is relatively good in this respect, we should be able to enable better practices and offer advice on the site configuration choices. Not everyone is experienced. Some people are willing to learn.

Cheers
Vlado