To hide some files I need to place these before web root directory . But, I can't find web root directory. Symbolic link is example.com -> /var/www/clients/client0/web2/. But, /var/www/clients/client0/web2/web/ is showed when I accessed example.com. Is it correct that I place security files in /var/www/clients/client0/web2/?
basically you need to NOT place your security files in a www accessible directory. so if your '/var/www/clients/client0/web2/' is not accessible via URL then yes it is safe to place your files there, otherwise you need to put them outside of your webserver's web root directory.
