Security advises

Does it mean that I must place some folders or files out of the file httpdocs on my web server ?

In this case, what are these folders/files ?

• Hacker can go and navigate to http://yourserver/projeqtor/files/attach/tryandguessfilename : if hacker tries many values for "tryandguessfilename", he will possibly retrieve an attached file from your server. If this file is confidential, you may be in great trouble.
  This is a real issue as hacker do not have to be connected to try all the urls, and as ProjeQtOr is open source, the hacker can examine source code to guess which names are given (formatting rule).
• If hacker (or some user with bad behavior) connects to your ProjeQtOr instance, he will try and upload some .php file, and then call it from direct url to do whatever he wants on your server (for instance delete all files, or retrieve server password file).
  Fortunately, ProjeQtOr renames php files to avoid this leak, but not all executable files may be protected (recently, a leaked has been fixed for files named .php4 and .php5 that can be interpreted as php files)

Is it this folder that I have to put outside the folder httpdocs (I mean on my server at the same level of httpdocs)

• files/attach (where attached files are stores)
• /files/config (you must more your parameter.php file out of hacker reach, because it contains your infortation to connect to database)
  Notice that you'll then have to change /tool/parametersLocation.php file
• /files/cron (technical flder for automatic executions)
• /files/documents (where document files are stored)
• /files/logs (where log files are stored)
  A hacker would love to read you log files as they may contain very interesting information on your server

• /files/reports (where images for reports are stores, and report html pages must have access to them)
• thumbs (where thumb images are stored)
  This folder will be more used in V5 than it is in V4

The security advise mentions also another directory "documents", but I cannot see it in my files