I've just completed a brand new install of PyroCMS on the dev server also it seems the system and addons folder reside over the document root folder within "public_html".

PyroCMS relies from CodeIgniter and each time Used to do a CodeIgniter do the installation always had me put the system folder below the document root for security reasons. Should not this be true using the PyroCMS install?

Modules require assets, which obviously means HTTP access is needed. We intend to eventually enhance the Resource assistant to GZIP/minify/mix everything and pass it with an "resource" controller, meaning images could be cached and resized, javascript could be squashed, etc.

Putting everything via a PHP file in by doing this means eventually you'll have the ability to have all the feaures outdoors from the public folder, but for the time being you'll need immediate access or else you are entirely messing with your odds of getting a style with images, css, javascript or symbols.

Just don't tell Apache for everyone PHP files as text/plain and you will be absolutely fine. -)