File tree:
mm/
    private/
        .htaccess
    public/
Both 'private/' and 'public/' will be web server writable.
There needs to be a foolproof method of denying web access to the private folder.
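
An added example, not part of the original page: the deny rule for `private/.htaccess` in both Apache 2.4 and 2.2 syntax, followed by the same rule in the server configuration, which still holds if the web-writable `.htaccess` is overwritten or overrides are disabled. It assumes Apache httpd; `/path/to/mm` is a placeholder for the real install path.

```apache
# ---------------------------------------------------------------
# Part A: contents of mm/private/.htaccess
# Only takes effect if the server config allows overrides here
# (AllowOverride AuthConfig for Require, Limit for Order/Deny).
# ---------------------------------------------------------------

# Apache 2.4+: access control is provided by mod_authz_core.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2: mod_authz_core does not exist, use the older syntax.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>

# ---------------------------------------------------------------
# Part B: main server or virtual host config (NOT valid in .htaccess)
# private/ is writable by the web server user, so any code running
# as that user can replace the .htaccess above. This block lives
# outside the writable tree and ignores whatever .htaccess says.
# /path/to/mm is a placeholder path (assumption).
# ---------------------------------------------------------------
<Directory "/path/to/mm/private">
    # Do not read .htaccess files in this directory at all.
    AllowOverride None
    # Apache 2.4 syntax; on 2.2 use "Order deny,allow" + "Deny from all".
    Require all denied
</Directory>
```

After deploying either part, request a known file under `private/` over HTTP and confirm the response is 403 rather than the file contents.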