Toro DTor asked a great question on the YouTube channel recently:
"Recently I helped someone with an FTP setup for his Joomla-4 and noticed he had a lot of folders and files which are not in the original install. I told him not to do that - because of security-risks (you are guilty too !!!). If it was up to me, I would have deleted those immediately, but that wasn't for me to decide. Among that extra stuff I saw a folder called ".wellknown", just like we can see @2:13 => What is that for?"
The advice you gave your friend is really good advice. One wants to run as few other programs as possible in the subfolders of a Joomla site. However, there are exceptions. For instance, some programs that Joomla bridges to must sit inside the root Joomla folder. Moodle LMS is an example of this when Joomdle is used as a bridge between it and Joomla.
Even if you try not to run other programs in your Joomla root folder, there may be other folders in there as part of your web hosting account. The ".well-known" folder that you have asked about is one such folder.
The ".well-known" folder is a standardized directory in the root of a website or web application that contains static files used for web-related functionality. It stores files that provide information about the website's ownership, security policies, and other essential data that web applications may require. For example, it might contain files that specify the location of a website's SSL certificate (as is the case on my server), indicate its ownership for verification purposes, or provide configuration data for various third-party services that the site uses.
You may have noticed another non-Joomla folder in the root Joomla folder in that video: the ".htpasswds" folder.
The ".htpasswds" folder is a directory that is commonly used on web servers that run Apache. This folder is used to store user authentication data for websites that require password protection. When you password-protect a directory or a specific page on your website, Apache will prompt visitors to enter a username and password to gain access. The username and password that visitors enter are then authenticated against the data stored in the ".htpasswd" file, which is located in the ".htpasswds" directory.
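To separate the hosting folders described above from extras that deserve a closer look, here is a small audit script, added as an example and not taken from the original post or from Joomla. The list of stock Joomla 4 top-level entries is an assumption based on the default package layout, and the sample tree (including the `moodle` and `old_backup` names) is constructed.

```python
import os
import tempfile

# Top-level entries of a stock Joomla 4 install (assumption: default package layout).
JOOMLA4_CORE = {
    "administrator", "api", "cache", "cli", "components", "images", "includes",
    "language", "layouts", "libraries", "media", "modules", "plugins",
    "templates", "tmp", "index.php", "configuration.php", "htaccess.txt",
    ".htaccess", "robots.txt", "robots.txt.dist", "web.config.txt",
    "LICENSE.txt", "README.txt",
}
# Folders the hosting account itself may create, as described above.
HOSTING = {".well-known", ".htpasswds"}


def audit_webroot(root):
    """Classify every top-level entry of a Joomla root folder."""
    report = {"core": [], "hosting": [], "review": []}
    for name in sorted(os.listdir(root)):
        kind = "core" if name in JOOMLA4_CORE else "hosting" if name in HOSTING else "review"
        report[kind].append(name)
    return report


def well_known_contents(root):
    """List files under .well-known so each can be matched to a known service."""
    base = os.path.join(root, ".well-known")
    found = []
    for dirpath, _dirs, files in os.walk(base):
        for f in files:
            found.append(os.path.relpath(os.path.join(dirpath, f), base).replace(os.sep, "/"))
    return sorted(found)


def build_sample(root):
    """Constructed sample tree standing in for a real hosting account."""
    for d in ("administrator", "components", "moodle", "old_backup",
              ".well-known/acme-challenge", ".htpasswds"):
        os.makedirs(os.path.join(root, d))
    for f in ("index.php", "configuration.php", ".well-known/security.txt"):
        open(os.path.join(root, f), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_webroot(tmp))
        print(well_known_contents(tmp))
```

Anything reported under `review` is either a deliberate exception, such as a bridged Moodle install, or a candidate for removal.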
Thanks for asking!