In reality you arent using 2 salts, you are using one unique salt per user, each users salt starts with the same few bytes though.

yes, I put the first salt in database and the second salt under www-root. Hacker who hack the database only will not know the fist salt.

I think you have to assume worst case: if they have access to your database, they have access to your web root. It might not be the case, but you should assume that.

Because it's stored in a database. If an attacker has access to the database with the hashed passwords she will likely have access to the database with the salt too.

but only the second salt is stored in a database, the first salt is stored under WWW-Root.

It's still there on the server, if the attacker has her hands on the database you have to assume that the entire server might be compromised

What is the best way to secure passwords?

You need to assume that the attacker will have access to anything on the server. So first thing is clearly no plain text passwords but hash only. Second thing is make as hard as possible for the attacker to decode the hash. One salt helps preventing use of rainbow tables but more salt is useless since the attacker has them. So you are left with choosing a hard algorithm to crack and currently the best one is bcrypt which is already implemented in most programming language for you.

Because sha1 is still super fast on a GPU. Why aren't you using bcrypt?

I thought that hashing password with two types of salt (one of them is unique for every user) and two places to storage salts is secure enough.

You thought wrong.