After upgrading i get "Your site may not be secure." msg.

by Fred Frazelle -
Number of replies: 16
Here is the text of the msg...

Your site configuration might not be secure. Please make sure that your dataroot directory (/home/fundaci/public_html/moodle/uploaddata) is not directly accessible via web.

Any idea what I can do to make it secure?

Have a great day!
In reply to Fred Frazelle

Re: After upgrading i get "Your site may not be secure." msg.

by Matt Molloy -

Hi Fred,

Your 'uploaddata' folder should not be directly accessible via the web, because anyone could easily browse to it and change your files. It should be kept outside the web root folder, but make sure the server has read/write access to it. Then you need to let Moodle know the path to it, by altering the dataroot entry in the config.php file.

Regards,

Matt

In reply to Matt Molloy

Re: After upgrading i get "Your site may not be secure." msg.

by Fred Frazelle -
Thanks guys! That was really fast!

Uh, I used File Manager and checked to see what files this thing contains. Evidently one of the programs, either the server or Moodle itself, uses it as a backup folder.

Its permissions are 777 instead of the 755 which all of the other folders have, which is pretty strange I guess.

Should I just go in and change the permission to 755 as well? Would that do it?

Have a great evening!
In reply to Fred Frazelle

Re: After upgrading i get "Your site may not be secure." msg.

by Paul Kores -
777 is a bad idea since then everyone in the whole world can change files in that directory. However, I had a related question: should the permissions be 775, or 755? In other words, for "server must have rw access", is the "server" in the owner or the group category? If the "server" really needs only rw access and not execute (which seems unlikely), then shouldn't there be a 6 in there somewhere?
In reply to Paul Kores

Re: After upgrading i get "Your site may not be secure." msg.

by Fred Frazelle -
Dear Paul -- It seems as though you've got as many questions as I do, but like I mentioned above, all the other folders only have a 755 permission on them, so, ???

Have a great evening!
In reply to Fred Frazelle

Re: After upgrading i get "Your site may not be secure." msg.

by Gordon Bateson -
Hi Paul, Hello Fred,
The Moodle data folder needs sufficient permissions for the process running the Apache server to be able to READ and WRITE to it, because Moodle needs to create folders and files within the data folder. The exact settings you require will depend on what user Apache is running as on your server and also on the users and groups that are set up on your server.

As Paul says, it may not be strictly necessary to allow EXECUTE access, but as a general rule for getting Moodle up and running, it is simplest to start with full access permissions, i.e. "777", and work back from there to the minimum required for Moodle to work.

The message that Fred got appears when Moodle detects that its data folder is under the WWW-root folder on your server. In Fred's case the WWW-root folder is "/home/fundaci/public_html", and as can be seen the Moodle data folder is under that folder. BTW, it is no problem for the Moodle scripts to be under the WWW-root. In fact, the Moodle scripts folder usually is under the WWW-root folder.

Remember, the message is only a "notification", not an "error", so it is not essential to move the data folder. However, it is important to make it inaccessible from the web.

If the data folder is accessible from the web, then people can make an educated guess at the URLs within the data folder and so be able to look at your course files and student submissions for assessments. Since you probably don't want people nosing around in your data folder, you should make it inaccessible.

There are two ways to prevent unwanted access to the data folder.
  1. Move it out of the area of the file hierarchy which is accessible via the web. For example, Fred's web folder is at "/home/fundaci/public_html" and the main Moodle folder is at "/home/fundaci/public_html/moodle", so a safe place to put the data folder would be "/home/fundaci/moodledata".
  2. Tell the Apache server to disallow direct access to the data folder from the web. This is done by adding an Apache settings file with the following settings in it:
    deny from all
    AllowOverride None
    The default name for the Apache settings file is ".htaccess". It has a strange name, but actually it is just a plain text file, so you can edit it with a text editor.
Sometimes you cannot move the Moodle data folder out of the main Moodle folder because the PHP settings on your server prevent PHP scripts from accessing folders that are in other branches of the file hierarchy. In this case, you may not be able to use method 1.

If you use method 2, you will still get the "notification" message from Moodle, but now you know the information above, you can rest assured that your Moodle data is as safe as any data can be on the WWW.

hope that helps
Gordon
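The two methods above, and Paul's 775-versus-755 question, as an added example that is not code from the thread, from Moodle or from Apache. It decides whether a dataroot sits under the web root (the condition that triggers the notice), writes a deny-all .htaccess for method 2, and tightens permissions. Two things the thread's two-line .htaccess does not mention: on Apache 2.4 the access-control syntax is "Require all denied" (the old "Deny from all" only works with mod_access_compat), so the file below carries both forms behind IfModule guards; and AllowOverride is only accepted in the server configuration, not inside an .htaccess file, where it makes Apache answer with a 500 error (which still hides the file, but for the wrong reason), so it is left out. On the execute bit: for a directory the x bit means "may enter", so the folders need 7 for the owner and the web server's group (770) while files only need 6 (660). The paths, the "1" course folder and the group name in demo() are assumptions taken from the thread; replace them with your own.

```shell
#!/bin/sh
# Added example, not code from the thread, Moodle or Apache: check whether a
# Moodle dataroot is under the web root and, if so, deny direct web access to
# it and tighten its permissions. Paths and group in demo() are assumptions.
set -eu

# Strip one trailing slash so "/a/b/" and "/a/b" compare equal.
norm() {
    p=$1
    case "$p" in
        */) p=${p%/} ;;
    esac
    printf '%s\n' "$p"
}

# Returns 0 (true) when dataroot $1 is the web root $2 or lies inside it,
# i.e. exactly the situation in which Moodle shows the "not secure" notice.
path_under_webroot() {
    data=$(norm "$1")
    web=$(norm "$2")
    case "$data" in
        "$web"|"$web"/*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Method 2: write a deny-all .htaccess into directory $1. Apache applies it
# to that directory and every directory below it. Works on 2.4 (Require)
# and on 2.2 (Order/Deny); AllowOverride is deliberately not included.
write_deny_htaccess() {
    dir=$1
    cat > "$dir/.htaccess" <<'EOF'
# Refuse every direct web request for this directory and everything below it.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Permissions: owner and the web server's group ($2) may read/write; the
# directories also need x so they can be entered; nobody else gets anything.
lock_down_dataroot() {
    dir=$1
    group=$2
    if [ -n "$group" ]; then
        chgrp -R "$group" "$dir"
    fi
    find "$dir" -type d -exec chmod 770 {} +
    find "$dir" -type f -exec chmod 660 {} +
}

# Stand-alone demonstration on a throwaway tree mimicking Fred's layout:
#   sh dataroot_lockdown.sh demo
demo() {
    home=$(mktemp -d)                      # stands in for /home/fundaci
    web="$home/public_html"
    data="$web/moodle/uploaddata"
    mkdir -p "$data/1"
    if path_under_webroot "$data" "$web"; then
        echo "dataroot is under the web root: writing .htaccess and fixing permissions"
        write_deny_htaccess "$data"
        lock_down_dataroot "$data" "$(id -gn)"   # group of the current user as a stand-in for Apache's
        ls -la "$data"
    else
        echo "dataroot is outside the web root: nothing to do"
    fi
    rm -rf "$home"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Method 1 is still the better choice where the host allows it: if the dataroot is moved to something like /home/fundaci/moodledata, path_under_webroot returns false, no .htaccess is needed and the notice disappears.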
In reply to Gordon Bateson

Re: After upgrading i get "Your site may not be secure." msg.

by Fred Frazelle -
Wow, Gordon. That was impressive. Thanks a lot to everyone who has helped. It looks like we're pretty close.

If I use Met. 2, can I create this file under "/"? I can see a couple of "." files under here, like .spamkey, .lastlogin, but I don't see any folder Apache.

Have a great evening!

p.s. You know, I was looking at my CPanelX main screen and noticed a program... "Password Protect Directories"

After selecting the directory i get a screen, and one of its select boxes says:

"Checkbox" Directory requires a password to access via the web (you must check this to activate password protection).

Do you suppose that if I checked this and then filled in the Username and Password, that this would secure what we're looking for?
In reply to Fred Frazelle

Re: After upgrading i get "Your site may not be secure." msg.

by Gordon Bateson -

Hi Fred,

> "Password Protect Directories" ... Do you suppose that ... this would secure what we're looking for?

Maybe, but you would be better off implementing one of the methods I described earlier.

I don't know what "Met. 2" is, but I imagine it is either your FTP program or the control panel you use to administer your web site. Probably it is showing you the view of either the "/home/fundaci" folder, or maybe the "/home/fundaci/public_html" folder.

Don't worry if you can't see a folder called "Apache". That is normal. The WEB-folder I talked about earlier is called "public_html" on your server. If you can't see it, then you are probably already in it, and you should use method (2), which I described earlier, to secure your Moodle data folder.

Generally, you should not touch any "." files. They are important server files - in Windows terms they are "system" files. An exception to this "don't touch" rule is the ".htaccess" file that you create in the Moodle data folder.

cheers
Gordon

In reply to Gordon Bateson

Re: After upgrading i get "Your site may not be secure." msg.

by Helen Whitehead -
I was worried about this message too. I looked in my uploaddata folder and there is already a ".htaccess" file with the contents

deny from all
AllowOverride None

Is this now safe? I am still getting the notification message as mentioned in the post above so difficult to tell if it's ok!

If it's still not safe, where should the .htaccess file go if not uploaddata folder?
In reply to Helen Whitehead

Re: After upgrading i get "Your site may not be secure." msg.

by Gordon Bateson -
> Is this now safe?

Yes. To reassure yourself, try accessing a file in the data folder directly:
  1. login as Moodle admin and upload an html file to the "Files" area on the main site page
  2. startup your browser and type in the direct URL of the html, e.g.
    http://www.mysite.com/moodle/moodledata/1/myfile.html
If you get a message saying "Page not found" or "Page not accessible", then your data folder is safe.

If you CAN see the contents of the file, then your site is NOT secure yet, so please come back here for more help.

regards
Gordon
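Gordon's check, scripted, as an added example that is not code from the thread or from Moodle. It requests the handful of URLs a visitor would guess for a dataroot that sits under the web root (the uploaded file, the course folder itself, the .htaccess file and the dataroot root) and reports a verdict per URL. Any 2xx response means the server handed the content over; 401, 403 and 404 mean it was refused; a 5xx is also a refusal in practice but usually points at a broken .htaccess (for instance the AllowOverride line from the thread, which Apache does not accept inside an .htaccess file). The base URL and the file name "1/myfile.html" are assumptions taken from the thread; the script needs curl and a reachable site, so the live probe itself is not exercised by its test.

```shell
#!/bin/sh
# Added example, not from the thread or Moodle: probe the guessable URLs of a
# web-exposed dataroot and report which ones the server still serves.
# Base URL and "1/myfile.html" are assumptions; needs curl and a live site.
set -eu

# Turn an HTTP status into a verdict. Any 2xx means the content was served.
classify_status() {
    case "$1" in
        2??)          echo exposed ;;
        401|403|404)  echo blocked ;;
        5??)          echo blocked-by-error ;;   # check the .htaccess directives
        *)            echo "unclear-$1" ;;
    esac
}

# URLs worth trying under a base such as http://www.mysite.com/moodle/moodledata:
# the uploaded file, the course folder (directory listing), .htaccess, the root.
dataroot_probe_urls() {
    base=${1%/}
    printf '%s\n' "$base/1/myfile.html" "$base/1/" "$base/.htaccess" "$base/"
}

# Fetch each URL with caching disabled (Gordon's "change the file and refresh"
# point) and print "verdict status url". Returns 1 if anything is exposed.
probe_dataroot() {
    rc=0
    for url in $(dataroot_probe_urls "$1"); do
        code=$(curl -s -o /dev/null -w '%{http_code}' -H 'Cache-Control: no-cache' "$url")
        verdict=$(classify_status "$code")
        printf '%-16s %s %s\n' "$verdict" "$code" "$url"
        if [ "$verdict" = exposed ]; then
            rc=1
        fi
    done
    return $rc
}

# Usage: sh probe_dataroot.sh http://www.mysite.com/moodle/moodledata
if [ $# -eq 1 ]; then
    probe_dataroot "$1"
fi
```

A status of 000 (curl could not connect at all) is reported as "unclear-000" rather than "blocked", so a typo in the base URL is not mistaken for a secured dataroot.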
In reply to Gordon Bateson

Re: After upgrading i get "Your site may not be secure." msg.

by fedreko loca -

Hi Gordon,

Thanks for your notes; however, I did put your script in, but I still can access an uploaded file through the web. Any advice?

Regards

In reply to fedreko loca

Re: After upgrading i get "Your site may not be secure." msg.

by Gordon Bateson -
Hi Fedreko
  1. Are you SURE you can access the uploaded file?
    For example, if you change the contents of the uploaded file, and refresh the page in your browser, do you see the changed contents?
  2. Can you view the contents of the ".htaccess" file in your browser?
  3. Does your hosting service allow you to use ".htaccess"?
  4. Did you search the support site of your hosting company to find out about ".htaccess"?
cheers
Gordon
In reply to Gordon Bateson

Re: After upgrading i get "Your site may not be secure." msg.

by fedreko loca -

Thanks Gordon, however i still have the problem,

If I edit .htaccess under the public folder it denies access to the site. My hoster is SiteGround and it allows .htaccess; it's very poor in terms of support, maybe new forums. The site doesn't like moving data to another folder. Currently my permissions are 750.

Any help.

Cheers,

Fed 

In reply to Gordon Bateson

Re: After upgrading i get "Your site may not be secure." msg.

by Juan Marín -
I'm not sure that .htaccess is safe...
Of course, the moodledata folder is not accessible, but the protection isn't recursive for the subfolders that the folder contains. I.e. if you have a course in the folder "1", anybody could access ../moodledata/1 and see and download the files.
And everybody could know what folders are "available" by moving the cursor over the course hyperlink (or the forums hyperlink).

Is there a way to set .htaccess recursively for all folders and subfolders? Otherwise you have to put manually one .htaccess file in each new folder that the system creates in moodledata (I have hundreds of them).
In reply to Juan Marín

Re: After upgrading i get "Your site may not be secure." msg.

by Juan Marín -
Maybe an easy way to keep sniffers away is to set an original name for the data folder (if you use the default name "moodledata", anybody could surf your files), but if you use another name (don't forget to change the variable in the config.php file), nobody could know the full path to your files. Isn't it?