I'm facing the same issue. Sorry by the question but I am very new with Moodle and Web programming (I'm just a teacher trying Moodle). My installation was made automaticallly by the hosting Company. I have access to all the a files in my site. How can I specifically do what you are suggesting?
I want to thank you for your video. Worked like a charm!
The file structure on your server should look like this:
home is the root directory of your hosting account. It has two parts: what's accessible by anyone with an Internet connection, and what's not.
moodledata houses all of your courses and their content, and can't be accessed directly with an Internet browser because it's outside of public_html. Anything in the moodledata folder can only be accessed or "called" through the Moodle interface (i.e. your website).
public_html houses everything that is web-accessible, and anyone with an Internet connection can get at those files. It's public!
moodle is your Moodle! And it's publically accessible on the web. Of course, gaining access beyond the frontpage requires an account with your Moodle (unless you allow guest access).
If you look carefully, you'll notice that moodledata isn't in the public_html folder, so it's not on the web. It's on your server, sure, but it can't be accessed from the web. You have to "go through" moodle to get at those files, and "going through" moodle requires a username and password.
Thanks so much! Your simple explanation was a great help. So, in other words, this notification:
You were absolutely right. I have moved Moodledata to a secure place and I trust that Moodle will know where to find the folder. Thanks so much for following up!
If I move the moodledata folder to a new folder (as explained in the above comment), and then change the location of moodledata in config.php, this should protect my data and remove the message that says Your site configuration might not be secure. Please make sure that your dataroot directory (/opt/lampp/htdocs/moodledata) is not directly accessible via web.
Of course, I would make it a copy and then rename the old moodledata folder.
Is there anything else that will need to be changed after moving the moodledata folder?
I have successfully moved my moodledata folder.
The original location was /opt/lampp/htdocs/moodledata
htdocs is the directory where my public web files go. This is how the directory structure looks like on a linux server. My moodle directory was also in htdocs.
I have created a new folder on the root directory of my server called secrets.
The moodledata folder is now located at /secrets/moodledata
All the warnings have now disappeared, and moodle seems to be running normaly.
I had already discovered that the moodledata folder does contain a .htacces file.
Here is the code in that .htaccess file.
deny from all
Note: This file is broken intentionally, we do not want anybody to undo it in subdirectory!
It sounds like it might already be protected, but does anyone know why the file says it's intentionally broken. It might be because there is no link to a .htpasswd file, but that would be a wild guess.
If I locate to a file in the moodledata directory, such as a jpg image, in my web browser, I get an error 500. Would you say that the moodledata folder is protected by apache because of this error? No other web directory on my server displays this error.
I have just setup Moodle, also installed by my host and get the same message. The .htaccess file is there and when I try to directly access domain/moodle/moodledata it gives an Apache server error saying the request cannot be completed.
This means that the .htaccess file is doing it's job but the Moodle install doesn't appear to run a test and just gives the warning as it finds the moodledata folder in the public area.
Here is a step by step instruciton about how you can move the folder away from public_html to root directory to avoid "Your site configuration might not be secure. Please make sure that your dataroot directory is not directly accessible via web." message
I moved my uploaddata directory to my root directory and edited the config file as instructed. However, I know receive a message:
Invalid permissions detected in $CFG->dataroot directory, administrator has to fix permissions.
I have chmod the entire uploaddata/ and its contents, but still receive the error. Any ideas?
What follows is my response to the problem of a Moodle 2.2 installer that cannot proceed when it finds the moodledata directory is insecure. I think this is also relevant here. (Note: Changes to the config.php file are only useful once the installation is complete) ...
Quick way out of the moodledata security impasse!
This has taken up the past EIGHT hours of my day and below is how I quickly solved the problem, with the help of my hosts 1and1. Hopefully this will save others the sheer torment of an installation that will not proceed!! I am on a linux shared server and do not have access to levels above my webroot (i.e. I can get into, but cannot see above, my htdocs/public_html folder). I am not alone because I've been reading all the posts!
Skippable-rant: The web is full of people frustrated with Moodle and with their hosts because of this particular installation impasse. It is utterly ridiculous that Moodle is configured to install in a way that will be defeated by most of the cheaper web hosts where access beyond the webroot is disallowed. Especially when the solution below is so simple. Why on Earth is it not mentioned in the installation instructions!
First, I had tried all the other offered solutions which have worked for some people but not for me: changing moodledata permissions to 750, 755, 700 etc; creating a .htaccess file etc. No good.
My hosts 1and1 responded quickly (less than one hour) with the following suggestion which I am certain would also work on other hosts:
Regarding your Moodle installation, please change the destination of your [mydomain.co.uk] domain to "/moodle" to resolve the problem in the moodledata folder section. After changing the destination of the domain, please give it about 3-5 minutes for the server to refresh and after that, proceed with the installation. To change the destination of the domain, please follow the steps provided in the link below.
As I say, this worked, and would work similarly for other hosts I am sure. I chose to point my domain at moodle, as they suggested. Obviously, this will not be the solution everybody wants. But there is the option to create another folder for the domain to point at, and put moodledata alongside it and moodle itself (and any other sites using the same domain) inside it. This creates a level of invisibility above the moodle folder that satisfies the installer!
This would work (with your domain configured to point here *) if you want to run your moodle as http://yourdomain.com/moodle:
- /htdocs (no access above this point)
In my case, my moodle is now to be found at http://mydomain.co.uk/ which works fine for me:
- /htdocs (no access above this point)
Kind of obvious when we think about it! So somebody with the right permissions please add it to the installation instructions!
Please do avoid posting the same thing in different forums: