Not sure this is a security issue with 'insecure dataroot', but, rather, a confiiguration issue with the site. There a few ways to assure that only your students register for your courses. Put a key on the courses. When/if a guest user registers an account in Moodle via EMail based authentication and then attempts to enter the course, they are prompted to provide the key (a phrase/line of text) which can only be obtained by the teacher in the course. Change the key after all your true students have signed up.
'spirit of sharing', Ken