2.7.1 Moodledata folder location

by Wendi Daniels -
Number of replies: 6

My files are set up like this:

public_html>Moodle files (including Moodledata)


I understand that can make the Moodledata folder accessible to a hacker. Is this true?

In reply to Wendi Daniels

Re: 2.7.1 Moodledata folder location

by Howard Miller -

Short answer yes. 

Slightly longer answer - unless you have some compelling restriction that means you cannot create directories outside of public_html, then create moodledata someplace other than public_html. This is safest.

If you have to have moodledata where you have put it then it is protected by an .htaccess file (which I think is added automatically). If the .htaccess file doesn't work then Moodle will refuse to run. So, if Moodle runs you are ok but your setup is not ideal. 

In reply to Howard Miller

Re: 2.7.1 Moodledata folder location

by Wendi Daniels -

Where would I find that .htaccess file? I tried to locate one, and never found one. Could my site be without one?

In reply to Wendi Daniels

Re: 2.7.1 Moodledata folder location

by Rick Jerz -

Hi Wendi,

I think that you have mentioned that you have a VPS. If so, you should be able to move your moodledata folder back one level and get it out of public_html. This is really what you should do, and it's a good thing to learn how to do. When you log in as a user to your VPS to manage it, most often you are put at a level right below public_html.

One way to tell if you have an .htaccess is from your browser: try to go to a folder directly (a folder that has some files in it). For example, on my website, you could try going to www.rjerz.com/c. This is a real location with many files in it, but your browser will give you an error message because I have a .htaccess file, which works. If you see your file names and folders, you probably do not have a correctly configured .htaccess file.

If you search google for .htaccess, you will find many hits for it.  .htaccess can be pretty technical, but one of its main functions is to not expose your files and folders to the world.

Having said all of this, I am just sharing my experience with you.  I am not the technical expert, but others, like Howard and Ken for example, are really good with this stuff.

Realize that any file that begins with a period is sometimes hidden, depending upon how you are looking at your files. But if you are SSH'ing into your server with a terminal application, you will see it. When I FTP to my VPS from my Mac, I don't see files starting with a period.

Yes, your site could be without one.  .htaccess, I believe, is optional. 

Moodle does put a .htaccess file into my moodledata folder, and I see it.  I think this always happens during an install of Moodle, but not sure.  Howard might be able to verify this.

I forget, are you managing your VPS with cPanel only, FTP, SSH, or by some other method?  Doing what you need to do can sometimes be done easier with SSH.  Knowing what you use will help us advise you.


In reply to Rick Jerz

Re: 2.7.1 Moodledata folder location

by Howard Miller -

Yep - the .htaccess file (which is hidden on most systems) is created automatically. However, it will only be honoured if your web server has this feature enabled. That is, it won't always get you out of trouble if you put your moodledata in the wrong place. 

In reply to Howard Miller

Re: 2.7.1 Moodledata folder location

by Rick Jerz -

So I think this is a very good example of how someone, who wants to run their own server and Moodle, needs to learn how to make sure that moodledata is in the correct place.  If not, one needs to learn how to move it, and how to edit config.php to make sure the moodledata folder is in the correct place, with the correct "rights".

I have found that the best way to assure that this happens is to pay attention to the dialog boxes that present themselves during the initial install of moodle, since the install will ask these questions.  This is also one of the problems with one-click installs, they think they know how to install moodle on their own, and then do it incorrectly.

I am not sure where Wendi is overall, if she did a one-click install, if she is the administrator, and her overall comfort with these computer related issues, but it's good to know that there are people like you who are patient and want to help.
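A check for the layout discussed in this thread, as an added example that is not part of any poster's reply and not Moodle's own code: it reads `$CFG->dataroot` from config.php, resolves symlinks, and reports whether moodledata sits inside the web root and whether a .htaccess file is present there. The function names are hypothetical, and it assumes config.php sets the path as a quoted literal.

```shell
#!/bin/sh
# Added example (not Moodle's code): report where moodledata sits relative to
# the web root. Assumes config.php sets $CFG->dataroot to a quoted literal path.

# Print the dataroot path configured in the config.php given as $1.
moodle_dataroot() {
    awk -F"['\"]" '/^[ \t]*\$CFG->dataroot/ { print $2; exit }' "$1"
}

# Return 0 if directory $2 is the same as, or inside, directory $1.
# Symlinks are resolved first so a linked moodledata is still caught.
is_inside() {
    root=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    dir=$(cd "$2" 2>/dev/null && pwd -P) || return 2
    case "$dir/" in
        "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a verdict. $1 = web server document root, $2 = Moodle's config.php.
audit_dataroot() {
    dataroot=$(moodle_dataroot "$2" 2>/dev/null) || dataroot=""
    if [ ! -d "$1" ] || [ -z "$dataroot" ] || [ ! -d "$dataroot" ]; then
        echo "UNKNOWN"
    elif ! is_inside "$1" "$dataroot"; then
        echo "OUTSIDE_WEBROOT"
    elif [ -f "$dataroot/.htaccess" ]; then
        # Only protective if the web server honours .htaccess files.
        echo "INSIDE_WEBROOT_HTACCESS_PRESENT"
    else
        echo "INSIDE_WEBROOT_NO_HTACCESS"
    fi
}

# Constructed sample layout mirroring the question: moodledata under public_html.
demo=$(mktemp -d)
mkdir -p "$demo/public_html/moodle/moodledata"
printf '%s\n' '<?php' "\$CFG->dataroot = '$demo/public_html/moodle/moodledata';" \
    > "$demo/public_html/moodle/config.php"
audit_dataroot "$demo/public_html" "$demo/public_html/moodle/config.php"
rm -rf "$demo"
```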

In reply to Wendi Daniels

Re: 2.7.1 Moodledata folder location

by Rick Jerz -

"I understand that can make the Moodledata folder accessible to a hacker. Is this true?"

To answer this question, yes, if you make a mistake with your installation, you can make your moodledata directory accessible to a hacker.