Your site configuration might not be secure. Please make sure that your dataroot directory (/home/fundaci/public_html/moodle/uploaddata) is not directly accessible via web.
Any idea on what I can do to make it secure?
Have a great day!
Your 'uploaddata' folder should not be directly accessible via the web, because anyone could easily browse to it and change your files. It should be kept outside the web root folder, but make sure the server has read/write access to it. Then you need to let Moodle know the path to it, by altering the dataroot entry in the config.php file.
Uh, I used File Manager and checked to see what files this thing contains. Evidently one of the programs, either the server or Moodle itself, uses it as a backup folder.
Its permissions are 777 instead of the 755 which all of the other folders have, which is pretty strange I guess.
Should I just go in and change the permission to 755 as well? Would that do it?
Have a great evening!
The Moodle data folder needs sufficient permissions for the process running the Apache server to be able to READ and WRITE to it, because Moodle needs to create folders and files within the data folder. The exact settings you require will depend on what user Apache is running as on your server and also the users and groups that are set up on your server.
As Paul says, it may not be strictly necessary to allow EXECUTE access, but as a general rule for getting Moodle up and running, it is simplest to start with full access permissions, i.e. "777", and work back from there to the minimum required for Moodle to work.
The message that Fred got appears when Moodle detects that its data folder is under the WWW-root folder on your server. In Fred's case the WWW-root folder is "/home/fundaci/public_html", and as can be seen the Moodle data folder is under that folder. BTW, it is no problem for the Moodle scripts to be under the WWW-root. In fact, the Moodle scripts folder usually is under the WWW-root folder.
Remember, the message is only a "notification", not an "error", so it is not essential to move the data folder. However, it is important to make it inaccessible from the web.
If the data folder is accessible from the web, then people can make an educated guess for the URLs within the data folder and so be able to look at your course files and student submissions for assessments. Since you probably don't want people nosing around in your data folder, you should make it inaccessible.
There are two ways to prevent unwanted access to the data folder.
- Move it out of the area of the file hierarchy which is accessible via the web. For example, Fred's web folder is at "/home/fundaci/public_html" and the main Moodle folder is at "/home/fundaci/public_html/moodle", so a safe place to put the data folder would be "/home/fundaci/moodledata".
- Tell the Apache server to disallow direct access to the data folder from the web. This is done by adding an Apache settings file with the following settings in it:
The default name for the Apache settings file is ".htaccess". It has a strange name, but actually it is just a plain text file, so you can edit it with a text editor.
If you use method 2, you will still get the "notification" message from Moodle, but now you know the information above, you can rest assured that your Moodle data is as safe as any data can be on the WWW.
Hope that helps
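The checks behind the two methods above can be scripted. This is an added example, not part of the original thread or of Moodle: `audit_dataroot` and its finding names are hypothetical, and because the thread's own .htaccess settings are not shown, the script assumes the deny rule is one of Apache's standard forms.

```shell
#!/bin/sh
# Added example: audit a Moodle data folder against the two methods above.
# Usage: audit_dataroot WEBROOT DATAROOT
# Prints one finding per line; returns 0 if acceptable, 1 if not, 2 on error.

# Resolve symlinks and ".." so the containment test compares real paths.
canon() { (cd "$1" 2>/dev/null && pwd -P); }

audit_dataroot() {
    webroot=$(canon "$1") || { echo "ERROR: cannot open $1"; return 2; }
    dataroot=$(canon "$2") || { echo "ERROR: cannot open $2"; return 2; }
    rc=0

    # Mode 777 sets the "other" write bit: any local account can alter the data.
    if [ -n "$(find "$dataroot" -prune -perm -0002)" ]; then
        echo "WORLD_WRITABLE"; rc=1
    fi

    # Moodle shows its notification when the data folder is under the web root.
    case "$dataroot/" in
        "$webroot"/*)
            echo "INSIDE_WEBROOT"
            # Method 2. Assumption: the deny rule is one of Apache's standard
            # forms, "Deny from all" (2.2) or "Require all denied" (2.4).
            if grep -Eiq '^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied)' \
                    "$dataroot/.htaccess" 2>/dev/null; then
                echo "HTACCESS_DENY_PRESENT"
            else
                echo "NO_HTACCESS_DENY"; rc=1
            fi ;;
    esac
    return "$rc"
}

# Run directly: sh audit.sh WEBROOT DATAROOT
if [ "$#" -eq 2 ]; then audit_dataroot "$1" "$2"; fi
```

`HTACCESS_DENY_PRESENT` only shows that the file contains a deny rule; whether Apache honours it depends on the host allowing .htaccess overrides.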
If I use Met. 2, can I create this file under "/"? I can see a couple of "." files under here, like .spamkey, .lastlogin, but I don't see any folder Apache.
Have a great evening!
p.s. You know, I was looking at my CPanelX main screen and noticed a program... "Password Protect Directories"
After selecting the directory i get a screen, and one of its select boxes says:
"Checkbox" Directory requires a password to access via the web (you must check this to activate password protection).
Do you suppose that if I checked this and then filled in the Username and Password, that this would secure what we're looking for?
> "Password Protect Directories" ... Do you suppose that ... this would secure what we're looking for?
Maybe, but you would be better off implementing one of the methods I described earlier.
I don't know what "Met. 2" is, but I imagine it is either your FTP program or the control panel you use to administer your web site. Probably it is showing you the view of either the "/home/fundaci" folder, or maybe the "/home/fundaci/public_html" folder.
Don't worry if you can't see a folder called "Apache". That is normal. The WEB-folder I talked about earlier is called "public_html" on your server. If you can't see it, then you are probably already in it, and you should use method (2), which I described earlier, to secure your Moodle data folder.
Generally, you should not touch any "." files. They are important server files - in Windows terms they are "system" files. An exception to this "don't touch" rule is the ".htaccess" file that you create in the Moodle data folder.
Is this now safe? I am still getting the notification message as mentioned in the post above so difficult to tell if it's ok!
If it's still not safe, where should the .htaccess file go if not uploaddata folder?
Yes. To reassure yourself, try accessing a file in the data folder directly:
- log in as Moodle admin and upload an html file to the "Files" area on the main site page
- startup your browser and type in the direct URL of the html, e.g.
If you CAN see the contents of the file, then your site is NOT secure yet, so please come back here for more help.
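A scripted variant of the test above, for admins with shell access to the server. This is an added example, not part of the original thread: `probe_dataroot`, `fetch_url` and the result names are hypothetical, and the probe file is written straight into the data folder instead of being uploaded through Moodle. A fresh token is used on every run so that a cached page cannot give a false result.

```shell
#!/bin/sh
# Added example: check whether a file in the Moodle data folder is served over HTTP.
# Usage: probe_dataroot DATAROOT BASEURL
#   DATAROOT  filesystem path of the data folder
#   BASEURL   the URL that would map to DATAROOT if it were web-accessible
# Prints EXPOSED (returns 1) or NOT_SERVED (returns 0); returns 2 on error.

# The only network call: print the response body, fail on HTTP errors (4xx/5xx).
fetch_url() { curl -fsS --max-time 10 "$1"; }

probe_dataroot() {
    # Unique content per run, so an old cached copy can never match.
    token="probe-$$-$(date +%s)"
    name="exposure-probe-$$.txt"

    printf '%s\n' "$token" > "$1/$name" \
        || { echo "ERROR: cannot write to $1"; return 2; }

    body=$(fetch_url "$2/$name" 2>/dev/null) && fetched=0 || fetched=1

    # Always remove the probe file, whatever the outcome.
    rm -f "$1/$name"

    # Only an exact token match counts: an error page or a login page served
    # with status 200 does not mean the file itself was readable.
    if [ "$fetched" -eq 0 ] && [ "$body" = "$token" ]; then
        echo "EXPOSED"; return 1
    fi
    echo "NOT_SERVED"; return 0
}

# Run directly: sh probe.sh DATAROOT BASEURL
if [ "$#" -eq 2 ]; then probe_dataroot "$1" "$2"; fi
```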
Thanks for your notes, however I did put your script but I can still access an uploaded file through the web. Any advice?
- Are you SURE you can access the uploaded file?
For example, if you change the contents of the uploaded file, and refresh the page in your browser, do you see the changed contents?
- Can you view the contents of the ".htaccess" file in your browser?
- Does your hosting service allow you to use ".htaccess"?
- Did you search the support site of your hosting company to find out about ".htaccess"?
Thanks Gordon, however I still have the problem.
If I edit .htaccess under the public folder it denies access to the site. My host is SiteGround and it allows .htaccess; it's very poor in terms of support, maybe new forums. The site doesn't like moving data to another folder; currently my permissions are 750.
Of course, the moodledata folder is not accessible, but the protection isn't recursive for the subfolders that the folder contains, i.e. if you have a course in the folder "1", anybody could access ../moodledata/1 and see and download the files.
And everybody could know what folders are "available" by moving the cursor over the course hyperlink (or the forums hyperlink).
Is there a way to set httpaccess recursively for all folders and subfolders? Otherwise you have to manually put one .httpaccess file in each new folder that the system creates in moodledata (I have hundreds of them).