Securing writable config.php file in Moodle


As per Moodle's security report, config.php should not be writable. The same holds for the whole moodle folder, which should only be used for reading the Moodle code; all writing happens in the database or in the moodledata folder. In this tutorial I will show you how to set permissions in Windows Server to make the config.php file un-writable.

You can access the security report by going to Site administration > Reports > Security overview; it lists the security issues with your Moodle installation.
You will find "Writable config.php" showing a warning. This is normal for a default Moodle installation.


As mentioned above, everything inside the moodle folder should ideally be read-only for the public and ordinary users; only administrators should have the right to add plug-ins and change the code. Most other web scripts and content management systems need to write or upload files inside the public HTML folder, which is why the default settings leave the moodle folder writable. Moodle is different: it does all its writing in the database and uploads files to the moodledata folder, which is of course outside public access.

To secure the config.php file, go into the moodle folder, right-click config.php and choose Properties, then select the Security tab, as shown below at pointer 1.


Now click Edit (pointer 2) and you'll end up on the screen shown below.


From here, select Users (pointer 1) and, in the permissions section, select Deny for the Write permission. You will notice that you cannot change anything in the Allow column. Normally users are given a permission by selecting Allow, but because the permissions here are inherited from IIS's own settings, the only option left is Deny, and Deny takes precedence over Allow.

Click OK and you're good to go. You may encounter a 500 error, but refreshing the page will get rid of it, because the cache is still filled with the previous write permissions for the config.php file.

Just to be sure, you can go back to the security report, where you will find the warning removed and an OK sign shown instead.
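
The same Deny Write entry can be set and checked from PowerShell instead of the Properties dialog. This is an added example, not part of the original post; the install path `C:\inetpub\wwwroot\moodle\config.php` is an assumption to adjust for your server, and the Users group is resolved from its well-known SID (S-1-5-32-545).

```powershell
# Added example: apply and verify the Deny Write entry described above.
# Run from an elevated PowerShell prompt on the web server.
$ConfigPath = 'C:\inetpub\wwwroot\moodle\config.php'   # assumed path

# Resolve the built-in Users group by its well-known SID so the
# script also works on non-English Windows installations.
$sid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$Users = $sid.Translate([System.Security.Principal.NTAccount]).Value
$Write = [System.Security.AccessControl.FileSystemRights]::Write

# True when the file already carries a Deny entry covering Write
# for the given identity.
function Test-DenyWrite {
    param([string]$Path, [string]$Identity)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Deny' -and
            $ace.IdentityReference.Value -eq $Identity -and
            ($ace.FileSystemRights -band $Write) -eq $Write) {
            return $true
        }
    }
    return $false
}

if (-not (Test-Path -LiteralPath $ConfigPath -PathType Leaf)) {
    throw "config.php not found at $ConfigPath"
}

if (Test-DenyWrite -Path $ConfigPath -Identity $Users) {
    Write-Output "Deny Write for $Users is already set."
} else {
    # Explicit Deny entry on the file itself; inherited Allow entries stay.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Users, $Write, 'Deny')
    $acl = Get-Acl -LiteralPath $ConfigPath
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $ConfigPath -AclObject $acl
    Write-Output "Added Deny Write for $Users."
}

# Show the resulting entries; the new one has IsInherited = False.
(Get-Acl -LiteralPath $ConfigPath).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```

The Deny entry applies to every account that is a member of Users, so remove it again (`$acl.RemoveAccessRule($rule)` followed by `Set-Acl`) before editing config.php by hand.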








AcademicTools(Blog): Securing writable config.php file in Moodle
http://blog.academictools.org/2016/08/writable-configphp-file-in-moodle.html