Securing writable config.php file in Moodle

Learn how to manage writable config.php file in Moodle. Follow best practices for securing and configuring your Moodle installation.

A stylized illustration of a person’s hands using a pen tablet to edit a Moodle configuration file on a computer screen. The screen displays an article titled “Securing Writeable config.php file in Moodle” from the website, with text discussing permissions and security measures for the config.php file in the Moodle learning platform. The image suggests a scene of someone working on securing a Moodle configuration file, highlighting the importance of proper security measures in maintaining the integrity of educational websites. This could be relevant for individuals interested in web development, cybersecurity, or e-learning platforms.

As per Moodle's security report, the config.php should be un-writable, and this holds true for moodle
folder, should only be used for reading the moodle code, where writing is done at database or moodledata folder side. In this tutorial I will show you how to set permissions in Windows Server to make config.php file as un-writable.

you can access security reports by going into Site administration > Reports > Security overview and it will list all the security vulnerabilities with your moodle installation.
You will find Writable config.php file showing warning, as this is normal for default moodle installation to show warning regarding config.php file.

As mentioned above, everything inside of moodle folder should ideally be only readable by public or users, only administrators should have right to add plug-ins and make changes in the code, but because in most other web scripts or content management systems, this publicly accessible folders may needs to write or upload files inside of public HTML folder therefore default settings comes with writable moodle folder, but moodle is different for it does all the writing in database and uploading of files in moodledata folder that are of course out of public accessibility.


To make config.php file secure, go into moodle folder, right click config.php file and choose properties, select Security Tab as shown below in pointer 1.

Now click Edit (shown by point 2) and you'll end up in screen shown below

From here, select Users (pointer 1) and in permissions section, select Deny for Write permissions, you will notice here that you will not be able to make any changes in Allow permission, as in usual case users are given permission by selecting Allow, but because the permission to this folder are inherited from IIS's own settings, so only option left is selecting Deny and selecting Deny takes precedence over Allow in permissions. 

Click OK and you're good to go, you may encounter 500 error, but refreshing page will get rid of it for cache are filled up with previous permissions of writing to config.php file.

just for sake of surety, you can go back into security reports and you will find warning removed showing OK sign.



Benefits,1,Course,1,Database,1,Future,1,Gamification,1,Guide,4,Hosting,2,LMS,10,Moodle,18,security,1,Shared Hosting,2,
AcademicTools: Securing writable config.php file in Moodle
Securing writable config.php file in Moodle
Learn how to manage writable config.php file in Moodle. Follow best practices for securing and configuring your Moodle installation.
Loaded All Posts Not found any posts VIEW ALL Readmore Reply Cancel reply Delete By Home PAGES POSTS View All RECOMMENDED FOR YOU LABEL ARCHIVE SEARCH ALL POSTS Not found any post match with your request Back Home Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sun Mon Tue Wed Thu Fri Sat January February March April May June July August September October November December Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec just now 1 minute ago $$1$$ minutes ago 1 hour ago $$1$$ hours ago Yesterday $$1$$ days ago $$1$$ weeks ago more than 5 weeks ago Followers Follow THIS PREMIUM CONTENT IS LOCKED STEP 1: Share to a social network STEP 2: Click the link on your social network Copy All Code Select All Code All codes were copied to your clipboard Can not copy the codes / texts, please press [CTRL]+[C] (or CMD+C with Mac) to copy Table of Content