Learn how to manage a writable config.php file in Moodle. Follow best practices for securing and configuring your Moodle installation.
folder, should only be used for reading the Moodle code, while writing is done on the database or moodledata folder side. In this tutorial I will show you how to set permissions in Windows Server to make the config.php file un-writable.
You can access the security report by going to Site administration > Reports > Security overview; it will list all the security vulnerabilities in your Moodle installation.
You will find the Writable config.php check showing a warning. This is normal: a default Moodle installation shows this warning for the config.php file.
As mentioned above, everything inside the moodle folder should ideally be read-only for the public and for ordinary users; only administrators should have the right to add plug-ins and make changes to the code. Most other web scripts and content management systems need to write or upload files inside the public HTML folder, which is why the default settings leave the moodle folder writable. Moodle is different: it does all its writing in the database and stores uploaded files in the moodledata folder, which is of course outside public access.
To secure the config.php file, go into the moodle folder, right-click config.php and choose Properties, then select the Security tab (shown below as pointer 1).
Now click Edit (shown as pointer 2) and you'll end up in the screen shown below.
From here, select Users (pointer 1) and, in the permissions section, select Deny for the Write permission. You will notice that you cannot change anything in the Allow column. Normally users are given permissions by selecting Allow, but the permissions on this folder are inherited from IIS's own settings, so the only option left is Deny. Deny takes precedence over Allow.
Click OK and you're good to go. You may encounter a 500 error, but refreshing the page will get rid of it, because the cache still holds the previous permissions that allowed writing to config.php.
To be sure, you can go back to the security report, where you will find the warning gone and an OK sign in its place.
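The same Deny entry for Write can be applied from an elevated PowerShell prompt instead of the Properties dialog. This is an added example, not part of the original tutorial; the install path is an assumption, and the Users group is addressed by its well-known SID (S-1-5-32-545) so the script also works on non-English Windows.

```powershell
# Run from an elevated PowerShell prompt.
# Assumed install path (not stated in the tutorial); change it to your site.
$ConfigPath = 'C:\inetpub\wwwroot\moodle\config.php'

# Well-known SID of the built-in Users group, the "Users" entry in the dialog.
$UsersSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')
$Write    = [System.Security.AccessControl.FileSystemRights]::Write

if (-not (Test-Path -LiteralPath $ConfigPath -PathType Leaf)) {
    throw "config.php not found at $ConfigPath"
}

# Returns the explicit (non-inherited) Deny entries for Users that cover Write.
function Get-DenyWriteRule {
    param([string]$Path)
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier])
    $rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference -eq $UsersSid -and
        ($_.FileSystemRights -band $Write) -eq $Write
    }
}

if (Get-DenyWriteRule -Path $ConfigPath) {
    Write-Output 'Deny Write for Users is already present; nothing to change.'
} else {
    # Explicit Deny entry: same effect as ticking Deny next to Write.
    # The inherited Allow entries are left untouched; Deny takes precedence.
    $acl  = Get-Acl -LiteralPath $ConfigPath
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $UsersSid, $Write,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $ConfigPath -AclObject $acl

    # Re-read the ACL from disk rather than trusting the in-memory object.
    if (-not (Get-DenyWriteRule -Path $ConfigPath)) {
        throw 'Deny Write entry was not applied.'
    }
    Write-Output 'Deny Write for Users applied to config.php.'
}
```

Afterwards, re-run the Security overview report to confirm that the Writable config.php check shows OK.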