Moodle: config.php, for debugging and flexible control

December 13, 2013

If you do not hard-code anything that is not necessary, you can avoid having multiple copies of files.

If you have a test copy of moodle in a different folder (ex: mdl-test), add an if statement to handle it.

if (stripos(dirname(__file__), 'mdl-test') )
{$CFG->dbname = 'mdl_backup'; }
{$CFG->dbname = 'mdl_production'; }

I broke wwwroot up into 2 steps:

$wwwroot = 'http://' . $_SERVER['HTTP_HOST'] .
ereg_replace($_SERVER['DOCUMENT_ROOT'], "", dirname(__file__) ) ;
$CFG->wwwroot = $wwwroot ; # OR
#$CFG->wwwroot = str_replace('www.', '', $wwwroot ) ;
(if you want to be sure your site is always accessed without (or with) the www prefix for search engine optimization, SEO)

$CFG->dataroot = dirname(__file__).'/moodledata/';

moodledata belongs inside. Putting moodledata outside your moodle folder is a hassle and adds nothing to security. (the .htaccess file in it takes care of that)
the moodle install page says:
Securing moodledata in a web directory
If you are using a hosted site and you have no option but to place ‘moodledata’ in a web accessible directory. You may be able to secure it by creating an .htaccess file in the ‘moodledata’ directory. This does not work on all systems [it does for almost everyone using Apache] – see your host/administrator. Create a file called .htaccess containing only the following lines:
order deny,allow
deny from all

back on moodle 2.0 they said "If you don’t protect the data directory from direct web access, anybody will be able to impersonate any user of your Moodle site (including the admin user!!!), and all of your course materials will be available to the web at large."
[However, consider the misplaced attention from the config.php file – even more prone to risk!] see

Order Deny,Allow
Deny from All
AllowOverride None

#Note: "AllowOverride None" stops anybody trying to override it in a subdirectory.

At the bottom,
even moodle does not hard code the path to the next program:

require_once(dirname(__FILE__) . '/lib/setup.php');

At the bottom of the report/security/lang/en/report_security.php program
you can add this code to replace moodle’s error message strings:

$string['check_unsecuredataroot_details'] = '';
$string['check_unsecuredataroot_error'] = '';
$string['check_unsecuredataroot_name'] = '';
$string['check_unsecuredataroot_ok'] = '';
$string['check_unsecuredataroot_warning'] = '';

and 2 stings are also in lang/en/admin.php to replace at the bottom:

$string['datarootsecurityerror'] = '';
$string['datarootsecuritywarning'] = '';

Leave a Reply

Your email address will not be published. Required fields are marked *

We try to post all comments within 1 business day