5 votesunder review · 2 comments · Service Improvement » Applications · Flag idea as inappropriate… · Admin →Eddie commented
As per the official document of moodle it is not absolutely necessary to have the datadirectory outside the webroot. Please review official note below
Security warning: For security purposes, it is CRITICAL that this directory is NOT accessible directly via the web. The easiest way to do this is to simply locate it OUTSIDE the web site root directory (it is the folder that the main part of your URL -that is, the part up to the first single / - points to; for example, in http://your.domain.com/moodle/admin/cron.php, it is http://your.domain.com/).
But if you must have it in the web directory (and you are using Apache AND the web server configuration allows .htaccess files to restrict access to directories) then protect it by creating a file in the data directory called .htaccess, containing these lines
deny from all