We have a (very) basic .htaccess security feature that should block direct access to any files within the modules directory. A determined individual could forge requests to these files but it should block any access by trial and error.
Placing files outside the root directory is something we still have in our backlog and we do have some ideas on how to do that, but it’s too soon to announce anything.
OK… thanks … so is this feature active now, because it did not seem to work when I clicked on the equivalent of the link you saw above? Or will you advise me and others presumably, how to do this (actually I think I know but I won’t discuss it here)?
I know of course that, in a sense, nothing is secure on the net but at least you don’t give away the original product without a fight. Moodle does a good job with encryption plus storage outside the root directory. Or should we look at storage on Amazon or??? – it just complicates life too much.
There should be an option in the settings menu to enable this setting. It should also display if the .htaccess files are there. Of course the server configuration also has to allow this to work. If you try to access the files from say an incognito tab in your browser to simulate direct access (e.g. https://host/wp-content/uploads/cluevo/modules/scorm-2004/my-module//index_lms.html) you should receive a 403 forbidden response from the server.
Alternatively, we’ve had clients that implemented checks inside the module itself. On starting the module it basically phoned home to a separate server to check if the access is authorized. I don’t have the technical details on how they implemented that though, I’ve just seen it done in a module.
The thing with Moodle is that it is its own system so they have a lot more flexibility on what they can do, while we have to be able to run on a wide variety of systems inside the WordPress system. Often users don’t even have the kind of permissions or access to do something like storing files outside the web root, so this is kind of a tricky thing for us to do.
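The direct-access test described in the reply above, as an added example that is not part of the original posts and not CLUEVO's own code: it requests a module file with no cookies or login and reports whether the server answers 403. The two local stub servers and the sample file path are constructed for the demonstration (one applies the deny rule, one ignores it, as a server that does not allow .htaccess rules would).

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

PROTECTED_PREFIX = "/wp-content/uploads/cluevo/modules/"  # directory named in the post


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # report a 3xx as-is instead of following it to a login page


def check_direct_access(base_url, paths, timeout=5):
    """Request each path with no cookies or auth; return {path: (status, verdict)}."""
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.ProxyHandler({}))
    results = {}
    for path in paths:
        try:
            with opener.open(base_url + path, timeout=timeout) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code
        # Only an explicit 403 counts as blocked; anything else needs a look.
        results[path] = (status, "blocked" if status == 403 else "REVIEW")
    return results


def start_stub_server(rules_honoured):
    """Constructed stand-in for a site: applies the deny rule only if rules_honoured."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            deny = rules_honoured and self.path.startswith(PROTECTED_PREFIX)
            self.send_response(403 if deny else 200)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):
            pass  # keep the demo output quiet

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    target = [PROTECTED_PREFIX + "scorm-2004/my-module/index_lms.html"]  # constructed
    for honoured in (True, False):
        server, base = start_stub_server(honoured)
        print("rules honoured:", honoured, check_direct_access(base, target))
        server.shutdown()
```

To check a real site, pass its base URL and the module file paths to `check_direct_access` and skip the stub servers.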
Thank you for your response. I found the setting and it did stop unauthorized access (although with the expected limitations).
As for the “phone-in” solution – it becomes too much. And yes I understand about Moodle… thanks for the help.