In the Matomo System Report you may see an error that says “Required Private Directories” and looks like this:

This means the content for these files are accessible by anyone by entering the mentioned URL into the browser. Some of these URLs may include private information such as the credentials (username and password) to your database.

To fix these issues, your web server configuration needs to be adjusted. Please note this has nothing to do with file permission itself. This error needs to be solved either by a system administrator or you may need to contact your hoster.

Apache web server and IIS 7 and above

If you are using Apache or IIS then these directories should be protected automatically. The only reason this might not work is if Matomo does not have write permission for these directories. In this case we recommend you try to execute below command in your Matomo directory using a user that has write permissions (if you can run commands on your webserver).

./console core:create-security-files

Please note that you may need to execute this command every time you update Matomo if Matomo is not allowed to create these files automatically.

Nginx web server

We recommend setting the same configuration as in our Ngnix repository or directly using this repository to configure your Matomo installation.

Other web server

Configure your web server to not allow accessing any files in these directories:

  • /.git/
  • /core/
  • /config/
  • /lang/
  • /tmp/