Drupal set the private folder

How to set the Private file path in Drupal using the following steps:

• Create a private folder in the web root
• Add a .htaccess file to the private folder
• Update the settings.php file

Create a private folder in the web root

Open a terminal window and navigate to the web root directory of your Drupal site. In your web root add your private folder.  In this instance I'll create a folder named 'prvt-media'.  Use the mkdir command to create a new folder named prvt-media

mkdir prvt-media

Once created, check the permissions.  To view the permissions, use

ls -l

Response will be similar to 

drwxr-xr-x 39 www-data psacln    4096 Apr 14  2022 libraries
drwxr-xr-x  4 www-data psacln    4096 Apr 16 11:10 modules
drwxr-xr-x  2 www-data psacln    4096 Aug  7 10:45 prvt-media
-rw-r--r--  1 www-data psacln    1706 Apr 16 11:10 robots.txt
drwxr-xr-x  3 www-data psacln    4096 Apr 16 11:10 sites
drwxr-xr-x  4 www-data psacln    4096 Apr 16 11:10 themes

If the permission isn't correct, you'll need to adjust using chown command, such as

chown -R www-data:psacln prvt-media

Add a .htaccess file to the private folder

Drupal requires a htaccess file is present.  Create a htaccess file, for me I used vim

vim .htaccess

Add the following contents to the file

# Turn off all options we don't need.
Options None
Options +FollowSymLinks

Deny from all

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>

Update the settings.php file

Now the pre-work has been undertaken, we can update the settings.php file.  Edit your settings.php file and scroll or find the private path text

/**
 * Private file path:
 *
 * A local file system path where private files will be stored. This directory
 * must be absolute, outside of the Drupal installation directory and not
 * accessible over the web.
 *
 * Note: Caches need to be cleared when this value is changed to make the
 * private:// stream wrapper available to the system.
 *
 * See https://www.drupal.org/documentation/modules/file for more information
 * about securing private files.
 */
# $settings['file_private_path'] = '';

Uncomment the line and change the value of '' to the path of the private folder you created in step 1. For example, if the path to your private folder is /var/www/html/mysite/private, you would change the line to:

$settings['file_private_path'] = 'prvt-media';

Save the settings.php file.

Clear the Drupal cache

I'll clear the cache using Drush and command line

drush cr

Or using the admin interface

1. Go to the Drupal admin dashboard
2. Click on the Configuration tab
3. Click on the Performance tab
4. Click on the Clear all caches button

Once you have completed these steps, the private file path for your Drupal site will be set.

Here are some additional things to keep in mind:

• The private file path must be an absolute path
• The private file path must be outside of the Drupal installation directory
• The private file path must not be accessible over the web
• If you follow these guidelines, your private files will be securely stored and accessible only to authorized users.