How to set the Private file path in Drupal using the following steps:
- Create a private folder in the web root
- Add a .htaccess file to the private folder
- Update the settings.php file
Create a private folder in the web root
Open a terminal window and navigate to the web root directory of your Drupal site. In your web root add your private folder. In this instance I'll create a folder named 'prvt-media'. Use the mkdir command to create a new folder named prvt-media
mkdir prvt-media
Once created, check the permissions. To view the permissions, use
ls -l
Response will be similar to
drwxr-xr-x 39 www-data psacln 4096 Apr 14 2022 libraries
drwxr-xr-x 4 www-data psacln 4096 Apr 16 11:10 modules
drwxr-xr-x 2 www-data psacln 4096 Aug 7 10:45 prvt-media
-rw-r--r-- 1 www-data psacln 1706 Apr 16 11:10 robots.txt
drwxr-xr-x 3 www-data psacln 4096 Apr 16 11:10 sites
drwxr-xr-x 4 www-data psacln 4096 Apr 16 11:10 themes
If the permission isn't correct, you'll need to adjust using chown command, such as
chown -R www-data:psacln prvt-media
Add a .htaccess file to the private folder
Drupal requires a htaccess file is present. Create a htaccess file, for me I used vim
vim .htaccess
Add the following contents to the file
# Turn off all options we don't need.
Options None
Options +FollowSymLinks
Deny from all
# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
# Override the handler again if we're run later in the evaluation list.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>
# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
php_flag engine off
</IfModule>
Update the settings.php file
Now the pre-work has been undertaken, we can update the settings.php file. Edit your settings.php file and scroll or find the private path text
/**
* Private file path:
*
* A local file system path where private files will be stored. This directory
* must be absolute, outside of the Drupal installation directory and not
* accessible over the web.
*
* Note: Caches need to be cleared when this value is changed to make the
* private:// stream wrapper available to the system.
*
* See https://www.drupal.org/documentation/modules/file for more information
* about securing private files.
*/
# $settings['file_private_path'] = '';
Uncomment the line and change the value of '' to the path of the private folder you created in step 1. For example, if the path to your private folder is /var/www/html/mysite/private, you would change the line to:
$settings['file_private_path'] = 'prvt-media';
Save the settings.php file.
Clear the Drupal cache
I'll clear the cache using Drush and command line
drush cr
Or using the admin interface
- Go to the Drupal admin dashboard
- Click on the Configuration tab
- Click on the Performance tab
- Click on the Clear all caches button
Once you have completed these steps, the private file path for your Drupal site will be set.
Here are some additional things to keep in mind:
- The private file path must be an absolute path
- The private file path must be outside of the Drupal installation directory
- The private file path must not be accessible over the web
- If you follow these guidelines, your private files will be securely stored and accessible only to authorized users.