Creating a Private Filesystem on OIT Web Hosting

Drupal Version

Setting up a private filesystem requires some under-the-hood configuration, so the following is recommended only for someone who already understands filesystems and editing configuration files.

These instructions are tailored for the OIT Web Hosting Plesk servers, but can be adapted to other configurations. Instructions are based on using the Plesk GUI, but you can also accomplish all of the Plesk related steps from an SSH connection if you are more comfortable in a command line environment.


  1. Connect to your hosting account's Plesk console.

  2. Go to the File Manager

  3. Create a new subdirectory for your private files

    1. On the first File Manager screen, select Home Directory to move to your hosting account's home directory.

    2. Select the blue "+" button to the left of the "Copy", "Move", "Archive", etc. buttons, and select Create Directory.

    3. Give your new directory a suitable name (these instructions will call it "files-private").

  4. Edit your site's settings.php file

    1. In File Manager, navigate into httpdocs/sites/default

    2. Find "settings.php" and use the drop-down selection at the right end of the line to Change Permissions.  Give "Owner" the "Write" permission and save.

    3. Use the drop-down on the "settings.php" line to Edit in Code Editor

    4. Search for "Private file path" and read the instructions there.

    5. Uncomment the line of code that sets the "file_private_path" value, and fill in the value like so: /var/www/vhosts/

      • Important: "" should be replaced with your hosting account ID, which is the domain name shown when you first open your Plesk control panel - this may not always be the domain name you normally use to access your site.  Also, "files-private" should be the directory you created in step 3 above.

  5. Save your changes, then open a new browser window, log into your site as an administrator, and clear all of the caches.

  6. Go to the site Status Report (administrative toolbar -> Reports -> Status report and make sure there are no errors.  Also go to Reports -> Recent log messages and look for any error or warning messages there.

If all looks good, then move on to the next section.  Otherwise, troubleshoot any problems first.

Create a Private Attachments Field

  1. While logged into your site as an administrator, go to Structure -> Content types -> Basic page -> Manage fields

  2. Create a new field of type File and call it something like "Secure Attachments" or "Private Attachments" to distinguish it from the existing "Attachments" field.  Specify a subdirectory value like "campusonly" (or perhaps "campusonly/[date:custom:Y]-[date:custom:m]" if you want files organized in further subdirectories based on the month they were uploaded).  Configure the rest of the field as you wish, making sure you set the file size limit and allowed file extensions to meet your needs.

  3. If you are going to apply any kind of access restrictions to some or all of your private filesystem, then you will need to know the system path you want to protect, which is different from the path you put into the settings.php file earilier.

    1. The base system path for the private filesystem in Drupal is "/system/files".  Adding any rules for this base path will restrict all private files in all use cases, which may be more than you need.

    2. When you created your Secure Attachments field, you specified a subdirectory.  To protect just the files connected to that field, add the subdirectory to the base path to get the full system path for that subdirectory (e.g. "/system/files/campusonly")  Adding rules for this path will only protect files in the "/campusonly" subdirectory of the private filesystem while ignoring all other private files.