Warning Required Private Directories

the system check gives me the follwing warnings:

WARNING: ..../plugins/Diagnostics/Diagnostic/RequiredPrivateDirectories.php(138): Warning - trim() expects parameter 1 to be string, array given - Matomo 4.3.1 - Please report this message in the Matomo forums: https://forum.matomo.org (please do a search first as it might have been reported already) (Module: Installation, Action: systemCheckPage, In CLI mode: false)

WARNING: /home/mgdata/domains/mgdata.se/public_html/stats/plugins/Diagnostics/Diagnostic/RequiredPrivateDirectories.php(142): Warning - strpos() expects parameter 1 to be string, array given - Matomo 4.3.1 -

and also the message:
We found that the above URLs are accessible via the browser, but they should NOT be. …
We also found that Matomo’s config directory is publicly accessible. …

The errors did not exist until some time ago.
I’m on a shared host (Litespeed) and have no idea what to do. I also have the impression that visitor tracking collects incorrect values, but that is perhaps another topic


It turns out there is indeed a bug in one part of this check. This should fix it:

You can apply this change to the plugins/Diagnostics/Diagnostic/RequiredPrivateDirectories.php file by replacing the lines in red with the ones in green (so adding ['data'] twice)

diff --git a/plugins/Diagnostics/Diagnostic/RequiredPrivateDirectories.php b/plugins/Diagnostics/Diagnostic/RequiredPrivateDirectories.php
index 74d41756819..40be4ee1e42 100644
--- a/plugins/Diagnostics/Diagnostic/RequiredPrivateDirectories.php
+++ b/plugins/Diagnostics/Diagnostic/RequiredPrivateDirectories.php
@@ -135,11 +135,11 @@ private function isAccessible(DiagnosticResult $result, $testUrl, $publicIfRespo
                     return true;
-                if (trim($response) === $publicIfResponseEquals) {
+                if (trim($response['data']) === $publicIfResponseEquals) {
                     // we assume it is publicly accessible because either the exact expected content is returned or because we don't check for content match
                     $result->addItem(new DiagnosticResultItem(DiagnosticResult::STATUS_ERROR, $testUrl));
                     return true;
-                } elseif (strpos($response, $publicIfResponseContains) !== false) {
+                } elseif (strpos($response['data'], $publicIfResponseContains) !== false) {
                     // we assume it is publicly accessible because a unique content is included in the response or because we don't check for content contains
                     $result->addItem(new DiagnosticResultItem(DiagnosticResult::STATUS_ERROR, $testUrl));
                     return true;
1 Like

Thanks a lot for the fast help!
Solved the problem for me.

1 Like

I’m confused about this post. I just updated to the latest and still seeing the same error.
How exactly do I fix this? I figured the update to 4.4.0 would take care of this without having to edit code?

System Check

  • Required Private Directories

Matomo version: 4.4.0
MySQL version: 10.5.10-MariaDB
PHP version: 7.4.20

# ./console diagnostics:run
Required Private Directories:
        - ERROR https://xxx/config/config.ini.php
        - ERROR https://xxx/tmp/
        - ERROR https://xxx/tmp/empty
        - ERROR https://xxx/tmp/cache/tracker/matomocache_general.php
        - ERROR https://xxx/lang/en.json
1 errors detected


The bug above is just in the exact setup lasse had. (where the pages weren’t public, but there was a redirect instead of an error page).

To remove the warning, make sure that these URLs can’t be accessed by any person on the internet. How to do this totally depends on your webserver setup, but checking if the .htaccess files are generated and support for them is enabled, would be one way for Apache. For other webservers, write access rules that are equivalent (or e.g. use the offical nginx config)

Thanks for your reply. Yes, I’ll check to make sure those aren’t public. I tested using tor and they weren’t which is why I wondered about the warning.

Just wanting to confirm however, is this still a bug or you mentioned it’s something to do with certain setups?


This is not a bug in Matomo. The reason why so many people are reporting it recently is just that the check was added in Matomo 4.3.0.

Matomo simply requests all of these URLs and checks if they return a 404 or 403.