diff --git a/admin/index.php b/admin/index.php index 7529d33..65caab6 100644 --- a/admin/index.php +++ b/admin/index.php @@ -32,6 +32,7 @@ $autopilot = optional_param('autopilot', 0, PARAM_BOOL); $ignoreupgradewarning = optional_param('ignoreupgradewarning', 0, PARAM_BOOL); $confirmplugincheck = optional_param('confirmplugincheck', 0, PARAM_BOOL); + $datarootconfirmsecure = optional_param('datarootconfirmsecure', 0, PARAM_BOOL); /// check upgrade status first if ($ignoreupgradewarning) { @@ -536,6 +537,11 @@ } } +/// Move this check befor the call to admin_get_root(). + if (empty($CFG->datarootconfirmsecure) && !empty($datarootconfirmsecure)) { + set_config('datarootconfirmsecure',true); + } + $adminroot =& admin_get_root(); /// Check if there are any new admin settings which have still yet to be set @@ -564,10 +570,17 @@ print_box(get_string('globalswarning', 'admin'), 'generalbox adminwarning'); } - if (is_dataroot_insecure()) { - print_box(get_string('datarootsecuritywarning', 'admin', $CFG->dataroot), 'generalbox adminwarning'); - } + if (empty($CFG->datarootconfirmsecure) && ($datarooturl = is_dataroot_insecure())) { + print_box_start('generalbox adminwarning'); + print_string('datarootsecuritywarning', 'admin', $datarooturl); + $options = array(); + $options['sesskey'] = $USER->sesskey; + $options['datarootconfirmsecure'] = 1; + print_single_button('index.php', $options, get_string('datarootconfirmsecure', 'admin'), + 'post', '', '', '', '', get_string('confirmverifieddataroot', 'admin')); + print_box_end(); + } if (defined('WARN_DISPLAY_ERRORS_ENABLED')) { print_box(get_string('displayerrorswarning', 'admin'), 'generalbox adminwarning'); } diff --git a/admin/settings/top.php b/admin/settings/top.php index 4651338..ed69b57 100644 --- a/admin/settings/top.php +++ b/admin/settings/top.php 
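Review bot: The `set_config('datarootconfirmsecure',true)` branch added in the hunk at -536 stores a site-wide security acknowledgement on nothing more than a truthy request parameter. No `confirm_sesskey()` call is visible in the hunk, although the button added further down does send `sesskey`. Unless the session key is validated earlier in admin/index.php (outside the lines shown), a forged cross-site request in an administrator's session could silence the dataroot warning. I would gate the write as `if (empty($CFG->datarootconfirmsecure) && !empty($datarootconfirmsecure) && confirm_sesskey()) {`. The added comment also has a typo (`befor`).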
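Review bot: In the hunk at -564 the warning is now skipped whenever `$CFG->datarootconfirmsecure` is set, and that flag is a bare boolean that nothing in this diff ever clears on an installed site. If `$CFG->dataroot` or the web server configuration changes later, the check stays suppressed and the administrator is never asked again. Consider recording what was confirmed, e.g. `set_config('datarootconfirmsecure', $CFG->dataroot)`, and treating the acknowledgement as valid only while it still equals the current `$CFG->dataroot`. At minimum add a comment such as `// acknowledgement is permanent; reset it manually after moving dataroot`.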
@@ -13,7 +13,11 @@ if (get_site()) { $hassiteconfig = true; } -$ADMIN->add('root', new admin_externalpage('adminnotifications', get_string('notifications'), "$CFG->wwwroot/$CFG->admin/index.php")); +$adminnotifications = get_string('notifications'); +if (empty($CFG->datarootconfirmsecure) && is_dataroot_insecure()) { + $adminnotifications .= get_string('securitywarningspending', 'admin'); +} +$ADMIN->add('root', new admin_externalpage('adminnotifications', $adminnotifications, "$CFG->wwwroot/$CFG->admin/index.php")); // hidden upgrade script $ADMIN->add('root', new admin_externalpage('upgradesettings', get_string('upgradesettings', 'admin'), "$CFG->wwwroot/$CFG->admin/upgradesettings.php", 'moodle/site:config', true)); diff --git a/install.php b/install.php index 7f30999..0cd7dae 100644 --- a/install.php +++ b/install.php @@ -249,6 +249,13 @@ if (isset($_GET['download'])) { /// Check the directory settings +if (($nextstage == DIRECTORY)) { + // Each time we are going to visit the directory settings page, clear the + // insecure dataroot confirmation flag (so the user needs to confirm it + // again) just in case. + unset($INSTALL['datarootconfirmsecure']); +} + if ($INSTALL['stage'] == DIRECTORY) { error_reporting(0); @@ -274,6 +281,14 @@ if ($INSTALL['stage'] == DIRECTORY) { if (make_upload_directory('sessions', false) === false) { $errormsg .= get_string('datarooterror', 'install').'
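Review bot: The condition `empty($CFG->datarootconfirmsecure) && is_dataroot_insecure()` in admin/settings/top.php duplicates the one added to admin/index.php, so the menu label and the warning box can drift apart if only one of them is changed later. A small shared helper would keep them in step. Failing that, add a comment here such as `// keep in sync with the dataroot warning in admin/index.php`. The label is also built by appending a translated fragment that carries its own leading space, which is worth noting for translators.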
'; } + $CFG->wwwroot = $INSTALL['wwwroot']; // We need wwwroot inside is_dataroot_insecure. + if (($datarooturl = is_dataroot_insecure()) && (empty($INSTALL['datarootconfirmsecure']))) { + if (empty($errormsg)) { + // We don't touch $errormsg here, as the error message is printed inside the form_table + // function, but we need to make sure we stay in the stage. + $nextstage = DIRECTORY; + } + } if (!empty($errormsg)) { $nextstage = DIRECTORY; @@ -634,7 +649,7 @@ if ($nextstage == SAVE) { //==========================================================================// function form_table($nextstage, $formaction, $databases) { - global $INSTALL, $DB; + global $INSTALL, $DB, $CFG; /// Print the standard form if we aren't in the DOWNLOADLANG page /// because it has its own form. @@ -688,6 +703,15 @@ function form_table($nextstage, $formaction, $databases) { break; case DIRECTORY: /// Directory settings + if (!empty($INSTALL['wwwrootform'])) { + $CFG->wwwroot = $INSTALL['wwwrootform']; + if (($datarooturl = is_dataroot_insecure()) && (empty($INSTALL['datarootconfirmsecure']))) { + $errormsg = get_string('datarootinsecureerror', 'install', $datarooturl); + echo "
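Review bot: The inner `if (empty($errormsg))` added in the install.php hunk at -274 is redundant, because the statement right after the new block already sets `$nextstage = DIRECTORY` when `$errormsg` is non-empty. Both paths therefore stay on the stage, and the body can be just `$nextstage = DIRECTORY;` under the outer condition, with the existing comment kept. Nothing in this diff shows where `$INSTALL['datarootconfirmsecure']` is filled from the submitted checkbox. Presumably a generic copy of form fields exists outside the hunk, but that should be confirmed, since otherwise the installer cannot leave this stage once the check fires.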

$errormsg

\n"; + echo '
'. + get_string('datarootconfirmsecure', 'install').'

'; + } + } ?> diff --git a/install/lang/en_utf8/installer.php b/install/lang/en_utf8/installer.php index 26f74af..f22770a 100644 --- a/install/lang/en_utf8/installer.php +++ b/install/lang/en_utf8/installer.php @@ -166,6 +166,8 @@ $string['databasetype']='Database type :'; $string['databaseuser']='Database user :'; $string['dataroot'] = 'Data Directory'; $string['datarooterror'] = 'The \'Data Directory\' you specified could not be found or created. Either correct the path or create that directory manually.'; +$string['datarootinsecureerror'] = 'SECURITY ALERT!: The \'Data Directory\' you specified could be insecure! Please, click on the following link ($a) and make really sure you get an Access Denied error. Otherwise all of your contents will be available from the web to anyone, and anyone could impersonate any user account in your system (including the admin account!). If you are really sure the \'Data Directory\' you specified is secure, tick the \'Yes, I have verified it.\' checkbox to continue the installation'; +$string['datarootconfirmsecure'] = 'Yes, I have verified it.'; $string['dbconnectionerror'] = 'We could not connect to the database you specified. Please check your database settings.'; $string['dbcreationerror'] = 'Database creation error. Could not create the given database name with the settings provided'; $string['dbhost'] = 'Host Server'; diff --git a/lang/en_utf8/admin.php b/lang/en_utf8/admin.php index 1ad1eea..627538f 100644 --- a/lang/en_utf8/admin.php +++ b/lang/en_utf8/admin.php 
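Review bot: In the DIRECTORY case of form_table(), `$errormsg` is echoed straight into the page and embeds `$datarooturl`, which is_dataroot_insecure() derives from the form-supplied `$INSTALL['wwwrootform']` and the data directory path. The markup around the echo is not fully visible here, but nothing in the hunk escapes that value. Unless the string layer already escapes `$a`, I would pass `htmlspecialchars($datarooturl)` to `get_string()`. Overwriting the global `$CFG->wwwroot` inside a rendering function is a side effect that deserves a comment, for example `// is_dataroot_insecure() reads $CFG->wwwroot, which is not set yet during install`. form_table() starts and ends outside this hunk.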
@@ -248,6 +248,7 @@ $string['configxmlstrictheaders'] = 'Set to on, each page will be generated usin $string['configzip'] = 'Indicate the location of your zip program (Unix only, optional). If specified, this will be used to create zip archives on the server. If you leave this blank, then Moodle will use internal routines.'; $string['confirmation'] = 'Confirmation'; $string['confirminstall'] = 'You are about to install language pack ($a), are you sure?'; +$string['confirmverifieddataroot'] = 'If you have really verified your Data Directory is sure, click OK. Otherwise click Cancel.'; $string['cookiehttponly'] = 'Only http cookies'; $string['cookiesecure'] = 'Secure cookies only'; $string['country'] = 'Default country'; 
@@ -269,7 +270,8 @@ $string['csvdelimiter'] = 'CSV delimiter'; $string['curlrecommended'] = 'Installing the optional cURL library is highly recommended in order to enable Moodle Networking functionality.'; $string['curlrequired'] = 'The cURL PHP extension is now required by Moodle, in order to commnunicate with Moodle repositories.'; $string['customcheck'] = 'Other Checks'; -$string['datarootsecuritywarning'] = 'Your site configuration might not be secure. Please make sure that your dataroot directory ($a) is not directly accessible via web.'; +$string['datarootsecuritywarning'] = 'SECURITY ALERT!: The \'Data Directory\' you are using could be insecure! Please, click on the following link ($a) and make really sure you get an Access Denied error. Otherwise all of your contents will be available from the web to anyone, and anyone could impersonate any user account in your system (including the admin account!). If you are really sure the \'Data Directory\' you are using is secure, click on the \'Yes, I have verified it.\' button to remove this security warning.'; +$string['datarootconfirmsecure'] = 'Yes, I have verified it.'; $string['dbmigrate'] = 'Moodle Database Migration'; $string['dbmigrateconnecerror'] = 'Could not connect to the database specified.'; $string['dbmigrateencodingerror'] = 'The database specified has encoding $a rather than required UNICODE/UTF8.
Please specify another.'; @@ -640,6 +642,7 @@ $string['searchinsettings'] = 'Search in settings'; $string['sectionerror'] = 'Section Error!'; $string['secureforms'] = 'Use additional form security'; $string['security'] = 'Security'; +$string['securitywarningspending'] = ' [Security warnings pending! Click here to see them]'; $string['server'] = 'Server'; $string['serverchecks'] = 'Server Checks'; $string['serverlimit'] = 'Server Limit'; diff --git a/lib/adminlib.php b/lib/adminlib.php index e5b5f49..eb7e45b 100644 --- a/lib/adminlib.php +++ b/lib/adminlib.php @@ -930,7 +930,11 @@ function is_dataroot_insecure() { $dataroot = str_replace('\\', '/', $CFG->dataroot.'/'); if (strpos($dataroot, $siteroot) === 0) { - return true; + $httpdocroot = str_replace('\\', '/', strrev($CFG->dirroot.'/')); + preg_match ('|(https?://[^/]+)|i', $CFG->wwwroot, $matches); + $httpdocroot = $matches[1]; + $datarooturl = $httpdocroot.'/'. substr($dataroot, strlen($siteroot)); + return $datarooturl; } return false; }
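Review bot: In is_dataroot_insecure(), the first assignment to `$httpdocroot` (the `strrev($CFG->dirroot.'/')` line) is dead code, since it is overwritten two lines later. The result of `preg_match()` is also never checked, so a `$CFG->wwwroot` that does not match leaves `$matches[1]` undefined and yields a URL with no host. Drop the dead line and guard the match, e.g. `if (!preg_match('|(https?://[^/]+)|i', $CFG->wwwroot, $matches)) { return $CFG->wwwroot; }`, so the function still returns a truthy value and the warning is kept. The function's doc comment, which lies outside this hunk, should say that it now returns a guessed URL string or `false` rather than a boolean. Any caller comparing the result with `=== true` would need updating.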