';
+ print_simple_box_end();
}
/// If no recently cron run
diff --git a/blocks/admin/block_admin.php b/blocks/admin/block_admin.php
index f481c8b..3824b59 100644
--- a/blocks/admin/block_admin.php
+++ b/blocks/admin/block_admin.php
@@ -31,6 +31,7 @@ class block_admin extends block_list {
function load_content_for_site() {
global $CFG, $USER;
+ require($CFG->libdir.'/adminlib.php');
if (isadmin()) {
$this->content->items[] = ''.get_string('configuration').'';
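Review bot: The new `require($CFG->libdir.'/adminlib.php');` should be `require_once(...)`. This block is rendered on site pages, including admin pages that presumably already load adminlib.php, and a second plain `require` of a file of function definitions aborts with a cannot-redeclare fatal; the only symbol the method needs from it is `is_dataroot_insecure()`, so `require_once` is sufficient. `load_content_for_site()` continues past the end of this hunk.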
@@ -76,8 +77,11 @@ class block_admin extends block_list {
$this->content->items[] = $paymenturl;
$this->content->icons[] = '';
}
-
- $this->content->footer = ''.get_string('admin').'...';
+ $admin = get_string('admin');
+ if (empty($CFG->datarootconfirmsecure) && is_dataroot_insecure()) {
+ $admin .= get_string('securitywarningspending', 'admin');
+ }
+ $this->content->footer = ''.$admin.'...';
}
}
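Review bot: `empty($CFG->datarootconfirmsecure)` treats the confirmation as a permanent boolean, so once an admin clicks "Yes, I have verified it" the warning is suppressed for good even if `$CFG->dataroot` or `$CFG->wwwroot` is later changed to a web-exposed location; install.php in this same commit re-clears its flag whenever the directory page is revisited, but the running site has no equivalent. If the setter (not visible here) stored the confirmed path rather than `1`, the check could be `if ((empty($CFG->datarootconfirmsecure) || $CFG->datarootconfirmsecure !== $CFG->dataroot) && is_dataroot_insecure())`, which re-raises the alert only when the directory actually moves. Note also that `is_dataroot_insecure()` now runs on every render of this block; it is cheap string work, but worth a comment such as `// Re-checked per request so a changed dataroot is caught; the confirm flag only silences the warning.`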
diff --git a/install.php b/install.php
index 33f7b1f..fae887f 100644
--- a/install.php
+++ b/install.php
@@ -212,6 +212,13 @@ if (isset($_GET['download'])) {
/// Check the directory settings
+if (($nextstage == DIRECTORY)) {
+ // Each time we are going to visit the directory settings page, clear the
+ // insecure dataroot confirmation flag (so the user needs to confirm it
+ // again) just in case.
+ unset($INSTALL['datarootconfirmsecure']);
+}
+
if ($INSTALL['stage'] == DIRECTORY) {
error_reporting(0);
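Review bot: Clearing `$INSTALL['datarootconfirmsecure']` only when the directory page is about to be shown does not bind the confirmation to the path it vouches for: the checkbox and the dataroot field travel in the same POST, so a user can tick "I have verified it" while also changing the path, and the flag then covers a directory whose URL was never displayed. If the form values are copied into `$INSTALL` before this point (not visible in the hunk), consider also dropping the flag when the submitted dataroot differs from the one previously shown, e.g. `if ($INSTALL['dataroot'] !== ($INSTALL['confirmeddataroot'] ?? null)) unset($INSTALL['datarootconfirmsecure']);`, recording `confirmeddataroot` wherever the checkbox is accepted. Minor style: the doubled parentheses in `if (($nextstage == DIRECTORY))` can be `if ($nextstage == DIRECTORY)`.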
@@ -237,7 +244,14 @@ if ($INSTALL['stage'] == DIRECTORY) {
if (make_upload_directory('sessions', false) === false ) {
$errormsg .= get_string('datarooterror', 'install').' ';
}
- if ($fh) fclose($fh);
+ $CFG->wwwroot = $INSTALL['wwwroot']; // We need wwwroot inside is_dataroot_insecure.
+ if (($datarooturl = is_dataroot_insecure()) && (empty($INSTALL['datarootconfirmsecure']))) {
+ if (empty($errormsg)) {
+ // We don't touch $errormsg here, as the error message is printed inside the form_table
+ // function, but we need to make sure we stay in the stage.
+ $nextstage = DIRECTORY;
+ }
+ }
if (!empty($errormsg)) $nextstage = DIRECTORY;
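Review bot: The inner `if (empty($errormsg))` guard is redundant: when `$errormsg` is non-empty the following `if (!empty($errormsg)) $nextstage = DIRECTORY;` sets the same stage anyway, and `$datarooturl` is assigned but never read here, so the whole addition reduces to `if (is_dataroot_insecure() && empty($INSTALL['datarootconfirmsecure'])) { $nextstage = DIRECTORY; // stay on the page until the admin confirms }`. The removed `if ($fh) fclose($fh);` has no matching removal of an `fopen` in this hunk; if `$fh` is still opened above, that handle now stays open for the rest of the script (silently, given `error_reporting(0)`). Also, `$CFG->wwwroot` is seeded from `$INSTALL['wwwroot']` here but from `$INSTALL['wwwrootform']` in `form_table()` later in this commit; if those keys can hold different values, the URL that is checked and the URL shown to the user may not be the same.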
@@ -656,7 +670,7 @@ function print_object($object) {
//==========================================================================//
function form_table($nextstage = WELCOME, $formaction = "install.php") {
- global $INSTALL, $db;
+ global $INSTALL, $db, $CFG;
/// Print the standard form if we aren't in the DOWNLOADLANG page
/// because it has its own form.
@@ -710,6 +724,15 @@ function form_table($nextstage = WELCOME, $formaction = "install.php") {
break;
case DIRECTORY: /// Directory settings
+ if (!empty($INSTALL['wwwrootform'])) {
+ $CFG->wwwroot = $INSTALL['wwwrootform'];
+ if (($datarooturl = is_dataroot_insecure()) && (empty($INSTALL['datarootconfirmsecure']))) {
+ $errormsg = get_string('datarootinsecureerror', 'install', $datarooturl);
+ echo "
diff --git a/install/lang/en_utf8/installer.php b/install/lang/en_utf8/installer.php
index 0f7e936..f441740 100644
--- a/install/lang/en_utf8/installer.php
+++ b/install/lang/en_utf8/installer.php
@@ -61,6 +61,8 @@ $string['databasesettingssub'] = 'Type: mysql or postgres7 Tables Prefix: optional prefix to use for all table names';
$string['dataroot'] = 'Data Directory';
$string['datarooterror'] = 'The \'Data Directory\' you specified could not be found or created. Either correct the path or create that directory manually.';
+$string['datarootinsecureerror'] = 'SECURITY ALERT!: The \'Data Directory\' you specified could be insecure! Please, click on the following link ($a) and make really sure you get an Access Denied error. Otherwise all of your contents will be available from the web to anyone, and anyone could impersonate any user account in your system (including the admin account!). If you are really sure the \'Data Directory\' you specified is secure, tick the \'Yes, I have verified it.\' checkbox to continue the installation';
+$string['datarootconfirmsecure'] = 'Yes, I have verified it.';
$string['dbconnectionerror'] = 'We could not connect to the database you specified. Please check your database settings.';
$string['dbcreationerror'] = 'Database creation error. Could not create the given database name with the settings provided';
$string['dbhost'] = 'Host Server';
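Review bot: The `datarootinsecureerror` text asks the admin to open the data directory URL and "make really sure you get an Access Denied error", but a 403 on the directory itself usually only means directory listing is disabled — individual files underneath (for example the `sessions/` files this same message says allow impersonation) can still be fetched by exact URL, so the test as worded gives false reassurance. Suggest wording along the lines of: `... open the following link ($a) and also try a file inside it (e.g. $a/sessions/): every request must return an error such as 403 Forbidden or 404 Not Found. If any file is downloadable, ...`. Also `SECURITY ALERT!:` reads better as `SECURITY ALERT:`.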
diff --git a/lang/en_utf8/admin.php b/lang/en_utf8/admin.php
index 1d9d2d7..03497f1 100644
--- a/lang/en_utf8/admin.php
+++ b/lang/en_utf8/admin.php
@@ -132,7 +132,8 @@ $string['confirmation'] = 'Confirmation';
$string['confirminstall'] = 'You are about to install language pack ($a), are you sure?';
$string['cronwarning'] = 'The cron.php maintenance script has not been run for at least 24 hours.';
$string['customcheck'] = 'Other Checks';
-$string['datarootsecuritywarning'] = 'Your site configuration might not be secure. Please make sure that your dataroot directory ($a) is not directly accessible via web.';
+$string['datarootsecuritywarning'] = 'SECURITY ALERT!: The \'Data Directory\' you are using could be insecure! Please, click on the following link ($a) and make really sure you get an Access Denied error. Otherwise all of your contents will be available from the web to anyone, and anyone could impersonate any user account in your system (including the admin account!). If you are really sure the \'Data Directory\' you are using is secure, click on the \'Yes, I have verified it.\' button to remove this security warning.';
+$string['datarootconfirmsecure'] = 'Yes, I have verified it.';
$string['dbmigrate'] = 'Moodle Database Migration';
$string['dbmigrationdeprecateddb'] = 'This database is migrated to a new UTF8 database and deprecated. Please edit your config.php and use the new database for this moodle.';
$string['dbmigrationdupfailed'] = 'Database duplication failed with possible error:
$a
';
@@ -222,6 +223,7 @@ $string['pgcluster'] = 'PostgreSQL Cluster';
$string['pgclusterdescription'] = 'PostgreSQL version/cluster parameter for command line operations. If you only have one postgresql on your system or you are not sure what this is, leave this blank.';
$string['php50restricted'] = 'PHP 5.0.x has a number of known problems, please upgrade to 5.1.x or downgrade to 4.3.x or 4.4.x';
$string['remotelangnotavailable'] = 'Because Moodle can not connect to download.moodle.org, we are unable to do language pack installation automatically. Please download the appropriate zip file(s) from the list below, copy them to your $a directory and unzip them manually.';
+$string['securitywarningspending'] = ' [Security warnings pending! Click here to see them]';
$string['serverchecks'] = 'Server Checks';
$string['sitelangchanged'] = 'Site language setting changed successfully';
$string['sitemaintenance'] = 'The site is undergoing maintenance and is currently not available';
diff --git a/lib/adminlib.php b/lib/adminlib.php
index 56511b5..6b65850 100644
--- a/lib/adminlib.php
+++ b/lib/adminlib.php
@@ -376,7 +376,11 @@ function is_dataroot_insecure() {
$dataroot = str_replace('\\', '/', $CFG->dataroot.'/');
if (strpos($dataroot, $siteroot) === 0) {
- return true;
+ $httpdocroot = str_replace('\\', '/', strrev($CFG->dirroot.'/'));
+ preg_match ('|(https?://[^/]+)|i', $CFG->wwwroot, $matches);
+ $httpdocroot = $matches[1];
+ $datarooturl = $httpdocroot.'/'. substr($dataroot, strlen($siteroot));
+ return $datarooturl;
}
return false;
}
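Review bot: `$httpdocroot = str_replace('\\', '/', strrev($CFG->dirroot.'/'));` is dead — it is overwritten two lines later by `$matches[1]` — and that read is unguarded: if `$CFG->wwwroot` has no `https?://host` prefix (empty or malformed during install), `$matches[1]` is undefined, emitting a notice and producing a URL that starts with `/`. Drop the dead line, anchor the pattern and check the result: `if (!preg_match('|^(https?://[^/]+)|i', $CFG->wwwroot, $matches)) { return true; } // under the web root, but no host to build a link from` followed by `return $matches[1].'/'.substr($dataroot, strlen($siteroot));`. Since the function now returns a URL string or `false` instead of a boolean, its docblock (above this hunk) should say so, and any caller comparing with `=== true` would break — the two call sites added in this commit use truthiness, which is fine. `$siteroot` is computed above the hunk, so I am assuming it is the web document root, not `$CFG->dirroot`.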