Moodle Security Tips for Beginners

Security of a Moodle site is an incredibly important issue for all Moodle site administrators. In educational sector, data security is an incredibly important concern and it makes the job of a Moodle administrator more responsible.

As more and more sensitive data is stored on your Moodle server, you need to be competent enough to handle all such disasters. As the old proverb says ”Prevention is better than cure.” It makes complete sense to close all the security holes and be ready for any disaster.

With every new version release Moodle is upgraded to make Moodle more safe and secure. By default, Moodle core provides a security checks report where you can see the current status of security on your Moodle site. It is available for site administrators under Site administration > Reports > Security checks.

The report provides the recommendations from over two decades of Moodle usage by community. However there may be some security issues, so here are some recommendation to keep you Moodle site secure and safe.

• Keep your Moodle up to date – Moodle releases minor point releases after every two months from the first major version release which includes a lot of bugs and security issues fixed. As per the recent stats, many websites are still using Moodle 3.5 version.
• Keep all plugins and themes update – Just as you update Moodle core, Moodle plugins needs to be updates along with the themes. Unless properly secured, Moodle plugins can also be backdoor entry to your Moodle site.
• Remove unnecessary plugins – Why to keep all plugins which you are not at all using, you should uninstall them asap. Moodle has a useful information to show you the list of courses where any particular activity plugin is used. You can check out the same through Site Administrator > Plugins > Activities > Manage Activities (Blocks) etc. If you are not using a plugin installed on your Moodle site, it’s a better to uninstall it.
• Implement a password policy and change your passwords often – Moodle offers to set a password policy for all users on your Moodle site. By enforcing a password policy, you can force users to use stronger passwords that are less susceptible to being cracked by an intruder. It is generally a good practice to change your passwords often to make sure safety.
• Don’t use admin as your username – Most site administrators keep the administrator username as simple as admin which results in easy pickings for the hackers. Make sure to keep a username with strong character combinations.
• Limit login attempts – Under Site policies > Account lockout, you can set up the threshold limit of incorrect login attempts to prevent DDoS attacks.
• Set Backups – Regular backups are necessary to prevent any disruption due to any hardware issue or any security failure. As a Moodle administrator, you must make sure that a robust backup process is in place.
• Use HTTPS for login – HTTPS encrypts the user’s login data, so it’s difficult to sniff out a user’s username and password on the network. In Moodle, HTTPS logins can be enabled by an administrator in Settings > Site administration > Security > HTTP security.
• Change file permissions – File and folder permissions are set of rules that “specify who and what can read, write, modify and access them” in your Moodle website. Avoid configuring Moodle directories and sub directories with 777 permissions. You should opt for 755 or 750 instead.
• Set Cron execution via command line only – Running the cron from a web browser can expose privileged information to anonymous users.  Under site policies, you can run the cron from the command line or set a cron password for remote access.

What are the other security tips you would like to share with Moodle community to keep Moodle safe? Pl share with us in the comments below.