Security of a Moodle site is an incredibly important issue for all Moodle site administrators. Following the much publicized ransomware “Wannacry” and “Petya”, it is much more stringent task for all Moodle site administrators to keep their Moodle sites secured. In educational sector, data security is an incredibly important concern and it makes the job of a Moodle administrator more responsible.
As more and more sensitive data is stored on your Moodle server, you need to be competent enough to handle all such disasters. As the old proverb says” Prevention is better than cure.” It makes complete sense to be close all the security holes and be ready for any disaster.
Moodle also provides a security overview report where you can see the current status of security on your Moodle site. It is available for site administrators in Administration > Site administration > Reports > Security overview.
In this article, I am going to list down the top 10 security tips which will help all new Moodle site administrators to protect their websites from all vulnerabilities. However, this is not an exhaustive list, and the security of your Moodle site depends upon the environment, configuration, software’s etc.
Top 10 security tips for Moodle site:
Here are the top 10 security tips to improve the security of your Moodle site:
- Keep your Moodle up to date – Moodle releases minor point releases after every two months from the first major version release which includes a lot of bugs and security issues fixed. As per the recent Moodle stats still a lot of Moodle site admins are using Moodle 1.9 version which is not supported since long back.
- Keep all plugins and themes update – Just as you update Moodle core, Moodle plugins needs to be updates along with the themes. Unless properly secured, Moodle plugins can also be backdoor entry to your Moodle site.
- Remove unnecessary plugins – Why to keep all plugins which you are not at all using, you should uninstall them asap. Moodle has a useful information to show you the list of courses where any particular activity plugin is used. You can check out the same through Site Administrator > Plugins > Activities > Manage Activities (Blocks) etc. If you are not using any more plugin installed on your Moodle site, it’s a better to uninstall it.
- Implement a password policy and change your passwords often – Moodle offers to set a password policy for all users on your Moodle site. By enforcing a password policy, you can force users to use stronger passwords that are less susceptible to being cracked by an intruder. It is generally a good practice to change your passwords often to make sure safety.
- Don’t use admin as your username – Most site administrators keep the administrator username as simple as admin which results in easy pickings for the hackers. Make sure to keep a username with strong character combinations.
- Limit login attempts – Under Site policies > Account lockout, you can set up the threshold limit of incorrect login attempts to prevent DDoS attacks.
- Set Backups – Regular backups are necessary to prevent any disruption due to any hardware issue or any security failure. As a Moodle administrator, you must make sure that a robust backup process is in place.
- Use HTTPS for login – HTTPS encrypts the user’s login data, so it’s difficult to sniff out a user’s username and password on the network. In Moodle, HTTPS logins can be enabled by an administrator in Settings > Site administration > Security > HTTP security.
- Change file permissions – File and folder permissions are set of rules that “specify who and what can read, write, modify and access them” in your Moodle website. Avoid configuring Moodle directories and sub directories with 777 permissions. You should opt for 755 or 750 instead.
- Set Cron execution via command line only – Running the cron from a web browser can expose privileged information to anonymous users. Under site policies, you can run the cron from the command line or set a cron password for remote access.