Moodle, like any other web application, has the potential to be misused. Moodle has dedicated an entire section to security settings that administrators can use to fine-tune its safety. After an overview of Moodle’s security, you will learn about the following topics:
Before we cover the four aforementioned topics, let’s provide an overview of Moodle security, touching upon all layers of the technology stack.
Moodle takes security extremely seriously, and any potential issues are given the highest priority. Fixed vulnerabilities of serious issues usually trigger the release of minor versions, emphasizing the subject’s importance.
The following diagram illustrates the layers of a typical Moodle setup where the security of each component has to be ensured:
Figure 13.1 – Moodle security
The security of a system is as good as its weakest link. Since Moodle relies on underlying software, hardware, and network infrastructure, security can potentially be compromised in several areas. As this book focuses on Moodle administration, we only cover the security elements of Moodle per se. The following areas are not dealt with, and it is necessary to consult the respective documentation and experts on security issues:
A number of these topics are covered at docs.moodle.org/en/Security.
Important note
One rule that applies to all elements is that the latest software updates should be installed regularly.
With the increasing complexity and growing popularity of Moodle, it is imperative that you ensure that all possible measures are taken to prevent any security issues. Let’s get started with security notifications.
Moodle has set up a dedicated site at moodle.org/security that deals with security issues. If you register your Moodle instance, which is highly recommended, your email address will automatically be added to the security alerts mailing list, which gives you advanced notice of vulnerabilities and updates a couple of days prior to public release. To set this up, go to Site administration | General | Registration, fill in the required information, and click on the Register your site button.
Alternatively, follow the @moodlesecurity Twitter handle to be notified of any Moodle security announcements.
Once you are up to date with general security issues, it is time to focus on being aware of any potential issues on your Moodle system. In the remainder of this section, we will deal with setting up Moodle notifications and inspecting the built-in system report.
When you navigate to Site administration | General | Notifications, Moodle will display any potential issues with your site. This link also initiates the installed Moodle updates and plugins (refer to Chapter 8, Understanding Moodle Plugins).
Four messages are displayed in the following screenshot; the second and third issues would clearly fall into the security category:
Figure 13.2 – Moodle notifications
Moodle monitors failed login attempts in its log file, as described in Chapter 12, Gaining Insights through Moodle Reporting and Analytics. Repeated login failures can indicate that unauthorized users are trying to access your system. In addition to checking your log files regularly, you should consider monitoring these activities by configuring the settings when you navigate to Site administration | General | Security | Notifications:
Figure 13.3 – Security notifications
You can specify whether users will see messages displayed on their screens about previously failed logins and who will be emailed about login failures. You can further set the number of failed logins from the same IP address that will trigger these notifications.
While this is not a foolproof threat alert, it can potentially highlight some problems within your system, and it is therefore recommended that you activate it. Another benefit of receiving these notifications by email is the customer care aspect of getting back to legitimate users who have felt frustrated when trying to access your site.
Another mechanism that we already mentioned in Chapter 12, Gaining Insights through Moodle Reporting and Analytics, is the security report you find at Site administration | Reports | Security checks:
Figure 13.4 – Security checks
The report shows several potential key security issues, their status (OK, Info, Warning, Critical, or Error), and a summary. When you click on an issue name, you will be redirected to a page that provides more information about the problem and, if available, a further Action link to the settings page where you can rectify the situation.
The Security checks page is a good starting point to identify some potential issues. However, it does not replace a full security audit, penetration test, or health check offered by some Moodle Partners.
Awareness of what is going on in your Moodle system is as critical as ensuring the security of critical components. Let’s start with the weakest link in any IT setup – users.
A critical security aspect lies in ensuring that only privileged users can access your system and, once they are authenticated, they only have access to their privileged areas in Moodle.
Here is a quick recap of the key elements concerning security in the magic Moodle triangle – users, courses, and roles:
In this section, we will focus on three topics impacting users’ security:
Let’s start with Moodle passwords, a topic impacting all Moodle users.
Moodle offers a password policy feature that applies to manual accounts, which can be configured by going to Site administration | General | Security | Site security policies, as shown in the following screenshots:
Figure 13.5 – Password policy
Moodle’s password policy supports the following configuration option types:
Bear in mind that the password policy only applies to manual accounts. If you use a different authentication method, the lockout thresholds will be defined elsewhere – for instance, within the Lightweight directory access protocol (LDAP) instance.
Important note
It is highly recommended that you use a strong password (long, complex, and random) for the Moodle administrator account(s), even if the password policy has been deactivated.
Moodle stores passwords in a cryptographic hash using bcrypt (Blowfish). To further improve password security, Moodle supports password salting, which adds a separate random string to the hash of each user’s password. The password stored in the Moodle database has the following format:
$<hash_id>$<cost>$<secure salt><hash>
<hash_id> is the ID of the hashing algorithm used (2y for bcrypt), and <cost> is the cost of using that algorithm (two digits). <secure salt> is a randomly generated 22-character salt; you can find more details on salting at docs.moodle.org/en/Password_salting. <hash> is a 31-character hash of the actual password.
If you ever lose your admin password and have no means of recovering it, you have two options:
UPDATE mdl_user
SET password = MD5('newpassword')
WHERE username = 'admin';
If your database does not support the MD5 function, you must set the password to the actual MD5 hash tag. For example, this would be 5e9d11a14ad1c8dd77e98ef9b53fd1ba for 'newpassword'. Use one of the many available online generators to find out the tag.
sudo -u www-data /usr/bin/php admin/cli/reset_password.php --username=admin --password=newpassword --ignore-password-policy
The passwords prevent users from unauthorized access to Moodle. Once users have identified themselves, the next step is to protect their user details, which is the topic of the following subsection.
Identity theft is a common problem on the internet, and Moodle is no exception. To avoid the possibility of fraudsters gathering details about authenticated users, a number of settings can be seen by navigating to Site administration | General | Security | Site security policies:
There are two more related parameters further down in the Site security settings screen. You can activate Email change confirmation. If set to Yes, users will be sent an email to confirm that their change of email address in their profile is genuine. Moodle offers a means to remember usernames via cookies, which will be entered in the login form when opened. While this is convenient for the end user, it poses a potential security risk. To prevent this feature from being supported, configure the Remember username parameter by going to Site administration | General | Security | Site security policies. Since usernames are stored in a permanent cookie, this potentially infringes user privacy (see Chapter 14, Complying with Data Protection Regulations).
By default, Moodle triggers a notification when a login has taken place by a user from a new device. To avoid users deactivating this security measure, you might want to change the New Login notifications status to Locked in Site administration | General | Messaging | Notification settings.
Related to the protection of user details is the prevention of profile spam, which we will cover in the last topic of the user security section.
If Moodle is not configured correctly, it allows spammers to insert content into user profiles of accounts created via self-registration.
Important note
Only use email-based self-registration if it is indispensable.
If you must use self-registration, ensure to undertake the following measures:
To prevent profile spam, also make sure that the following settings in General | Security | Site security policies are set correctly (which they are, by default):
Also, be aware that legit users can be the cause of spam. Ensure that no user has any unnecessary capabilities in their roles that allow for this (refer to spam risk in Chapter 6, Managing Permissions, Roles, and Capabilities).
If your site has been victim to spam, go to Site administration | Reports | Spam cleaner. You can either let Moodle autodetect common spam patterns (the list makes for some interesting reading!) or search for your own keywords:
Figure 13.6 – Spam cleaner
Any user profiles where the Description field contains any of the listed keywords are shown. You then have the option to delete the user account(s). For more information on spam prevention in Moodle, check out docs.moodle.org/en/Reducing_spam_in_Moodle.
This concludes the section on user security, where we have covered the configuration of Moodle passwords, protection of user details, and spam prevention. Next up is content security.
Content by learners and teachers can potentially contain malicious code, and once created, it needs to be protected from unauthorized access. This section will ensure content security (namely, content created within Moodle), content visibility, and antivirus scanners.
Users can create Moodle content by using the Atto editor or uploading files. Two settings are available in Site administration | General | Security | Site security policies to partly prevent the misuse of these:
Figure 13.7 – Content security settings
The two parameters are as follows:
If you wish to censor obscene or other unwanted words entered by learners in activities such as forums, Moodle has developed a Word censorship filter and made it available as a plugin (moodle.org/plugins/filter_censor). Once installed and enabled, you can enter a list of censored words and phrases to be blacked out in Site administration | Plugins | Filters | Word censorship. Alternatively, you can edit the badwords language string in filter_censor.php (be careful, as this list is far from G-rated). Also, bear in mind that the filter picks up words within words and marks valid terms, such as cocktail, sextant, sparse, and altitude.
Okay, before your imagination runs completely wild, let’s set up content visibility next.
Blogging, tagging, and commenting are Moodle social networking activities. Blog entries, tags, and comments are harnessed for searching, sharing, and performing other collaborative activities to match interests. The potential issue is that the content is visible to users who should not be able to share or view entries. Moodle has catered for this by providing several settings, which we have already dealt with in the Configuring collaboration tools section in Chapter 9, Configuring Educational Features. Here is a list of areas where the respective functionalities need to be turned on and off:
If you deactivate any mechanisms, tags, comments, and blog entries that are already on the system or kept hidden, they will reappear when the functionality is turned on again. In other words, there is no risk of data loss when turning the functionality off and back on.
You might also consider creating a dedicated role on your system – for example, a Blogger role utilizing the moodle/blog:create capability. This will limit blogging to specific users only – those who have been assigned the new role. You can find more details on the Blogger role in the Moodle Docs at docs.moodle.org/en/Blogger_role.
The last component of content security is the configuration of virus scanners, which is dealt with in the following subsection.
Moodle supports the scanning of uploaded files for viruses, which can be configured at Site administration | Plugins | Antivirus plugins | Manage antivirus plugins:
Figure 13.8 – Managing antivirus plugins
There are some common antivirus settings applicable to all antivirus plugins. The three-step process behind Moodle’s (and most other) antivirus scanning mechanism is as follows:
ClamAV is available as a standard scanner; more antivirus plugins are available from the Moodle plugins directory at moodle.org/plugins/?q=type:antivirus. ClamAV is an open-source antivirus engine. Refer to www.clamav.net for more details, downloads for different operating systems, and how to keep the virus definition database up to date. You must install ClamAV on your system before the scanner can be configured via the Settings link.
There are two running methods for ClamAV:
ClamAV has two limitations. First, ClamAV does not exist for Windows servers, and you will need to install a Windows-based virus scanner to provide this functionality and monitor any quarantined files separately. Second, ClamAV will impact your system’s performance, which becomes an issue if the file upload facility is plentifully used. If this is the case, you might have to allocate 10–20% more RAM to your server(s).
This concludes the section on content security, where we covered content created within Moodle, content visibility, and antivirus scanners. The last section deals with ensuring system security.
In the last section of this Moodle security chapter, we deal with configuration settings impacting system security, covering access to dataroot, cron execution, secure HTTP, and the IP blocker.
In the Notifications screenshot earlier in the chapter, you probably spotted the warning that the dataroot directory is directly accessible via the internet. Moodle requires additional space on a server to store uploaded files, such as course documents and user pictures. The directory is called dataroot and must not be accessible via the web. If this directory is accessible directly, unauthorized users can get access to content.
Important note
$CFG->dataroot must not be accessible via the web!
To prevent dataroot from being accessible, move the directory outside the web directory (ensure not to mangle permissions) and modify config.php accordingly by changing the $CFG->dataroot entry.
In externally hosted environments, it is often not possible to locate the directory outside the web directory. If this is the case, create a file called .htaccess in the data directory and add a line containing denyfromall.
The second system security measure is the protection of the execution of the cron process, which is covered next.
We have already described the cron process in Chapter 1, Installing Moodle, and will go into more detail about this in Chapter 15, Optimizing Moodle Performance. cron is a script that regularly runs to perform certain operations, such as sending notifications, processing statistics, and cleaning up temporary files. Scripts that run at the operating system level can potentially contain malicious code.
It is possible to run a script via a web browser by simply typing in the following URL: <yourMoodlesite>/admin/cron.php. Two mutually exclusive settings can be set in Site administration | General | Security | Site policies to prevent this:
Figure 13.9 – Configuring cron execution
If you only allow the cron process to be executed from the command line, running the script via a web browser will be disabled, and a message will be displayed, saying Sorry, internet access to this page has been disabled by the administrator. The cron process can still be executed automatically if it’s set up correctly.
If the Cron password for remote access parameter is set, Moodle requires that executing the cron script via a web browser requires the provision of a password in the form of a parameter, such as <yourMoodlesite>/admin/cron.php?password=yourpassword. If the password is not provided or is incorrect, an error message, which is the same as the one we saw earlier, is displayed.
Next up is the configuration of HTTP security.
Moodle offers full HTTPS support, which runs HTTP requests over SSL (a more secure but slightly slower socket layer). Given the rapid advance in hacking technology and the negligible cost of SSL certificates, every public-facing web page containing user data should run over HTTPS.
Important note
Repeat after me: every public-facing Moodle site should run over HTTPS, with no exception.
To ensure that all data transferred from a user’s browser to the server that hosts Moodle is encrypted, HTTPS must be enabled on your web server. You will also have to purchase or generate an SSL certificate. Every web server has a different method to enable HTTPS, so you should consult your server’s documentation. A good starting point for setting up SSL/TSL for Apache can be found at httpd.apache.org/docs/current/ssl/ssl_howto.html.
Once the web server has been configured to work with HTTPS, the Moodle installation script will work with those details (see Chapter 1, Installing Moodle). If you need to transition from HTTP to HTTPS, we recommend that you follow the instructions on Moodle Docs (docs.moodle.org/en/Transitioning_to_HTTPS) and make use of the HTTPS conversion tool provided by Moodle at the bottom of Site administration | General | Security | HTTP security:
Figure 13.10 – HTTPS conversion tool
The tool performs two tasks. First, it scans any course content and notifies you if there are any potential issues or conflicts. Second, once you have ticked the confirmation box, an irreversible conversion is performed; all HTTP links are changed to HTTPS.
The tool can also be executed in CLI mode using the following syntax:
sudo -u www-data /usr/bin/php admin/tool/httpsreplace/cli/url_replace.php --replace --confirm
For more details on the tool, consult docs.moodle.org/en/HTTPS_conversion_tool.
Important note
If you turn on HTTPS without the relevant system components installed – that is, the PHP extension added along with the correct web server configuration – you will lock yourself out of your system!
There are a number of related settings in Site administration | General | Security | HTTP security that you should double-check:
HTTP security defines over what protocol your Moodle instance is accessed and the related settings. The last system security topic deals with allowing and blocking IP addresses accessing your site.
Users will access your system from stationary and mobile devices. What they all have in common is that they will access your site via an IP address. You can limit this access by specifying an allowlist and a denylist at Site administration | General | Security | IP blocker:
Figure 13.11 – IP blocker
The allowlist (Allowed IP list) can contain IP addresses in several formats (the full IP address, partial address, ranges of IPs, and the CDIR notation). The same applies to the denylist (Blocked IP list). By default, the denylist has priority over the allowlist. If you wish to reverse this, select Allowed list will be processed first.
Important note
Be aware that with any entries in the allowlist, the effect is to allow ONLY those IP addresses and block all others. Exercise care with this setting, as it is possible to lock yourself out of Moodle.
For example, you might want to add 192.168.*.* to your allowlist, and denylist a particular IP – say, 192.168.123.45 – that was trying to guess your admin password multiple times.
This concludes the section on system security, in which we dealt with access to dataroot, cron execution, HTTPS, and IP blockers.
This chapter taught you how to protect your Moodle system from potential misuse and to keep a regular check on its security. To summarize, here is a short list of best practices in the following checklist. While this list is by no means complete, it gives an indication of the elements you are responsible for as a Moodle administrator:
Figure 13.12 – Moodle security best practices
It is important to stress that Moodle’s security is only a single variable in the overall equation. Ensure that all other underlying software, infrastructure, and hardware components are set up correctly as well.
It is also important to stress the importance of an emergency plan if a security threat arises. This includes a strategy for identifying the problem, measures to resolve the situation, and a list of users to notify, among others.
Most Moodle systems run on the LAMP platform, which has proven to be very secure if configured correctly. Moodle’s developers are very conscious that security is vital when dealing with personal user data, such as grades, assignments, and competencies. Hence, the topic has been given the highest priority. However, there is no guarantee that your system is 100% protected against misuse. New hacking techniques will emerge in today’s world of cyber threats, and users will continue to be careless with their credentials (you have all seen the Post-it notes under the keyboard). So, ensure security patches and updates on your entire system, not just Moodle, are always up to date, and keep educating your users about the dangers. Also, consider undergoing a regular security audit or health check, which some Moodle Partners offer.
Now that your system is secure, let’s ensure that its privacy setup complies with data protection regulations.
3.145.172.146