Chapter 11. Moodle Security and Privacy

Moodle, like any other web application, has the potential to be misused. Moodle has dedicated an entire section to security settings which administrators can use to fine-tune its safety. After an overview of Moodle's security, you will learn about the following topics:

  • Security notifications: You will learn how to set up a number of notification mechanisms that warn you about potential security issues and look at the built-in security report.
  • User security: We will look at access to Moodle (self-registration, guest access, protection of user details, and course contacts), Moodle passwords, security in roles, and spam prevention.
  • Data and content security: We will deal with potential issues in content created within Moodle and the visibility of this content. You will learn how to set up a site policy and configure the antivirus scanner.
  • System security: We will discuss configuration settings (location of the data root directory and the cron process), HTTPS, and the IP blocker.

We'll conclude the chapter with information on privacy and data protection concerns.

Packt Publishing has a dedicated title on Moodle Security in its portfolio at https://www.packtpub.com/hardware-and-creative/moodle-security. While it covers Moodle 1.9, the majority of the topics are relevant to Moodle 3.x, too.

Security – an overview

Moodle takes security extremely seriously, and any potential issues are given the highest priority. Fixes for serious vulnerabilities usually trigger the release of a minor version, which emphasizes the importance of the subject.

The security of a system is only as good as its weakest link. Moodle relies on underlying software, hardware, and network infrastructure, so security can potentially be compromised in a number of areas. As the focus of this book is on Moodle and its administration, we only cover the security elements of Moodle per se. The following areas are not dealt with, and it is necessary to consult the respective documentation on security issues:

  • Software: As described in Chapter 2, The Moodle System, Moodle's key components comprise a web server (usually Apache or Microsoft IIS), a database server (MySQL, MS SQL Server, PostgreSQL, MariaDB, or Oracle), and a programming language (PHP). Additional PHP and operating system extensions are required, for instance, to support the aforementioned database systems. We will only touch on some Moodle-specific PHP and Apache settings.
  • Hardware: Moodle runs on (physical or virtual) servers that have to be physically hosted. There is ongoing debate about the safety and security of such systems, which is reflected by ever-extending precautions by data centers.
  • Network: Any system that is part of a network is potentially vulnerable. Configuration of firewalls, proxy servers, and routers as well as general network security are key aspects in protecting your system from any attacks.

A number of these topics are covered at https://docs.moodle.org/en/Security.

One rule that applies to all elements is that the latest software updates should be installed regularly. Updating Moodle was covered in Chapter 1, Moodle Installation.

With the increasing complexity and growing popularity of Moodle, it is imperative that you make sure that all possible measures are taken to prevent any security issues. Let's get started.
