Moodle offers a quick way of detecting major security issues within your platform setup and that is the security overview report. Go to the Reports | Security overview page. A well configured Moodle should display the following screenshot. In case there are discrepancies, then review the explication near each issue that displays a warning and take the appropriate actions.
Right now, we will give you a simple what to do list in order to pass the security check report without going into too much details. Throughout this book, we will explain in more detail each item on this report list.
The security overview report is available starting from Moodle 1.8.9 and 1.9.4. If you have an older version we strongly recommend you perform an upgrade to a more recent one. Meanwhile, follow the instructions and configure your LMS as suggested.
The checklist in security overview report consists of items that compare current configuration of your system with the recommended one and report the status. Some of the items in the checklist apply to the PHP configuration and others apply to the Moodle configuration.
PHP is configured through a special file called php.ini
. The location of this file may vary depending on your OS and type of installation. On Linux it may be usually found at /etc/php.ini
. To modify this file you can use any text editor available (vi, nano, notepad, etc.).
After every modification of php.ini
you must restart your web server so that the changes may be applied to the system.
Moodle can be configured by using the configuration pages in the administrative part of the platform or by modification of a special configuration file called config.php
. Some configuration options are exclusive to the config.php
file while others are exclusive to administration interface.
We will now go through every option in the security overview report and explain briefly what it means together with the actual steps you need to perform in order to remedy potential security flaw.
register_globals = Off
moodledata
folder is placed in a location accessible from the Web without any protection. The solution to this is either to move this folder to some other location or prevent public access with the appropriate web server configuration. For example, if your Moodle is located in /var/www/html/moodle
and your moodledata
is located in /var/www/html/moodledata
the report will show this as an error. To fix this you need to change the location of moodledata to some other directory, for example to /var/www/moodledata
. display_errors
directive determines whether error messages generated by PHP code should be sent to the browser. These messages frequently contain sensitive information about your web application environment, and should never be presented to mistrusted sources. Make sure it is configured like this in your php.ini:
display_errors = Off
EMBED
and OBJECT:
A Moodle configuration option. Go to Administration | Security | Site policies in your Moodle and make sure that the option Allow EMBED and OBJECT tags is not checked. EMBED
and OBJECT
tags are used for inserting third-party web browser plug ins for reproducing multimedia content (Adobe Flash, Apple QuickTime, etc.) or for running special embedded applications like java-applets. Some of these plug ins have well-known security issues and therefore are not recommended for general public usage. By disabling this option we are preventing users to add these elements to their pages or other generated content or responses. .swf
media filter: Moodle configuration option. This should be disabled on production websites. Visit Administration | Modules | Filters | Multimedia Plugins and make sure it is disabled. This filter transforms any link to the Adobe Flash file to playable content by using integrated flash player. Since Flash has security issues this option is best left disabled. config.php
file. Place something like this in your Moodle config.php:
$CFG->passwordsaltmain = '<randomly generated string>';
Be aware that enabling password salt is only possible by editing config.php
. You can generate good password salt by going to the special page designed for that purpose—http://dev.moodle.org/gensalt.php.
config.php:
Make config.php
read-only. For example, on Linux you would do something like this:chmod ug=r,o= <Moodle path>/config.php
18.188.85.135