Moodle announcements

Prevent profile spam on your Moodle site

Martin Dougiamas
One of the most common security issues that we see in Moodle sites is profile spam.

Profile spam is primarily a problem on sites with the combination of these two settings:
  1. email authentication is enabled, allowing people to self-create an account on the site
  2. the admin setting forceloginforprofiles is disabled, allowing anyone to see and link to user profiles
Some older versions of Moodle had these as default.

The problem with these settings is that spammers can create a page on the Moodle site which they can fill with links and pictures of porn and other nasty stuff. This in turn comes up in Google searches for those things, and is used to boost ratings to porn sites or hacking sites designed to take over your personal computer. Note that this content is designed for people using search engines, and is usually not available from within the Moodle site itself (since spammers don't join any courses), so users and admins are usually not even aware their site is having this problem.

Please pass the word to all Moodle admins that you know to check these Moodle site settings and make sure their sites are not vulnerable to profile spam. Email authentication should be disabled if not needed, and if it can't then forceloginforprofiles should definitely be enabled.

Please also use our spam-cleaning tool to scan your site to find affected profiles and delete them. This page in the docs has more details: Reducing_spam_in_Moodle, and you can also get help in the Security and Privacy forum.
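
The two traits described above (self-registered accounts that never join a course, with profiles full of outbound links) can be used to shortlist profiles for manual review. The following is an added example, not part of the original announcement and not Moodle's spam-cleaning tool; the record fields (`auth`, `enrolments`, `description`), the host name and the sample rows are constructed assumptions standing in for an export of your own user data.

```python
import re
from urllib.parse import urlparse

# Constructed sample rows; field names are assumptions modelled on a user export.
SITE_HOST = "moodle.example.edu"  # hypothetical host of your own site
USERS = [
    {"id": 101, "auth": "email", "enrolments": 0,
     "description": '<p>Best deals <a href="http://pills.example.net/buy">here</a> '
                    'and <a href="http://casino.example.org">here</a></p>'},
    {"id": 102, "auth": "email", "enrolments": 3,
     "description": '<p>My blog: <a href="https://blog.example.com">link</a></p>'},
    {"id": 103, "auth": "ldap", "enrolments": 0, "description": ""},
    {"id": 104, "auth": "email", "enrolments": 0,
     "description": '<p>See <a href="https://moodle.example.edu/course/">courses</a></p>'},
]

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

def external_hosts(description, site_host=SITE_HOST):
    """Return the set of hosts linked from a profile description,
    ignoring links that point back to the site itself."""
    hosts = set()
    for url in URL_RE.findall(description or ""):
        host = (urlparse(url).hostname or "").lower()
        if host and host != site_host:
            hosts.add(host)
    return hosts

def suspect_profiles(users, site_host=SITE_HOST):
    """Shortlist self-registered accounts with no course enrolments
    whose profile links to external hosts."""
    suspects = []
    for u in users:
        # Enrolled users and non-self-registered accounts are out of scope here.
        if u["auth"] != "email" or u["enrolments"] > 0:
            continue
        hosts = external_hosts(u["description"], site_host)
        if hosts:
            suspects.append((u["id"], sorted(hosts)))
    return suspects

if __name__ == "__main__":
    for uid, hosts in suspect_profiles(USERS):
        print(f"review user {uid}: links to {', '.join(hosts)}")
```

The output is a review list, not a deletion list: a legitimate new user who has not yet enrolled can also link to a personal site.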