Security and privacy

What software does your University recommend, both for a VLE and in general?

Jesse, I appreciate your issue.  I am not an expert on this but I will give you some of my ideas.

First, your University might have a point about security.  One thing you might want to do is install an SSL certificate.  Also, you should make sure to always install Moodle security updates.  If you have your own server, you should also install the server security updates.  Make sure to use adequate moodle password policies.  Doing these things, you would probably be able to claim that your moodle is equal, or more secure than most of the University systems.

Second, my guess is that your university is afraid of Moodle.  It is probably better than what they are using, your student comments about moodle are very positive, and better than what the school is using, and your school doesn't like being embarrassed by a faculty providing a higher quality learning environment than what you IT department can provide.  So they may be trying to make up some excuses as to why you cannot run Moodle.

Moodle is used by many schools throughout the world.  If moodle were not secure, very few major universities would be using it.  Right?

We read about computer software and systems being "hacked" every day.  The only way to keep computer systems, and information, secure is to not put information on any computer system.

Well, maybe my comments will stimulate some useful discussion for you.  Again, I am not an expert on this topic but any day could be in your same situation.

Jesse,

Like you said wordpress sites were hacked, YES, but then there are reasons, just like you'll find more viruses and malwares for Windows platform than Linux or MAC, the main reason behind it is the market share, so if someone is developing the virus or trying finding security loopholes for something first thing coming into their mind is the market share, and wordpress does have a huge market share on blogging market, so you can expect hackers to continuously trying finding the security loopholes in wordpress code.

Now talking about Moodle, this is work of thousand of developers over a decade's work continuously improving over security, stability and functionality of Moodle. Where Moodle is out for more time than Wordpress (as you mentioned Wordpress), never in my years of experience in Moodle I have heard Moodle being hacked.

Though Moodle have documentation of restoring the site in case of attack, but then it is as well expected that the users have their own security parameters in place. 

Just in case (though very very unlikely) God forbids, that your Moodle gets hacked, then it's not Moodle's vulnerability, but your web and database servers and these things are out of scope of Moodle as a learning management system.

If you are too worried, get a Juniper SSG firewall on your server. 

The more popular any software gets, the more hackers will try to compromise it--hence the constant attacks against WordPress. Securing Moodle is the same as securing any other web application:

1. Make sure your environment is up-to-date. Developers are constantly finding security bugs in Windows, Linux, PHP, and other components that web applications depend on. If you don't apply ALL the security patches, then you're just asking to be hacked. If you're using shared hosting or someone else's server, the best you can do is ask them to keep it up-to-date. I recently had to change webhosts for Moodle because they simply wouldn't do this.
   
2. Make sure your Moodle is up-to-date. As with the environment, not applying security patches or not staying on a supported version of Moodle is asking to be hacked.
3. Secure the transmission. Get an SSL certificate (really cheap at ssls.com) and make your site https. Use www.ssllabs.com/ssltest/ to make sure the web server implements secure ciphers and protocols. Similar comments to #1--you may not be able to use secure ciphers and protocols if you don't control the environment or if you're using Windows.
   
4. Make sure you have reasonable session timeouts and password rules. All the security in the world is useless if your teachers or students use "password" as their password.
   

Am I right in presuming that your Moodle installation is not "approved" by your University? What we sometimes call an "under the desk" installation. 

IT departments spend a lot of time worrying about security whereas people running services "off the map" may not be so keen on that boring stuff. 

Perhaps this is what they are worried about rather than Moodle itself? Just a thought...