Additional security measures for Moodle

by John Rambo -
Number of replies: 8

Hi there


I am new to Moodle and have managed to set up a site that will be used for online courses, but beginning quite small. It is hosted on a shared server. For diverse reasons, VPS is not possible at this time.

I recently updated to the current newest version and all is up-to-date.

With the content management systems I am more conversant with, like Drupal & WordPress, especially if you have public registration, it is mostly important to add some modules in areas like security, like Captcha, firewalls, etc., to help prevent spam registrations and posts and limit the chances of code injection.

What additional measures to a basic Moodle installation do the experienced folks here recommend in this area?

Thank you in advance

In reply to John Rambo

Re: Additional security measures for Moodle

by Mary Cooch -
Hello. The documentation has some Security recommendations if that helps.
In reply to Mary Cooch

Re: Additional security measures for Moodle

by John Rambo -

Hi there


Thank you for the very fast response :)

It will definitely help, as a preliminary look at the recommendations shows. We have implemented most of them, but we will do more.

A question specifically about plugins, though: are there any that can be recommended to improve the security of a basic Moodle set-up, especially on shared hosting, or does one not need any?

Thank you & kind regards

In reply to Mary Cooch

Re: Additional security measures for Moodle

by Richard Oelmann -
Links from the page that Mary gave you will take you to https://docs.moodle.org/30/en/Reducing_spam_in_Moodle#Allowing_self-registration on the 'Reducing Spam' page (via the Security FAQ link at the bottom of Mary's link), which may answer some of your questions.

In most cases additional modules are not needed in Moodle, as the security options within core Moodle are fairly good. For example, guests cannot post to forums etc. by default anyway. Most users (unless given teacher/admin capabilities) would not be able to post script in any of the editor locations (such as forum posts), as this is stripped out as untrusted content unless that user's role has specifically been given trusted status. Even when logged in, users are given the Authenticated User role site-wide, and roles such as student or teacher are generally only given within specific courses, so you can further control what a user can do outside their enrolled courses by adjusting the Authenticated User capabilities if required.

Also, if you don't add an open forum on your front page, the only forums the user would be able to reach to add content of any kind would be on any courses they enrol on. You can further control that by not allowing guest access to those courses and forcing a password for any self-registration options; that then becomes a balance for your site between how open you need your content to be and how secure. You can make it more secure by not allowing self-registration or self-enrolment at all, but that is likely to increase your admin time.

All of that is using core Moodle, without any additional plugins (although you do need an account with reCAPTCHA to use that). With the course enrolments there is one additional plugin in the plugins database that may be useful, which requires an approval step in any self-enrolment process.

Of course, none of that touches on the security of your server itself, which may be more problematic on shared hosting, but that would also be common across all self-hosted solutions and would be down to working with your server host and not Moodle specific.

Richard


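
The core settings and role capabilities Richard describes can be checked directly against the Moodle database. The following is an added example, not Moodle code and not from this thread: it builds an in-memory SQLite copy of three real Moodle tables (mdl_config with name/value, mdl_role with id/shortname, mdl_role_capabilities with contextid/roleid/capability/permission) from constructed rows and runs the checks over them. The sample values (self-registration on without reCAPTCHA keys, guest login button shown, the Authenticated user role allowed to start forum discussions site-wide) are made up to exercise the audit, and the baseline in EXPECTED and CONTENT_CAPS is this editor's choice, not a Moodle-published standard.

```python
"""Audit a few core Moodle hardening settings and site-wide role capabilities.

Added example with constructed data. Table and column names are Moodle's real ones;
the row values are made up. Point audit() at a real connection to use it for real.
"""
import sqlite3

# Moodle permission constants (lib/accesslib.php): CAP_ALLOW = 1, CAP_PREVENT = -1.
CAP_ALLOW, CAP_PREVENT = 1, -1
SYSTEM_CONTEXT_ID = 1  # id of the system context in a stock install

# Settings Richard's post touches on, with the value we want to see (editor's baseline).
EXPECTED = {
    "guestloginbutton": "0",   # hide the "Log in as a guest" button
    "forcelogin": "1",         # site content only visible when logged in
    "protectusernames": "1",   # don't confirm whether a username/email exists
}

# Capabilities that let a user put content in front of others. They belong in course
# roles, not in the site-wide 'user' (Authenticated user) or 'guest' roles.
CONTENT_CAPS = {
    "mod/forum:startdiscussion",
    "mod/forum:replypost",
    "moodle/site:trustcontent",   # lets the role's HTML bypass the content cleaner
}


def build_sample_db():
    """Constructed sample database: one deliberately mis-set site."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE mdl_config (id INTEGER PRIMARY KEY, name TEXT, value TEXT);
        CREATE TABLE mdl_role (id INTEGER PRIMARY KEY, shortname TEXT);
        CREATE TABLE mdl_role_capabilities (
            id INTEGER PRIMARY KEY, contextid INTEGER, roleid INTEGER,
            capability TEXT, permission INTEGER);
    """)
    db.executemany("INSERT INTO mdl_config(name, value) VALUES (?, ?)", [
        ("registerauth", "email"),        # email-based self-registration enabled
        ("recaptchapublickey", ""),       # ...but no reCAPTCHA keys configured
        ("recaptchaprivatekey", ""),
        ("guestloginbutton", "1"),
        ("forcelogin", "0"),
        ("protectusernames", "1"),
    ])
    db.executemany("INSERT INTO mdl_role(id, shortname) VALUES (?, ?)",
                   [(1, "manager"), (5, "student"), (6, "guest"), (7, "user")])
    db.executemany(
        "INSERT INTO mdl_role_capabilities(contextid, roleid, capability, permission) "
        "VALUES (?, ?, ?, ?)", [
            (SYSTEM_CONTEXT_ID, 7, "mod/forum:startdiscussion", CAP_ALLOW),  # the mistake
            (SYSTEM_CONTEXT_ID, 6, "mod/forum:replypost", CAP_PREVENT),
            (SYSTEM_CONTEXT_ID, 7, "moodle/site:trustcontent", CAP_PREVENT),
        ])
    return db


def audit(db):
    """Return a list of human-readable findings; an empty list means every check passed."""
    cfg = dict(db.execute("SELECT name, value FROM mdl_config"))
    findings = []
    for name, want in EXPECTED.items():
        if cfg.get(name) != want:
            findings.append(f"config {name}={cfg.get(name)!r}, expected {want!r}")
    # registerauth is '' when self-registration is disabled; any plugin name enables it.
    if cfg.get("registerauth", ""):
        for key in ("recaptchapublickey", "recaptchaprivatekey"):
            if not cfg.get(key):
                findings.append(f"self-registration ({cfg['registerauth']}) on but {key} empty")
    rows = db.execute("""
        SELECT r.shortname, c.capability
          FROM mdl_role_capabilities c JOIN mdl_role r ON r.id = c.roleid
         WHERE c.contextid = ? AND c.permission = ? AND r.shortname IN ('user', 'guest')
    """, (SYSTEM_CONTEXT_ID, CAP_ALLOW))
    for shortname, capability in rows:
        if capability in CONTENT_CAPS:
            findings.append(f"role {shortname!r} allows {capability} site-wide")
    return findings


if __name__ == "__main__":
    for line in audit(build_sample_db()):
        print("FINDING:", line)
```

Against a real site, replace build_sample_db() with a connection to the Moodle database (the system context id is 1 on a stock install) and run audit(). Findings are things to change under Site administration; as Richard notes, none of this says anything about the security of the server itself.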
In reply to Richard Oelmann

Re: Additional security measures for Moodle

by Matt Bury -

Great advice as usual from Mary and Richard :)

Shared hosting brings with it a particular set of problems when running any web app, not just Moodle, that has to handle large numbers of user accounts. I've found that I need to "beef up" server specs and increase script time limits and memory limits quite substantially with sites that have more than 10,000 registered users, even if those accounts are dormant. These kinds of settings are often set on the shared server and cannot be changed for individual shared hosting accounts. If you ask for them to be increased, they'll usually try to "upsell" you to a VPS or dedicated server account. Either way, if your Moodle database gets jammed up and unresponsive with spam posts in the forums and/or overwhelmed with bot-accounts, there isn't much you can do to rescue it unless you have sysAdmin type access to the server, which doesn't come with shared hosting accounts as far as I know.

If you absolutely have no other option than shared hosting, then keep regular backups of everything and run them manually in Moodle with maintenance mode on (to avoid disclosing sensitive server info) and error reporting on to make sure that the backups complete successfully; without error messaging on they can fail silently and you'd have no idea until you tried to restore the backed-up package.

Also, in my experience, even quite highly rated managed hosting services aren't very helpful or knowledgeable when your site has security issues. In my opinion, it's better to have a self-managed server and to get someone who knows what they're doing to help you out when you need it, e.g. hire a reputable sysAdmin, but then I'm happy to do much of the day-to-day server maintenance myself, e.g. installing updates, checking logs, and using 3rd party web services to check for malware, links to phishing sites, and unusual activity.

BTW, VPS/cloud hosting services are getting better and easier to manage month by month. It's worth looking around from time to time to see how much things have improved and whether it's become a viable option for you yet.
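
Matt's point that a backup can fail silently deserves a mechanical check rather than trust. The following is an added example (not Moodle code and not from this thread) that writes a sha256 manifest next to a tar.gz backup and later verifies the archive end to end: the whole gzip stream is readable, the required members are present, and every file's digest matches the manifest. The archive layout (moodle/ code, db/moodle.sql dump, moodledata/ tree) and the file contents are constructed assumptions; demo() builds that tree in a temporary directory, verifies a good archive, then truncates it the way an interrupted backup would and shows the check catching it.

```python
"""Verify a Moodle backup archive so that a truncated or incomplete backup is noticed.

Added example with a constructed sample tree; layout and file names are assumptions.
"""
import gzip
import hashlib
import os
import tarfile
import tempfile

# Members every complete backup must contain (assumed layout: code, DB dump, moodledata).
REQUIRED = ("moodle/config.php", "db/moodle.sql", "moodledata/filedir")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src_root, archive_path):
    """Tar+gzip every top-level entry of src_root and write a sha256 manifest beside it."""
    with tarfile.open(archive_path, "w:gz") as tar:
        for name in sorted(os.listdir(src_root)):
            tar.add(os.path.join(src_root, name), arcname=name)
    manifest = {}
    for dirpath, _, files in os.walk(src_root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            manifest[os.path.relpath(full, src_root)] = sha256_file(full)
    with open(archive_path + ".sha256", "w") as f:
        for rel, digest in sorted(manifest.items()):
            f.write(f"{digest}  {rel}\n")
    return manifest

def verify_backup(archive_path):
    """Return a list of findings; an empty list means the archive is complete and intact."""
    # 1. Read the whole gzip stream. A backup killed by a script time limit, or a
    #    transfer cut short, has no end-of-stream trailer and fails right here.
    try:
        with gzip.open(archive_path, "rb") as gz:
            while gz.read(1 << 20):
                pass
    except (OSError, EOFError) as exc:
        return [f"gzip stream unreadable: {exc}"]
    # 2. Load the manifest written at backup time.
    findings, expected = [], {}
    try:
        with open(archive_path + ".sha256") as f:
            for line in f:
                digest, rel = line.rstrip("\n").split("  ", 1)
                expected[rel] = digest
    except FileNotFoundError:
        findings.append("manifest missing")
    # 3. Required members present, and every file's digest matches the manifest.
    with tarfile.open(archive_path, "r:gz") as tar:
        members = {m.name: m for m in tar.getmembers()}
        for req in REQUIRED:
            if req not in members:
                findings.append(f"required member missing: {req}")
        seen = set()
        for name, m in members.items():
            if not m.isfile():
                continue
            seen.add(name)
            digest = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
            if name not in expected:
                findings.append(f"file not in manifest: {name}")
            elif expected[name] != digest:
                findings.append(f"digest mismatch: {name}")
        for rel in sorted(expected.keys() - seen):
            findings.append(f"in manifest but not in archive: {rel}")
    return findings

def build_sample_tree(root):
    """Constructed stand-in for a Moodle install; contents are placeholders, not real files."""
    files = {
        "moodle/config.php": "<?php\n$CFG->dbtype = 'mysqli';\n",
        "moodle/version.php": "<?php\n$version = 0;\n",
        "db/moodle.sql": "-- constructed dump\nCREATE TABLE mdl_config (id INT);\n",
        "moodledata/filedir/ab/abcdef0123": "constructed file blob\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(content)

def demo():
    """Back up the constructed tree and verify it; then truncate the archive and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "site")
        build_sample_tree(src)
        archive = os.path.join(tmp, "site-backup.tar.gz")
        make_backup(src, archive)
        good = verify_backup(archive)
        with open(archive, "rb") as f:        # simulate a backup cut off part-way
            data = f.read()
        with open(archive, "wb") as f:
            f.write(data[: len(data) // 2])
        bad = verify_backup(archive)
        return good, bad

if __name__ == "__main__":
    good, bad = demo()
    print("intact archive:", good or "OK")
    print("truncated archive:", bad)
```

Run verify_backup() on the archive produced after maintenance mode is switched on and the database dump and moodledata copy have finished. Anything other than an empty list means the backup is not restorable and the job has to be re-run, which is far cheaper to learn now than during a restore.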

In reply to John Rambo

Re: Additional security measures for Moodle

by John Rambo -

Hello all,

I am very grateful for all your suggestions and recommendations and have already implemented what we could.

I recognize the best hosting option is on VPS, and depending on how things go, it will come in some day.

Some Germany-based host told me they offer hosting for Moodle on shared hosting & have so far had no problems, also with regard to the type of database used (Antelope), as opposed to what Moodle suggests (Barracuda?).

Maybe, although this is a separate issue, someone knows whether, if it comes to a shift to VPS with the option of Barracuda (?), conversion of the DB to that is doable, or whether one has to install Moodle with it right from the beginning?

Once again, many thanks & kind regards


In reply to John Rambo

Re: Additional security measures for Moodle

by Emma Richardson -

It really depends on the host. I have heard of some that will not give you access to the code with shared hosting, especially if they use a certain installer package. Even on shared hosting, most of us recommend manually installing Moodle.

In reply to Emma Richardson

Re: Additional security measures for Moodle

by John Rambo -

Hi there

If with "Even on shared hosting, most of us recommend manually installing Moodle." you do NOT mean doing that specifically on VPS, then I guess that's what I did. I downloaded Moodle from this site, uploaded it to the shared server & installed it myself. I never use the scripts provided in some cPanel set-ups for automatically installing Moodle & other CMSs with just a few clicks.

The client is otherwise satisfied with the installation as it seems to do all she needs, at least for now.

Very grateful for all info/tips provided by the community.

Kind regards

In reply to John Rambo

Re: Additional security measures for Moodle

by Matt Bury -

Hi John,

Re: databases, converting between Barracuda and Antelope is done with MySQL. This guy gives a quick run-down of how it works: https://ttcshelbyville.wordpress.com/2015/04/19/mysql-antelope-and-barracuda-moodle/

I'm currently using a cloud/VPS service based in Germany that I'm very pleased with. I also have clients that are using the service. So far, everyone seems to be happy with it.

I hope this helps! :)