Plugins security and privacy


by Thomas Barna -
Number of replies: 2

Hi,
So from the Downloads page we can install a number of plugins to Moodle. I have a couple of questions on that.

1. Is there any verification done as to the code of these plugins and subsequent updates? What are the risks that someone posts a plugin/update containing malicious code?

2. Are there any checks done on these plugins to verify that the author does not include code/spyware that silently sends user data or system information to some third party on the internet?

Thanks,

Thomas

In reply to Thomas Barna

Re: Plugins security and privacy

by Jon Bolton -

Plugins go through the validation and approval process before they are visible on the plugins database. Regardless of how you install a plugin though - whether that’s through the Moodle interface, FTP upload, or Git - you should always heed the considerations for production sites.

When you install a plugin via the Moodle interface, you will see a validation checklist.

If it’s a potential problem for you though, you can disable the installation and upgrade of plugins via the Moodle interface by adding this to your config.php file:

$CFG->disableupdateautodeploy = true;