Security and privacy

There are books/blogs etc. that discuss the topic ... much depends upon hosting, how hosted, what OS, etc. etc.   If one were to do a little research on data breaches one will probably see of the top 2 reasons, failure to fix or patch a major contributor.

What version of Moodle are you running?   Use at least a LTS version that is still getting security updates.   Keep Moodle up-to-date with point releases then - easy to do using Git installed moodle code.  Since Moodle is a bunch of PHP scripts, keep your PHP up to date.

When it comes to Moodle plugins, keep them up-to-date.

So keep your server OS fixed/patched #1.   Case in point, current concern all over the globe for Log4j vulnerability ... does your server currently use it?

By 'data' am assuming DB server and DB's contained therein.

Reduce 'attack surface' ... examples:

If running DB server on same host as moodle code, restrict the DB server to talk to localhost only.   IF running a dedicated server, consider using PHPMyAdmin only when needed ... otherwise, don't leave it available.

Don't run an FTP server.   There are other ways to transfer files.   Don't run a full blown mail server on same server as moodle ... example: Postfix on Linux configured for localhost only can send but won't receive mail.

Using ssh to server?   Use an un-assigned high port - not default 22.  Also consider restricting sshd to a specific IP address or IP range (your IP's when you access server).  Same thing for open sourced panels ... like Webmin.

Linux distro's usually have an announcements list related to security and updates to systems.   Sign up for which ever is yours.

Above are some things off top of my feeble brain!

'SoS', Ken

In addition to the great info Ken has provided above, you can also find some more details in an article I put together last year on top security tips for Moodle administrators, which covers some other related areas and has links to the key documentation to help you configure your Moodle instance securely.