This is a very commonplace issue but obviously it generates a lot of pain. It is also a frequent topic (twice weekly?). The references given (eg to http://docs.moodle.org/en/Security) are not that reassuring or helpful to novice users (everyday folk who want to use the web to deliver learning rather than folk with a deeper interest in IT than merely the everyday "driving" of it).
I am concerned (who isn't?!) about my site being hacked, but I find it very hard to interpret/implement the guidance given here. For instance, in the documentation a seemingly simple recommendation (one of the few) is:
- Disable register globals
- This will help prevent against possible XSS problems in third-party scripts.
I feel most non-tekkies would prefer a zero risk installation configuration if that were possible. If altering such a configuration setting such that there would then be a risk I think they would like advice regarding the trade-off being made between function and the probability/severity of the risk. Some sort of risk-register (that word again!) would be great.
Following a post today here I've simply stopped uploads being performed! For me this is not an important element at present. For those out there for whom it is, it would appear that anyone (who can register) can simply upload files that can rip your system apart; see: http://moodle.org/mod/forum/discuss.php?d=63122&parent=284759
But surely I don't need to disable guest access too (a recommendation(?)) in Security? I want a one click access ability to demo the site to potential users. (Not being in a school environment where users can be "obliged" to use the web interface, I am faced with the massive reluctance of people generally to use web services. Requiring the slightest effort of them loses most people. I am working with a software-as-service web company and even they don't engage with web delivered services unless spoon-fed.)
The advice in the documentation here seems to veer between the "obvious" (update your installation, don't install questionable third-party apps etc) to the opaque and/or technical (see above or "Set the mysql root user password" etc).
So, in brief, I find the info provided here both worrying (hacking of Moodle sites is commonplace) and unclear (advice given in documentation is elementary or opaque).
I realise this whole enormous enterprise is sustained/created (?) by volunteers, but wouldn't it be possible to develop the Security page here so that the key advice can be presented in a hierarchy of risk that can be drilled into for precise instructions? It would save a lot of worry and heartache . . . (and maybe even defeat the magaturks!)
p.s. Wouldn't it be possible to incorporate one of those "read this" or "complete the equation" etc. devices to stop automated registrations?