Howard Miller

I'm not wanting to put words into your mouth, but "it hasn't happened so it never will" isn't great security policy.

An obvious one - go and delete the <?php line from your config.php file.

I don't want to be "that guy" but I know next to nothing about shared hosting. I've always had Moodle installs where you went out and bought at least two actual boxes you could point at, and had full control over messing up Apache yourself.

You should read some of the Wordpress discussions about that. I'm not sure I completely follow, but one aspect seems to be that you can potentially make a mistake that exposes your config settings. It's a whole lot less likely if that file isn't there in the first place.

Yes - but this brings us back to shared hosting where the user may not have the option to have the root of the Moodle code outside of the document root. Of course, it's less important for those sites. This is actually progress for the bigger "enterprise" sites for whom it's not a problem to set it up "properly"

The obvious candidate is dire NFS performance.

You say you have Redis running. Are you *sure* you have configured it properly in Moodle admin?