Mick Hawkins, Developer and Application Security Engineer at Moodle HQ
Security in Moodle is taken very seriously by our team, our open source community and our Certified Partners. Moodle’s development practices include security by design. This means that we embed a security mindset right from the start in all of our development to deliver a secure platform. As with any software, there are also some basic security precautions you can follow to help keep your own Moodle installation secure.
Today, we’ll look at some of the things you can do as a Moodle administrator to configure your site securely, and help keep your users and their data safe. If you have any specific questions about the tips raised here, or securing your Moodle site in general, we encourage you to seek advice via our Moodle Community Forums or to reach out to our experienced Certified Moodle Partners, who can help with all aspects of your Moodle installation.
Top tips to help keep your Moodle installation secure
1. Register your Moodle site so that you receive the list of all security fixes on the day they are released. Plus, we’ll also notify you when new releases are available.
2. Upgrade your Moodle site regularly to ensure it receives all of the latest security fixes. Minor versions are released every 2 months and include security fixes. We always recommend upgrading to the latest major release so that you have all of the newest Moodle features and are running a version that still receives security updates. Check our release documentation for a full list of Moodle versions that are currently receiving security updates.
3. Back up your site regularly. A good backup is a crucial part of securing any system! But you don’t have a good backup unless you are able to restore it, so remember to test your restoration procedures. Read more about Moodle site backups on Moodle Docs.
4. Configure your site securely by following best practices.
5. Follow the principle of least privilege by only assigning certain capabilities and “trusted” roles (such as teacher, manager and site administrator) to users who absolutely need the privileges these roles allow. Check out Types of users to see a brief description of some of the privileges available to each Moodle role, and see more detailed information on the standard roles documentation.
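As an added example (not from the original post or from Moodle’s own documentation), the following SQL lists who currently holds a trusted role anywhere on the site, so the assignments can be reviewed against who actually needs them. It assumes the default mdl_ table prefix and treats manager, editingteacher and teacher as the trusted roles; adjust the list for any custom roles on your site.

```sql
-- Added audit query: every active user holding a "trusted" role, with the
-- context the role was granted in. Assumes the default mdl_ table prefix.
-- Assumption: manager, editingteacher and teacher are the roles treated as
-- trusted here; extend the IN (...) list for custom roles on your site.
SELECT u.id,
       u.username,
       r.shortname     AS role,
       c.contextlevel,          -- 10 = system, 40 = course category, 50 = course
       c.instanceid,            -- id of the category/course the role applies to
       ra.timemodified          -- when the assignment was last changed
FROM mdl_role_assignments ra
JOIN mdl_role    r ON r.id = ra.roleid
JOIN mdl_context c ON c.id = ra.contextid
JOIN mdl_user    u ON u.id = ra.userid
WHERE r.shortname IN ('manager', 'editingteacher', 'teacher')
  AND u.deleted = 0
  AND u.suspended = 0
ORDER BY c.contextlevel, r.shortname, u.username;

-- Site administrators are not role assignments: Moodle stores them as a
-- comma-separated list of user ids in the config table, so check it separately.
SELECT value AS siteadmin_user_ids
FROM mdl_config
WHERE name = 'siteadmins';
```

System-level (contextlevel 10) assignments of manager or editingteacher grant privileges across the whole site and deserve the closest review.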
6. Report any potential vulnerabilities. If you think you have discovered a security vulnerability in Moodle, let us know via our Security Reporting form so we’re able to investigate and address it if necessary. We follow a Responsible Disclosure Policy, so details of security submissions will not be published until they have been patched (and we ask anyone submitting issues to also follow this policy).