Moodle Web Security Protocol


March 30, 2018

Moodle (Modular Object-Oriented Dynamic Learning Environment) – one of the most dominant players in the field of eLearning industry. Moodle is an open source software package which offers internet-based courses. The source code is scripted in PHP language, a free web application for online learning.

The source codes of the software are available freely, so it is easier for the hackers to breach out the firewall. Speaking of the basic security aspects, it must have authenticity, access control, confidentiality, integrity, and availability.

In this article, we will list down the features of Moodle web security .


a) HTTPS Setting: By default, Moodle login page information are transmitted over the HTTP connections. HTTP connections are vulnerable due to Slowloris and Slow Post attacks, which makes the server wait for packets received, which causes the end of header sections and a hacker could snoop over the network connection and will reach out the access to your username and password. To forbid such a tragic consequence of using a non secure server, you may consider to look a step forward and deploy your Moodle website to work over the HTTPS connection on moodle web security. HTTPS is a secure communication protocol between the computer connection with server connections. HTTPS provides a secure communication line which encrypts the data transfer over the network, forbidding the hacker to breach out the firewall.


Allowing Moodle site to work over the SSL connections setting, all site data must be encrypted transmitted over an SSL connection setting. Moving from nonsecure http:// to a secure https:// connection, it requires the editing in the Moodle config.php and .htacess file which will redirect to https:// to load.


Step 1: Login to the control panel

Step 2: File manager> config.php>$CFG->wwwroot = ‘http://……..” changed to $CFG->wwwroot = ‘https://……..”

Step 3: .htaccess file > Force the https://redirect by placing the code

 RewriteEngine On​​ 

​​ RewriteCond %{SERVER_PORT} 80​​ 

​​ RewriteRule ^(.*)$$1 [R,L]

Step 4: Save the .htaccess file

b) IP setting: In Moodle v3.3, the site settings can be modified as per the administration to forbid any security attack. IP address and proxy settings are one of the protocols which allow or block an access to the site. Most often, robots and perpetrators exploit the Moodle website by frequently causing the machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the internet- DOS attack which compromises the website security. To prevent such consequences of your Moodle site, an IP Blocker feature is available in the Site Administration panel. School/University/Institution/Organization server IP can be set so that only users with correct authority can access the site. This permission gives the administrator to regulate the traffic.


Guide to block IP addresses in Moodle are as follows:

 Step 1: Log into Moodle Dashboard

 Step 2: Settings>Site administration > Security > IP blocker

 Step 3: List all the IP’s in the blocked IP box, on separate lines. IP ranges like  – can also be added. After entering all IP’s.

 Step 4: click Save changes

c) Antivirus for (Moodle Web Security): Moodle site do have access to file export and import, so admin must scan all the files uploads for viruses before accepted on the server. Moodle 3.3 does have the antivirus to achieve the virus scan. ClamAV antivirus software is installed on Moodle site to scan the uploaded files on the server.


Step by step guide for setting up ClamAV Antivirus for Moodle files upload

 Step 1: Log into Moodle Dashboard

 Step 2: Settings>Site administration > Security > Anti-Virus

 Step 3: On the Anti-virus page, enable ClamAV virus scan with the custom settings.

 Step 4: Click Save Changes

           Note: ClamAV path or directory should be set correctly, to ignore the error pop-up notifications.

d) Password Policy and Salting: Currently, all websites do have a policy for saving the password of users for quicker access. A user can setup the password complexity option like – minimum length of the password, alphanumeric characters, use of lowercase and uppercase characters, non-alphanumeric characters, to make a strong password for login. Error pop-up notification will come if the user does not meet the requirements for the password, indicating the nature of the problem with the entered password.

 Step 1: Log into Moodle Dashboard

 Step 2: Settings>Site administration > Security > Site policies

 Step 3: Check the box to determine the password complexity

 Step 4: Click Save Changes

MD5 hash codes are stored in the databases as user passwords, which can be easily derived from the original simple passwords by using online hash viewer tools. To prevent such kind of vulnerability, password salting is done to make your password more secure. Password salting can be processed by adding a random string of characters to passwords before their MD5 hash is calculated, which makes them harder to reverse.


To set a password salt, add the following line to your config.php file:

  $CFG->passwordsaltmain = ‘some long random string here with lots of characters’;

The random string of characters should be a mix of letters, numbers and other characters. The Moodle Salt Generator may be used to obtain a suitable long random string. A string length of at least 40 characters is recommended.

 For changing the password salt:

 Old password salt: passwordsaltmain

New password salt: passwordsaltalt1

 $CFG->passwordsaltalt1 = ‘old long random string’;

 $CFG->passwordsaltmain = ‘new long random string’;

e) Firewalls:

  • Security experts recommend a dual firewall with different hardware/software configurations.
  • Disabling unused services is often as effective as a firewall. Use netstat -a to review open network ports. Not a guarantee of protection
  • Allowed ports

 SSL: 80, 443

 Chats: 9111

 Remote admin: ssh 22, or RDP 3389

f) Miscellaneous recommendations

 For overall security, you might need to consider these recommendations:

  • Use the secure form setting
  • Always set a MySQL root user password
  • Turn off MySQL network access
  • Use SSL, httpslogin=yes
  • Do not enable the opentogoogle setting in Site policies.
  • Disable guest login.
  • Place enrolment keys on all courses or set Course Enrollable= No for all courses
  • Ensure the enrolment key hint is disabled in Settings>Site>Administration>Plugins>Enrolments>Self enrolment.

Overall, we have taken a glance at the security part of the Moodle web security which is basically meant for the site administrators who have the responsibility to fix your Moodle site in any catastrophic situation. For any more guidance, feel free to contact 3E Software Solution – experts in maintaining and securing Moodle websites.

You May Also Like…