loader image

Moodle – Web Security Protocol


March 30, 2018

s S​​ your​​ 

Moodle: Web​​ Security​​ Protocol



Moodle​​ (Modular​​ Object-Oriented​​ Dynamic​​ Learning​​ Environment)​​ - one of the most dominant​​ players​​ in the field of eLearning industry. Moodle​​ is an open source software​​ package which offers internet-based courses.​​ The source​​ code is scripted in PHP language,​​ a​​ free​​ web application for online learning.

The source codes of the software are available freely, so it is​​ easier for the hackers to breach out the firewall.​​ Speaking​​ of​​ the​​ basic​​ security aspects, it must have authenticity, access control, confidentiality, integrity,​​ and​​ availability.

In this article, we will list down​​ the​​ security features of Moodle.

  • HTTPS Setting: By default, Moodle login page​​ information​​ are transmitted over the HTTP connections. HTTP connections are vulnerable due to Slowloris and Slow Post attacks, which makes the server wait for packets​​ received, which causes the end of header sections and​​ a​​ hacker​​ could snoop over the network connection and will reach out the access to your username and password. To forbid such a tragic consequence of using​​ a​​ non secure​​ server, you may consider​​ to look​​ a step​​ forward and deploy your Moodle website to work over the HTTPS connection.​​ HTTPS is a secure communication protocol between the computer connection with server connections. HTTPS provides a secure communication line which encrypts the data transfer over the network, forbidding the hacker to breach out the firewall.​​ ​​ 


Allowing Moodle site to work over the SSL connections setting, all site data must be encrypted transmitted over an SSL connection setting. Moving from​​ nonsecure​​ http:// to a secure https:// connection, it requires the editing in the Moodle config.php and .htacess file which will redirect to https:// to load.


Step 1: Login to the​​ control panel

Step 2:​​ File manager> config.php>$CFG->wwwroot =​​ ‘http://……..”​​ changed to $CFG->wwwroot =​​ ‘https://……..” ​​​​ 

Step 3:​​ .htaccess file​​ > Force the​​ https://redirect​​ by placing the code​​ 


 ​​​​ RewriteEngine On​​ 

​​ RewriteCond %{SERVER_PORT} 80​​ 

​​ RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]


​​ Step 4: Save the​​ .htaccess file


  • IP setting:​​ In Moodle v3.3, the site settings can be modified as per the​​ administration​​ to forbid any security attack. IP address and proxy settings are one of the​​ protocols​​ which​​ allow​​ or block an access to the site. Most​​ often, robots and perpetrators​​ exploit​​ the Moodle website by frequently causing the machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the internet-​​ DOS attack​​ which compromises the website security.​​ To prevent such consequences of your Moodle site, an​​ IP Blocker​​ feature is available in the Site Administration panel.​​ School/University/Institution/Organization server IP can be set so that only users with correct authority can access the site.​​ This permission gives the administrator to regulate the traffic.​​ 


Guide to block IP addresses in Moodle​​ are as follows: ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​​​ 


Step 1: Log into​​ Moodle Dashboard

Step 2:​​ Settings>Site administration >​​ Security > IP blocker

Step 3: List all the IP’s in the blocked IP box, on separate lines. IP ranges like​​ -​​ can also be added. After entering all IP’s.

Step 4: click​​ Save changes


  • Antivirus:​​ Moodle site do have​​ access​​ to​​ file export and import, so admin must scan all the files uploads for viruses before accepted on the server. Moodle 3.3​​ does​​ have the antivirus to achieve the virus scan. ClamAV antivirus software is installed on Moodle site to scan the uploaded files on​​ the​​ server.​​ 


Step by step guide for setting up ClamAV Antivirus for Moodle files upload


Step 1: Log into​​ Moodle Dashboard

Step 2:​​ Settings>Site administration > Security > Anti-Virus

Step 3:​​ On the Anti-virus page, enable ClamAV virus scan with the custom settings.​​ 

Step 4: Click​​ Save Changes


 ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​​​ Note:​​ ClamAV path or directory should be set correctly, to ignore the error pop-up notifications.

  • Password Policy and Salting:​​ Currently, all website do have a policy for saving the password of users for quicker access. A user can setup the password complexity option like – minimum length of​​ the​​ password, alphanumeric characters, use of lowercase and uppercase characters, non-alphanumeric characters, to make a strong password for login.​​ Error pop-up notification will come if​​ the​​ user​​ does​​ not​​ meet​​ the requirements​​ for the password, indicating the nature of​​ the​​ problem​​ with the entered password.


Step 1: Log into​​ Moodle Dashboard

Step 2:​​ Settings>Site administration > Security > Site policies

Step 3: Check the box to determine the​​ password complexity​​ 

Step 4: Click​​ Save Changes​​ 


MD5 hash codes are stored in the databases as user passwords, which can be easily​​ derived​​ from​​ original​​ simple password by using online hash viewer tools. To prevent such kind​​ of vulnerability, password salting is done to make your password more secure. Password salting can be processed by adding a random string of characters to passwords before their MD5 hash is calculated, which makes them harder to reverse.


To set a password salt, add the following line to your config.php file:


$CFG->passwordsaltmain = 'some long random string here with lots of characters';


The random string of characters should be a mix of letters, numbers and other characters. The​​ Moodle Salt Generator​​ may be used to obtain a suitable long random string. A string length of at least 40 characters is recommended.


For changing the password salt:


Old password salt:​​ passwordsaltmain

New password salt: passwordsaltalt1​​ 


$CFG->passwordsaltalt1 = 'old long random string';

$CFG->passwordsaltmain = 'new long random string';


  • Firewalls


  • Security experts recommend a dual firewall​​ with different hardware/software configurations.​​ 

  • Disabling unused services is often as effective as a firewall.​​ Use​​ netstat​​ -a​​ to review open network ports.​​ Not a guarantee of protection

  • Allowed​​ ports​​ 


SSL: 80, 443

Chats: 9111

Remote admin: ssh 22, or​​ rdp​​ 3389


  • Miscellaneous recommendations


For an overall security, you might need to consider these recommendations:


  • Use the secure form setting

  • Always set a​​ MySQL​​ root user password

  • Turn off​​ MySQL​​ network access

  • Use SSL, httpslogin=yes

  • Do not enable the​​ opentogoogle​​ setting in Site policies.

  • Disable guest login.

  • Place enrolment keys on all courses or set Course Enrollable= No for all courses.

  • Ensure the enrolment key hint is disabled in​​ Settings>Site>Administration>Plugins>Enrolments>Self enrolment.

Overall,​​ we have taken a​​ glance​​ at​​ the security​​ part of the Moodle which is basically meant for the site administrators who have the responsibility to fix your Moodle site in any catastrophic situation.​​ For any more guidance, feel free to contact​​ 3E Software Solution​​ – experts in maintaining and securing Moodle websites.







 ​​ ​​​​ 


You May Also Like…