MOODLE Admin Hint #9: Decoding the Security Report

Welcome to Moodle at Ricoshae! Today, we’re diving into Moodle Admin Hint #9: checking your Moodle security report. This often-overlooked feature is an incredibly useful tool for safeguarding your Moodle instance. Let’s walk through the report together, understand what it’s telling us, and identify actionable steps to bolster your Moodle’s security.

Accessing the Security Overview

First things first, you’ll need to log in to Moodle as an administrator. Once logged in, navigate to Site Administration, then select Reports, and finally scroll down to Security Overview.

The security overview can be quite technical, so we’ll focus on the key areas that are most relevant for improving your Moodle’s security posture.

Key Areas of the Security Report

Insecure Data Root

This section checks the directory where Moodle stores user-uploaded and saved data (the data root). Ideally, this should show as secure, meaning the directory sits outside the web-served code tree and the server has the correct permissions in place, so that this sensitive information cannot be served straight to visitors. If it’s green, you’re good to go!

Display of PHP Errors

If you see a warning here, it means your PHP settings are configured to display error messages to the browser. While useful on development servers, error output can reveal file paths and other internal details, so it should be turned off on production servers. This setting is usually managed in your server’s PHP configuration (display_errors) or within the Moodle config.php file. If you’re unsure, ask your server manager to disable the display of PHP errors.

Vendor Directory and Node.js Modules Directory

These directories belong to Moodle development and build environments and should not be present on public-facing production sites. Their presence can indicate that your Moodle is still set up as a development checkout rather than a production deployment. If flagged, make sure your Moodle installation is properly configured for a production environment.

No Authentication Plugin is Disabled

This is a critical security check. The “No authentication” plugin lets anyone sign in without a password, so it must stay disabled: you want all users to authenticate before accessing your Moodle content. Ensure this section shows “OK,” confirming that open access to your content is not enabled.

Allow Embed and Object

Moodle restricts the direct embedding of arbitrary objects (using <embed> and <object> tags) within content due to potential security risks. It’s generally good practice for this to be restricted, so “embedding objects is not allowed” is a positive sign.

Flash Media Filter is Enabled (CRITICAL)

This is a major security vulnerability. Flash, once popular for interactive content, is now considered a significant security risk. If the Flash media filter is enabled, you must disable it.

To do this, navigate to Site Administration > Plugins > Media players > Manage media players. You’ll see “Flash animation video (.swf)” listed. Simply click the eye icon next to it to disable it. After disabling, return to your security report and reload the page to confirm the issue is resolved.

Login is Required Before Viewing Users’ Profiles

This ensures that user profiles are only accessible to logged-in users, protecting user privacy. This should be “OK.”

Search Engine Access

By default, Moodle should not allow search engines like Google to index your entire site. This helps protect your content from public discovery. Ensure this is “not enabled by default.”

Password Policy

Having a strong password policy enabled is crucial for user account security. This should be “enabled” and green.

Email Change Confirmation

Confirmation of email address changes in user profiles is important to prevent unauthorized modifications. This should be “on.”

Writable Config.php

Your config.php file should not be writable by the web server, that is, by PHP scripts. A writable config.php is a significant security risk because it could allow unauthorized modifications to your Moodle configuration. Contact your server manager to ensure the permissions on config.php are set so that scripts cannot modify it.

Cross-Site Scripting (XSS) Trusted Users

Moodle allows certain trusted users (e.g., administrators) to perform actions that could otherwise be considered XSS risks, such as adding JavaScript. While necessary for some functionalities, it’s vital to review these trusted users and ensure they are indeed individuals you fully trust with such elevated privileges.

Administrators

Regularly check how many administrators you have and who they are. While the report might show “one server administrator” as fine, it’s good practice to ensure the number of administrators is kept to a minimum and that all administrative accounts are active and necessary.

Backup of User Data

This section identifies roles and users with the ability to back up user data. Verify that only authorized individuals have this capability to maintain data integrity and privacy.

Default Role for All Users & Guest Role & Front Page Role

These ensure that essential roles are configured correctly within your Moodle instance. These should typically be green.

Cron Access

Cron runs Moodle’s essential background tasks. It’s crucial that anonymous users cannot trigger cron over the web. Ensure that only authorized personnel can run cron tasks.

Executable Paths

Moodle allows the paths to external executables (converters and similar tools) to be set via the admin interface. For enhanced security, it is highly advisable to disable the ability to modify these paths from the admin GUI through a config option on your server. Even though you trust your administrators, this extra layer prevents unintended or malicious changes to these critical paths. Consult your server manager for details on how to implement this.
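Several of the items above (display of PHP errors, cron access and executable paths, plus the data root location) are settled in config.php. The fragment below is an added example, not code from the original post or from the Moodle project; the paths, hostname and database values are placeholders to replace with your own.

```php
<?php  // config.php (added example); production values are active, weak values are shown in comments

unset($CFG);
global $CFG;
$CFG = new stdClass();

// Placeholder database settings: replace with your site's own values.
$CFG->dbtype    = 'mariadb';
$CFG->dblibrary = 'native';
$CFG->dbhost    = 'localhost';
$CFG->dbname    = 'moodle';
$CFG->dbuser    = 'moodleuser';
$CFG->dbpass    = '<DB_PASSWORD_PLACEHOLDER>';
$CFG->prefix    = 'mdl_';

$CFG->wwwroot   = 'https://moodle.example.org';   // placeholder hostname
$CFG->dirroot   = '/var/www/moodle';              // placeholder: web-served code tree

// "Insecure Data Root": keep moodledata OUTSIDE dirroot so the web server cannot serve it.
// Weak:   $CFG->dataroot = '/var/www/moodle/moodledata';
$CFG->dataroot  = '/var/moodledata';              // placeholder path outside the web root
$CFG->directorypermissions = 02770;

// "Display of PHP Errors": development values would be
//   @error_reporting(E_ALL); @ini_set('display_errors', '1'); $CFG->debugdisplay = 1;
// Production: do not show errors to browsers.
@ini_set('display_errors', '0');
$CFG->debugdisplay = 0;

// "Cron Access": refuse cron.php over the web so anonymous visitors cannot trigger it.
// Run cron from the command line instead: php admin/cli/cron.php
$CFG->cronclionly = 1;

// "Executable Paths": lock the executable/converter paths so the admin GUI cannot change them.
$CFG->preventexecpath = true;

require_once(__DIR__ . '/lib/setup.php');
```

The "Writable config.php" item is not a setting inside this file but a file-permission matter: the file should be readable, and not writable, by the account the web server runs as.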

Conclusion

The Moodle security report is an invaluable tool for any Moodle administrator. By regularly reviewing this report and addressing any flagged issues, you can significantly enhance the security of your Moodle learning management system. Aim to have as many items as possible showing as “green,” indicating a secure configuration.

If you’re not an administrator, share this information with your Moodle admin and encourage them to conduct regular security report checks.

For more Moodle administration insights, including clearing cache, running Cron, setting tasks, debugging, reading log files, editing config, automated backups, performance overviews, and ad-hoc database queries, be sure to explore our other Moodle admin hint videos.