How secure is Moodle?
Moodle platforms store a lot of data. From email addresses to messages, your platform will quickly build up plenty of information on the people who use it.
This isn’t a bad thing. In fact, a Moodle platform is expected to contain this information. But what is essential is that you have the correct security measures in place so that your platform’s data can’t be hacked or disrupted by malicious parties.
We work with educational institutions that hold sensitive information on students through to large organisations with platforms containing information on tens of thousands of users. And in each case, we take careful consideration to make sure their platforms are entirely secure.
In this article, we’ll explain the importance of security for your platform, the security features that Moodle already has, as well as some tips and tricks to make your platform as safe as possible.
01 When things go wrong
In 2017, a malicious ransomware attack called WannaCry was launched targeting computers that used Windows operating systems. One of the most publicised in memory, the ransomware affected up to 200,000 computers in over 150 computers worldwide.
Eventually, the response from Microsoft and security organisations brought the situation under control. Still, the damage had already been done for many organisations, costing billions of pounds.
After reviews of how this ransomware managed to cause so much damage, it was revealed that Microsoft had already released a security patch that worked against the attack. The computers that were affected hadn’t installed this latest patch.
Similarly, Moodle releases new versions of its platform bi-annually. For the most part, these updates introduce new features to your Moodle platform, but they also bring in the latest security features. As it stands, only Moodle versions 3.9.8 and above have the newest security certificate, so if your platform isn’t on that version, it’s time to upgrade.
02 The security features of Moodle
Moodle is designed to be secure.
From its early development through today, Moodle follows a strict development process called ‘security by design’. This means that any development or change that Moodle introduces has the platform’s security at its forefront. A full list of these security by design processes can be found here.
Moodle will never collect, use or monetise any data you store on your Moodle platform. Which alongside the various policy documents and data request tools accessible here means your platform will be fully GDPR compliant.
We’ve often spoken about the benefits of Moodle Plugins (such as H5P), and because they’re usually made by third party sources, we’re often asked how secure they are. Moodle requires all available plugins to implement a Privacy API to make sure they’re GDPR compliant.
Finally, Moodle deploys a proactive security testing and vulnerability disclosure program. Moodle collaborates with Bugcrowd, which allows global security researchers to test Moodle constantly. Beyond this, Moodle also has the benefit of its massive user base. At any one time there are millions of administrators and security experts monitoring any potential vulnerabilities and reporting them through the vulnerability disclosure program.
03 Moodle’s recommended top tips for security
Moodle also has recommendations you can implement to add an extra layer of safety. Here’s what you can do:
1.) Register your Moodle site – Doing this means you’ll be alerted immediately when new Moodle versions are released, allowing you to stay on top of the latest security features.
2.) Back-up your site regularly – You can make a save of your platform so that if any issues do occur, you can restore to a version before it happened.
3.) Follow the principle of ‘least privilege’ – A hierarchical structure meaning the few at the top, such as administrators, will have access to the most information. Whilst the many at the bottom, such as learners, have access to the least information. It’s also important to make sure that users only have access to the content which is relevant to them.
4.) Configure your site in line with Moodle’s recommendations – Moodle releases regular documentation describing how best to set up your platform. You can follow the Moodle security recommendations doc here and run a security overview report here.
5.) Report any issues – Use the security reporting forum to inform Moodle of any potential vulnerabilities you see. Once they’re brought to Moodle’s attention, they can be resolved ASAP.
Getting Started
We’ve handled Moodle installations for many organisations, making sure their platforms are as safe as possible. To speak to us about the security of your installation, get in touch here.
We also release a monthly newsletter covering content like this and everything you need to know surrounding the world of Moodle. Click the link below to subscribe.
Privacy Policy | Cookie Policy | Data Protection Policy | Equality, Diversity and Inclusion Policy
© 2023 Titus Learning LTD | Company Number 08799881 | VAT Number 1813 09027