
Moodle Security


Learn how to install and configure Moodle in the most secure way possible

User information protection

Every user within Moodle has a profile which can contain information we may or may not want to show to other users, or at least not to all of them. The level of exposure will depend on the privacy policy we want to adopt. For example, we may want to completely isolate users within a course so that nobody knows who else is participating, or we may want to expose just the user names and nothing else, and so on. Let us first describe how Moodle handles presentation of user profiles. This is important as it will expose internal workings of that subsystem and identify all access points and ways of disabling them if that is what we want to do.

User profile page

The user profile page holds personal information about a user within Moodle. It can contain name, surname, address, telephone, etc. The user profile page is reached by <Moodle URL>/user/view.php?id=<userid>&course=<courseid> where userid and courseid are the identifiers of the user and the course as they are stored in the database. This is how Moodle determines whether or not to show the profile page for a particular user:

 

 

| Logged-on user | User to see | Condition | Show profile |
|---|---|---|---|
| User | Other user | Other user is teacher in at least one course | yes |
| User | Other user | User is teacher in at least one course | yes |
| User | Other user | User has View user profiles capability enabled in current context | yes |
| User | Other user | None of the above | no |
| User | User | None | yes |

When we say teacher we refer to the Moodle roles Teacher and Non-editing teacher.

Reaching profile page

There are several ways a user can reach the profile page for a particular user. We are presenting them here in order to help the administrator to block potentially unwanted access points to user information.

People block

Every course upon creation gets a set of predefined blocks. One of these blocks is the people block. When present and visible it gives every user an opportunity to browse all users participating in the current course.


This block is visible to any user that has the View participants capability enabled. This capability exists at the system and course levels. In Moodle 1.9.8 and later, by default this capability is enabled only for the Administrator role on both levels. That way no user other than Administrator will be able to see participants on the system level or in a specific course.

If by any chance you use an older version of Moodle, then most likely you have this capability enabled on the course level for all standard roles except for guest and authenticated user. Unless you want an open privacy policy on your site, we recommend that you disable this capability.

Visit the Administration | Users | Permissions | Define roles page, then locate and modify that capability by setting it to “Not set”. Apply this at least on the Student role.


Forum topics

A forum topic offers another way of accessing the user profile. Regardless of the forum type, Moodle displays the author name for every post. This name is linked to the profile page for that user.


Messaging system

Moodle offers a messaging system for internal communications between users. The Messaging system can be accessed from three locations—personal profile page, platform front page, and course content page.

 

| Moodle page | Conditions | Displayed |
|---|---|---|
| Profile page | Send message to any user capability is enabled | Yes |
| Front page | Message block is added by Administrator | Yes |
| Course content page | Message block is added to the course by Administrator or teacher | Yes |

If any of these conditions are fulfilled, users will be able to access the messaging system. By default none of these conditions are present for Students and therefore there is no danger of any privacy intrusion. However, it is a common practice in various installations of Moodle to add a messaging block to one or more courses. Any user will be able to communicate with other users within the same context (course). The problem with messaging is that it enables any user to locate any other user registered in the platform. We can demonstrate this easily. Open the messaging dialog and switch to the Search tab. In the Name field enter one letter and press the Search button. You will get ALL user accounts that have the specified letter either in name or surname as a result.


Apart from the actual names of the users, the search result also offers a direct link to their personal profiles.


This is a potentially dangerous feature that can expose more information than we are willing to permit. If messaging is called from a context in which the user has permission to view user profiles, that user will be able to see any profile in the system. This way user names and profiles are completely open. There is no way to modify this behavior (listing all users) other than disabling the messaging system. Having a messaging system enabled can be a problem if you have a malicious user within your system who wants to get the names of all users, or a spam-bot that wishes to harvest e-mail addresses. That is the reason we should do something about that.

Protecting user profile information

We have several options available for protecting access to private information located in the personal user profile. You can choose the one that is most appropriate for your particular use case.

Limit information exposed to all users

If we do not have a problem exposing some of the information in a user's profile, then we can just hide some fields. To do that visit the Administration | Users | Permissions | User policies page and locate the Hide user fields section.


Using this approach you still cannot hide the user's e-mail or actual name, which is good for cases where you want users to communicate with each other without knowing too many personal details.

Completely block ability to view profiles

If you want to completely block access to user profiles, you have several options, explained as follows:

Disable View participants capability

We already explained that every Moodle as of version 1.9.8 has this disabled by default. We are listing it here just for the sake of being complete.

Hide messaging system

Hiding the messaging system means removing its access points from the user's reach. This means not adding the Messages block on the front page or in any course where you wish to prevent users from knowing the other participants. This is useful where you want to have a mixed messaging policy for different courses (sets of users). Keep in mind that this setup gives a false sense of separation. Users from courses which do not have the Messages block can still access the Messaging system if they type the URL by hand.

Disable Messaging system

If you do not care for Messaging in your Moodle site you can completely disable it. To do that visit the Administration | Security | Site policies page and uncheck the Enable messaging system option.

Not using general forums

If you have a website where you want to completely isolate only some of the users within a course, among other things you can adopt the policy of not adding general forums inside such courses and on the site front page. That way you can still use forums in other courses where you do not have security concerns.

Disable View user profiles capability

If you want to completely block any possibility of viewing user profiles for specific role(s) you need to modify the View user profiles capability and set it to “Not set”. Visit the Administration | Users | Permissions | Define roles page, then locate and modify that capability for every role you wish to prevent from viewing user profiles.
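To confirm that the role changes described in this article actually took effect, the role definitions can be audited from the database. The following is an added example, not code from the original article or from Moodle: it assumes the default `mdl_` table prefix and maps the capability names used above to Moodle's internal identifiers (verify them on your version), and it runs the query against constructed sample rows in an in-memory SQLite database.

```python
import sqlite3

# Moodle capability identifiers mapped to the names shown on the Define roles
# page (assumed mapping; confirm against your Moodle version).
WATCHED = {
    "moodle/course:viewparticipants": "View participants (course)",
    "moodle/site:viewparticipants": "View participants (system)",
    "moodle/user:viewdetails": "View user profiles",
    "moodle/site:sendmessage": "Send message to any user",
}
CAP_ALLOW = 1  # stored permission value for "Allow"; "Not set" leaves no Allow row

AUDIT_SQL = """
SELECT r.shortname, rc.capability, c.contextlevel
FROM mdl_role_capabilities rc
JOIN mdl_role r ON r.id = rc.roleid
JOIN mdl_context c ON c.id = rc.contextid
WHERE rc.permission = ? AND rc.capability IN ({})
ORDER BY r.shortname, rc.capability
""".format(",".join("?" * len(WATCHED)))

def audit(conn, privileged=("admin",)):
    """List (role, capability name, context level) for every watched
    capability that is allowed to a role outside the privileged set."""
    rows = conn.execute(AUDIT_SQL, (CAP_ALLOW, *WATCHED)).fetchall()
    return [(role, WATCHED[cap], lvl) for role, cap, lvl in rows if role not in privileged]

def sample_db():
    """Constructed data: a site where Student still holds two of the capabilities."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE mdl_role (id INTEGER PRIMARY KEY, shortname TEXT);
    CREATE TABLE mdl_context (id INTEGER PRIMARY KEY, contextlevel INTEGER);
    CREATE TABLE mdl_role_capabilities
      (roleid INTEGER, contextid INTEGER, capability TEXT, permission INTEGER);
    INSERT INTO mdl_role VALUES (1,'admin'),(5,'student'),(6,'guest');
    INSERT INTO mdl_context VALUES (1,10);  -- 10 = system context
    INSERT INTO mdl_role_capabilities VALUES
      (1,1,'moodle/site:viewparticipants',1),
      (5,1,'moodle/course:viewparticipants',1),
      (5,1,'moodle/user:viewdetails',1),
      (5,1,'moodle/site:sendmessage',-1),
      (6,1,'moodle/user:viewdetails',-1000);
    """)
    return conn

if __name__ == "__main__":
    for role, label, level in audit(sample_db()):
        print(f"{role}: '{label}' is allowed (context level {level})")
```

The query in `AUDIT_SQL` covers role definitions and overrides alike, since both are stored as rows keyed by context; an empty result for the Student role means none of the four capabilities is explicitly allowed to it.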
