
Moodle Security

Moodle is an open source CMS (Course Management System)/LMS (Learning Management System)/VLE (Virtual Learning Environment). Its primary purpose is to enable educational institutions and individuals to create and publish learning content in a coherent and pedagogically valuable manner, so that it can be used for successful knowledge transfer towards students.

That sounds harmless enough. Why would anybody want to illegally access an educational platform?

Computer criminals have various motives. In general, they are people committed to the circumvention of computer security. This primarily concerns unauthorized remote computer break-ins via a communication network such as the Internet. Some of the motives could be:

  • Financial: Stealing user and/or course information and selling it to third parties
  • Personal: Personal grudge, infantile display of power, desire to alter assigned grades, and so on

Weak points

Moodle is a web application and as such must be hosted on a computer connected to some kind of network (private or public—Internet / Intranet). This computer must have the following components:

  • Operating System (OS)
  • Web server
  • PHP
  • Database server
  • Moodle

Each of these pieces can be used as a point of attack by malicious users in order to obtain access to the protected information. Therefore, it is our task to make all of them as secure as possible. The main focus will be directed towards our Moodle and PHP configuration.

The secure installation of Moodle

In this section we follow a secure installation of Moodle. In case you do not already have an installed instance of Moodle, we will show you the quickest way to do that, and at the same time focus on security. If you already have Moodle installed, go to the following section where you will see how to secure an existing installation of Moodle.

Starting from scratch

In order to install Moodle on your server you need to install and configure the web server with support for PHP and the database server. We will not go into the specifics of setting up a particular web server, PHP, and/or database server right now, since it depends on the OS your server has installed. Also, we will not explain in detail tasks like creating directories, setting up file permissions, etc., as they are OS specific and out of the scope of this article. This section assumes you already know about your OS and have already configured your web server with an empty database. Every installation of Moodle must have:

  • Web server with PHP support
  • Dedicated database
  • Two dedicated directories—one for Moodle and another for platform data

We assume that your web server is Apache (Linux) or IIS (Windows), and that you use PHP 5.1.x or later and MySQL 5.0 or later.

Installation checklist

The following checklist will guide you through the basic installation procedure for Moodle.

  1. Download the latest stable version of Moodle from http://download.moodle.org/. (At the time of writing this article it is 1.9.8+). You have two options available on the download page—moodle-weekly-19.tgz or moodle-weekly-19.zip archive. In case you use Linux you can choose either. In case of Windows, ZIP file is the preferred choice. The reason for this is simple. Every Windows server comes, by default, with installed support for managing Zip archives. On the other hand, TGZ is readily available on every Linux distribution.

  2. Unpack the compressed file you just downloaded. This will produce a directory with the name moodle which contains all of the platform files. Move that directory to the web-root of your web server. After doing that it is recommended to make all files read-only for safety reasons.
  3. Create a directory called moodledata somewhere on the disk. Make sure that it is not in the web-root of your web server since that would incur a serious security breach. Doing that might expose all platform files submitted by course participants and teachers together with the course content to the outside world.
  4. Create an empty database (we suggest the name moodle or moodledb). The default database character set must be configured to utf8 and collation set to utf8_general_ci. It is recommended to have a special user for accessing this database with limited permissions. In case of credentials theft, a malicious user could only operate on data from one database, minimizing the potential damage. That database user account will need permissions for creating, altering, and deleting the tables, creating/dropping the indexes and reading/writing the data. Here is what you need to execute in your MySQL console for creating a database and user:

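    -- Database with the character set and collation Moodle requires
    CREATE DATABASE moodle DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
    -- Dedicated account, limited to the permissions listed above on this one database
    CREATE USER 'moodle'@'localhost' IDENTIFIED BY 'somepass';
    GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER
        ON moodle.* TO 'moodle'@'localhost';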

  5. Start the installation by opening the URL of your local Moodle installation (for example http://localhost/moodle) in your browser. Make sure it is a recent browser with pop-ups and JavaScript enabled. We recommend Internet Explorer 8+ or Firefox 3.6+. You will see the following screenshot.

  6. On the next screen, we need to specify the web address of the platform and the location of the moodle directory on the disk.

  7. Now, we must configure database access. Choose MySQL as database type, localhost as host server, set the name of the database (moodle), database user, and its password (moodle/moodle). You should leave the table prefix as is.

  8. Moodle checks the server configuration on this screen and displays the outcome. We can proceed with the installation only if all of the minimal requirements are met.

  9. During installation, Moodle generates a configuration file within the moodle directory called config.php. It is important to make this file read-only after installation for security reasons. In case Moodle cannot save config.php it will offer to download or copy content of the file and manually place it in the appropriate location on the server. See the following screenshot:

  10. We are now presented with terms of usage and license agreement. To proceed click yes.
  11. We can now start the installation itself. During that process Moodle will create all of the tables in the database, session files in the moodledata directory, and load some initial information. Make sure you check Unattended operation at the bottom. That way, the process will be executed without user intervention.

  12. After the database setup is finished, we are offered a new screen where we must configure the administrative account. With this user you manage your platform, so be careful about disclosing this information to other users.

    | Field name | | Recommended action |
    | | Defines user name inside the Moodle. By default it is admin. | We recommend leaving the default value unchanged. |
    | New password | Defines user logon password. | Must supply valid password. |
    | First name | Defines name of the admin. | Must supply valid name. |
    | | Defines surname of the admin. | Must supply valid name. |
    | E-mail address | Defines user e-mail address. | Must supply valid e-mail. |
    | E-mail display | Define the visibility of your e-mail address within the platform. | We recommend leaving it as is (visible to all). |
    | E-mail active | Defines whether e-mail is activated or not. | Set it to enable. |
    | | Defines name of the city where you live. | Moodle requires this value. |
    | Select Country | Name of your country. | Set it to your country name. |
    | | Sets your time zone so that server can display time calculated for your location in some reports. | If not sure what your time zone is, leave it as is. |
    | Preferred language | Choose the platform language. | By default, Moodle comes only with support for English language. If you want to add more languages visit http://download.moodle.org/lang16/ and download and install the appropriate files. |


  13. After configuring the administrative user there is just one more step to complete and that is setting up the site title and short name. In the Full site name field, place the long name you would like to set for your website; it can have multiple words. In the Short name for the site field put one word without spaces which will represent your website. In the Front Page Description field put a longer description (one paragraph) that explains in more detail the purpose of your site. This is optional and does not affect the Moodle functionality at all.

  14. You have now finished installing Moodle and should see the following screenshot:
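
The file-system recommendations in steps 2, 3 and 9 (read-only platform files, moodledata outside the web-root, read-only config.php) can be verified once the installation is done. The script below is an added example, not part of the original article or of Moodle; its function names and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): audit steps 2, 3 and 9 of the checklist.
# Function names are illustrative assumptions.

# Resolve symlinks and ".." in a directory path.
canon() { (cd "$1" 2>/dev/null && pwd -P); }

# is_inside CHILD PARENT: true when CHILD resolves to PARENT or below it.
is_inside() {
    child=$(canon "$1") || return 2
    parent=$(canon "$2") || return 2
    case "$child/" in "$parent"/*) return 0 ;; *) return 1 ;; esac
}

# List regular files at or below $1 that have any write bit set.
# Mode bits are inspected (not `test -w`) so the result is the same for root.
writable_files() {
    find "$1" -type f \( -perm -200 -o -perm -020 -o -perm -002 \) 2>/dev/null
}

# audit_moodle MOODLE_DIR MOODLEDATA_DIR WEBROOT
# Prints one line per finding and leaves the count in AUDIT_PROBLEMS.
audit_moodle() {
    moodle_dir=${1%/}; data_dir=$2; webroot=$3; AUDIT_PROBLEMS=0
    if is_inside "$data_dir" "$webroot"; then
        echo "FAIL: moodledata ($data_dir) is inside the web-root"
        AUDIT_PROBLEMS=$((AUDIT_PROBLEMS + 1))
    fi
    if [ -n "$(writable_files "$moodle_dir/config.php")" ]; then
        echo "FAIL: config.php is writable"
        AUDIT_PROBLEMS=$((AUDIT_PROBLEMS + 1))
    fi
    n=$(writable_files "$moodle_dir" | grep -Fxv "$moodle_dir/config.php" \
        | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n other platform file(s) are writable"
        AUDIT_PROBLEMS=$((AUDIT_PROBLEMS + 1))
    fi
    [ "$AUDIT_PROBLEMS" -eq 0 ] && echo "OK: all three checks passed"
    return 0
}

# Example paths: sh audit.sh /var/www/html/moodle /srv/moodledata /var/www/html
if [ "$#" -eq 3 ]; then audit_moodle "$@"; fi
```

The moodledata check works on the resolved path, so a directory that reaches the web-root through `..` or a symlink in the given path is still reported.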
