Security
Moodle developers take security very seriously. Moodle is widely used at universities, so you can be reassured that security is in place to protect courses, user accounts, and data, Like with all software, hackers get in, and developers set up patches. As you know, there's no such thing as complete security.
Moodle.org provides a list of basic recommendations to keep your site as secure as possible. The following list summarizes the recommendations:
- Carry out regular Moodle updates
- Make sure you disable Register
- Use strong passwords for admin and teachers
- Trust the users who get Teacher role privileges
You can find more information at http://docs.moodle.org/en/Security.
Check out the following sections to discover more about the settings that help you manage security and enable users to link to resources.
Site Policies
Site policies settings determine what users can access and see as well as who can enter your site. Click the Site Policies link to go over the default settings (which provide the required security), though you may want to enable others. Each setting has check box and a short description.
You can trust the defaults, which I highly recommend, and go through the page to see all the available settings when you're comfortable with Moodle.
HTTP Security
The HTTP Security page allows you to choose a number of security options, such as using HTTPS to encrypt user login details, enabling cookies, and using the required Flash version that is known not to pose a security risk as some versions have known security risks. I recommend using the default settings unless you have HTTPS on your server. For example, if you enable HTTPS for logins in Moodle and you don't have HTTPS set up on your server, you will lock yourself out of your site.
Module Security
Use the settings on the Module Security page, shown in Figure 13-23, to disable any activity for all user accounts other than the administrative account. For example, you can disable the Chat activity across the whole site or for specific courses. Notice each option is explained, and if you don't understand the implications, don't change the default settings until you investigate them thoroughly.
Figure 13-23: The Module Security settings page.
Notifications
You can set up Moodle to inform you if someone is trying to steal student or teacher logins. If you enable the Display Login Failures option, a link is added to the site front page after you log in, informing you of the number of failed logins. Click the link to access the login error page.
If you worry about logins failing, you can set up e-mail notification to inform you about failed attempts.
Anti-Virus
Moodle includes an antivirus feature you can enable. It's an open-source virus scanner called ClamAV, and you need to install it on your server first in order to enable the capabilities in this page. See www.clamav.net for further information. If you have antivirus running on your server, you don't need to worry about it and can leave the default settings.