To minimize spam and other security threats, it’s recommended to keep Moodle 3 updated with the latest patches and software enhancements. An integrated report is available for review at Site administration > Reports > Security overview, which provides an assessment of site security, alongside steps you can take to further protect your site.
Enable critical security settings
Moodle’s developers also recommend enabling the following measures to reduce your security risk:
- Ensure that register_globals is disabled in your PHP settings (this is the default setting).
- Keep Force users to login for profiles enabled in Site administration > Security > Site policies to prevent anonymous visitors and search engines from seeing user profiles.
- Keep Profiles for enrolled users only enabled in Site administration > Security > Site policies. This will prevent affected profiles from being visible even to other users on the site.
Where possible, keep Moodle’s self-registration feature disabled and add accounts manually through the administration dashboard. You can manage registration settings at Site administration > Plugins > Authentication > Manage authentication.
If you need to enable self-registration, there are safeguards you can take to reduce threats.
- Enable reCAPTCHA for account sign-up forms by obtaining security keys and entering them in the authentication settings form at Site administration > Plugins > Authentication > Manage authentication. Once the keys are entered and validated, you'll be able to enable the reCAPTCHA feature, which prevents bots from registering accounts on your site.
- Limit self-registration to specific email domains, again using Manage authentication settings.
- Enable self-registration for a short “sign-up” period, then disable the setting.
- Ensure that the Email change confirmation setting is enabled in Site administration > Security > Site policies, which requires users to manually confirm changes to registered email addresses.
If you're able to trace security issues to specific IP addresses or blocks, take advantage of Moodle's IP address blocking features at Site admin > Security > IP Blocker > Blocked IP List.
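The site policy and self-registration settings above can also be pinned in Moodle's config.php so they cannot be switched off from the admin pages. The fragment below is an added example, not part of the original article; example.edu is a placeholder domain.

```php
// Fragment for Moodle's config.php. Place it before the final
// require_once(__DIR__ . '/lib/setup.php'); line.
// Values assigned to $CFG here take precedence over the values stored
// in the database and cannot be changed from the admin pages.

// Site administration > Security > Site policies
$CFG->forceloginforprofiles        = true;  // Force users to login for profiles
$CFG->profilesforenrolledusersonly = true;  // Profiles for enrolled users only
$CFG->emailchangeconfirmation      = true;  // Email change confirmation

// Site administration > Plugins > Authentication > Manage authentication
$CFG->registerauth = '';                    // Self registration disabled

// If self-registration has to be opened for a sign-up period, use these
// two lines instead and restore the line above when the period ends:
// $CFG->registerauth        = 'email';        // Email-based self-registration
// $CFG->allowemailaddresses = 'example.edu';  // placeholder: allowed email domain
```

After editing config.php, confirm the result in Site administration > Reports > Security overview.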
Clean up user profile spam
If you experience issues with rogue profiles being registered on your Moodle site, you can identify misbehaving accounts at Site administration > Reports > Spam cleaner.
The feature allows you to search all user profiles for certain spam-related terms and then delete those accounts.