Talk:Security recommendations

From MoodleDocs

I think we should remove the register_globals advice, because it makes no sense to talk about a feature removed from PHP as of version 5.4 (more than 5 years ago). I'm going to edit the article accordingly.

--Joan Cervan (talk) 10:20, 18 January 2019 (UTC)


To tighten up permissions on Linux:

cd /var/
find moodledata/ -type d -exec chmod 700 {} \;
find moodledata/ -type f -exec chmod 600 {} \;
cd /var/www/html    # or cd /var/www/ if the moodle folder is one level lower
find moodle/ -type d -exec chmod 755 {} \;
find moodle/ -type f -exec chmod 644 {} \;


Correction: The RootkitRevealer link is outdated; working links: English: http://technet.microsoft.com/en-en/sysinternals/bb897445.aspx German: http://technet.microsoft.com/de-de/sysinternals/bb897445.aspx

Thanks Reto, I have amended the links accordingly. --Helen Foster (talk) 16:20, 6 January 2014 (WST)


Correction: The enrolment key hint is disabled by default in Moodle 2.2. The setting is found at Settings > Site Administration > Plugins > Enrolments > Self enrolment.

Thanks for the pointer, Jane :) --Mary Cooch 20:18, 22 April 2012 (WST)


de:Sicherheitsempfehlungen (Klaus Steitz 23:47, 27 April 2012 (WST))

Suggestion: Put a link to Register globals Docs page admin/environment/custom check/php check register globals

Request: Replace the link to the Spanish translation of this page with the proper page es:Recomendaciones de Seguridad

Thanks. I checked and found that the Spanish link is correct. --Helen Foster (talk) 07:23, 16 December 2019 (UTC)

Bad link: The section "Most secure/paranoid file permissions" contains an example link, http://your.moodle.site/admin/phpinfo.php. This got converted to an actual link that takes one to someplace weird. Please remove the link and just leave the text. --Christopher King 2 (talk) 23:02, 15 December 2019 (UTC)

Thanks. I have removed the link as suggested. --Helen Foster (talk) 07:23, 16 December 2019 (UTC)

This document recommends setting the files in the moodledata directory to 600, but Moodle writes new files as 666 by default. There should be some mention on the page of how to modify Moodle/PHP/Apache/etc. to create new files/dirs with 600/700 perms, respectively.
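The mode of a newly created file is the creation mode the program asks for (typically 666 for files and 777 for directories) masked by the umask of the creating process, so the web server / PHP process inherits whatever umask the service that started it had. The following POSIX shell script is an added illustration written for this talk page, not Moodle code and not the page's own commands: it creates a file and a directory under two different umasks in a constructed scratch tree, shows that umask 022 yields 644/755 while 077 yields 600/700, and applies the same find/chmod tightening the page recommends to an existing tree. Where the umask is set for the real web server process depends on the service manager and is not covered here.

```shell
#!/bin/sh
# Added example: how umask decides the mode of freshly created files and
# directories, and how to re-tighten an existing tree afterwards.
# The paths used are a constructed scratch tree created with mktemp.

# perm_of PATH -> prints the 10-character symbolic mode, e.g. -rw-------
# (cut drops any trailing ACL/xattr/SELinux marker that ls may append)
perm_of() {
    ls -ld "$1" | cut -c1-10
}

# create_with_umask UMASK DIR -> creates DIR/f (file) and DIR/d (directory)
# with the given umask in a subshell, then prints "<file mode> <dir mode>".
# A file is requested as 666 and a directory as 777; the umask strips bits.
create_with_umask() {
    _um=$1
    _base=$2
    mkdir -p "$_base"
    ( umask "$_um"; : > "$_base/f"; mkdir "$_base/d" )
    printf '%s %s\n' "$(perm_of "$_base/f")" "$(perm_of "$_base/d")"
}

# tighten_tree DIR -> directories 700, files 600 (the moodledata rule from
# the page), for files that already exist with looser modes.
tighten_tree() {
    find "$1" -type d -exec chmod 700 {} \;
    find "$1" -type f -exec chmod 600 {} \;
}

# demo -> prints three lines: modes under umask 022, modes under umask 077,
# and the modes of the 022 tree after tighten_tree has been applied.
demo() {
    scratch=$(mktemp -d)
    loose=$(create_with_umask 022 "$scratch/loose")   # -rw-r--r-- drwxr-xr-x
    tight=$(create_with_umask 077 "$scratch/tight")   # -rw------- drwx------
    tighten_tree "$scratch/loose"
    fixed="$(perm_of "$scratch/loose/f") $(perm_of "$scratch/loose/d")"
    rm -rf "$scratch"
    printf '%s\n%s\n%s\n' "$loose" "$tight" "$fixed"
}

demo
```

Running the script prints the 644/755 pair for umask 022, the 600/700 pair for umask 077, and 600/700 again for the loose tree after tightening. The find/chmod pass only fixes what already exists; files the server creates later still follow its umask, which is why the umask matters as much as the one-off chmod.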

Suggested edit

Hi there,

On the page it says regarding the Moodle code at the bottom:

"There is no need to grant write permission to the web service account/group on any of the files or subdirectories. The only drawback is that you will need to create the config.php by hand during the installation process, as Moodle will not be able to create it. But that should not be a big problem."

This is not entirely accurate, as the web server not having write access to the Moodle code will also prevent installing/updating/uninstalling plugins via the web interface.

Perhaps change to this?

"There is no need to grant write permission to the web service account/group on any of the files or subdirectories. The only drawbacks are that you will 1) need to create the config.php by hand during the installation process, as Moodle will not be able to create it; and 2) installing/updating/uninstalling plugins via the web interface will be disabled."