Hacked site recovery

Revision as of 22:13, 26 October 2009 by Howard Miller (talk | contribs) (Prevention)

Jump to: navigation, search

Note: You are currently viewing documentation for Moodle 3.1. Up-to-date documentation for the latest stable version of Moodle is probably available here: Hacked site recovery.

Initial steps

  • Contact your hosting provider, if you have one.
  • Immediately put the site into Maintenance mode or better completely off-line until you know you've fixed everything.
  • Find all available older database and file backups
  • Backup php files, database and data files (Do not overwrite older backups.)
  • Make a list of all PHP software installed on the same server.
  • Note main Moodle version and the date of last update
  • Make a list of all contrib modules and custom modifications

Damage assessment

  • Find out when exactly was the site hacked.
  • Look for any modified or uploaded files on your web server - look for oldest file that does not belong in Moodle.
  • Check your server logs for any suspicious activity around that date or few hours before, such as strange page parameters, failed login attempts, command history (especially as root), unknown user accounts, etc.


Dealing with spam

  • Spam in profiles or forum posts does not mean your site was actually hacked.
  • Use the Spam cleaner tool (Administration > Reports > Spam cleaner) regularly to find spam (Moodle 1.8.9 and 1.9.5 onwards).


  • Always keep your site up-to-date and use the latest stable version. It is very safe to go from 1.9.3 to 1.9.4+ weekly build, for example, at any time. CVS is an easy way to do this.
  • Regularly run the Security overview report (Administration > Reports > Security overview) (Moodle 1.8.9 and 1.9.4 onwards).
  • Understand how to properly set permissions and file ownership to maximise security. If this is a mystery, you mustn't ignore it - read about it or ask in the forums!

See also

Using Moodle forum discussions: