Initial steps

• Organise to take your site off-line temporarily until you know you've fixed everything.
• Find all available older database and file backups
• Backup php files, database and data files (Do not overwrite older backups.)
• Contact your hosting provider, if you have one.

Damage assessment

• Look for any modified or uploaded files on your web server.
• Check your server logs for any suspicious activity, such as failed login attempts, command history (especially as root), unknown user accounts, etc.

Recovery

• Find out when exactly was the site hacked.
• Restore last backup right before the incident.
• Download the latest stable version and upgrade your site.
• Change your passwords.

Dealing with spam

• Spam in profiles or forum posts does not mean your site was actually hacked.
• Use the Spam cleaner tool (Administration > Reports > Spam cleaner) regularly to find spam (Moodle 1.8.9 and 1.9.5 onwards).

Prevention

• Always keep your site up-to-date and use the latest stable version. It is very safe to go from 1.9.3 to 1.9.4+, for example, at any time. CVS is an easy way to do this.
• Regularly run the Security overview report (Administration > Reports > Security overview) (Moodle 1.8.9 and 1.9.4 onwards).

See also

• Security FAQ

Using Moodle forum discussions:

• Blank page appears when trying to edit or update a course.
• How to diagnose a Hacked Moodle Site?
• Security issue: source files hacked ("hackcheckstr")
• Have I been hacked? Strange happenings...
• Our site was hacked, delete the Moodle files, Fortunately we still have the database.