Moodle stores grades, submissions and personal data for every enrolled user, which makes it a high-value target. Hardening should prioritise timely patching of core and plugins, plugin governance (install only plugins you have vetted, and only from the Moodle plugins directory or your own repository), and strict role and capability control. The commands below assume a Debian or Ubuntu host with the Moodle code under /var/www/moodle and the data directory ($CFG->dataroot) under /var/moodledata, outside the web root.
Add these security headers to your Apache virtual host (they need mod_headers: sudo a2enmod headers). Three caveats before copying them. Moodle embeds some of its own pages in same-origin iframes (H5P content, for example), so X-Frame-Options DENY and frame-ancestors 'none' break those; SAMEORIGIN and 'self' are used below, and you should only tighten them to DENY and 'none' after verifying that nothing on the site frames itself. Moodle's shipped JavaScript does not run under a strict Content-Security-Policy, which is why script-src keeps 'unsafe-inline' and 'unsafe-eval'; this policy limits where scripts and other resources may be loaded from, but it does not stop an injected inline script, so do not count it as an XSS mitigation. The preload token on Strict-Transport-Security is a commitment: it requires includeSubDomains, so set it only if every subdomain serves HTTPS, and only if you intend to submit the domain to the browser preload list, since removal from that list takes months. X-XSS-Protection is deliberately absent: the browser filter it controlled is deprecated, Chromium removed it, Firefox never implemented it, and the old implementations could be abused to leak cross-site information.
# Security headers
Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options SAMEORIGIN
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'self';"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Hide Apache version
ServerTokens Prod
ServerSignature Off
# Limit request body size to 100 MB (104857600 bytes). Apache does not accept a comment after a
# directive on the same line, so the comment lives here. Keep this value in step with PHP's
# upload_max_filesize and post_max_size and with Moodle's site upload limit, otherwise large uploads
# fail with a bare 413 from Apache instead of Moodle's own error message. This is an upload limit, not
# denial-of-service protection; rate limiting belongs in front of the web server.
LimitRequestBody 104857600
If using Nginx instead of Apache, the same caveats apply. The always flag keeps the headers on error responses too. One Nginx-specific trap: add_header is not inherited additively. A location block that contains its own add_header line drops every add_header set at server level, so either keep all of them at server level only or repeat the full set inside every location that adds one. Check the live response after any change rather than trusting the configuration.
server {
# Security headers
add_header X-Content-Type-Options nosniff always;
add_header X-Frame-Options SAMEORIGIN always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'self';" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Hide nginx version
server_tokens off;
# Limit request sizes (keep client_max_body_size in step with PHP's upload_max_filesize and post_max_size)
client_max_body_size 100M;
client_body_timeout 120s;
client_header_timeout 120s;
}
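Header lines are easy to get wrong, and Nginx silently drops them in locations that carry their own add_header, so confirm what the site actually sends. The audit below is an added example; it is not code from the original page or from Moodle. It works on a saved response, for instance curl -sI https://moodle.example.org/login/index.php > headers.txt (the host name is a placeholder), and the two header sets inside it are constructed samples. Beyond the headers above it also flags a Server header that reveals a version and an X-Powered-By header, which expose_php = Off in php.ini removes.

```shell
#!/bin/sh
# Added example, not code from the original page or from Moodle.
# Audit a saved HTTP response-header dump for the hardening settings above.
# Capture one with:  curl -sI https://moodle.example.org/login/index.php > headers.txt
# (moodle.example.org is a placeholder host name).

# header_value FILE NAME -> prints the first value of header NAME (names are case-insensitive), empty if absent
header_value() {
    tr -d '\r' < "$1" | grep -i "^$2:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# check_headers FILE -> prints one finding per line; returns 0 when there are none
check_headers() {
    findings=0
    for name in Strict-Transport-Security X-Content-Type-Options Content-Security-Policy Referrer-Policy; do
        if [ -z "$(header_value "$1" "$name")" ]; then
            echo "MISSING: $name"; findings=$((findings + 1))
        fi
    done
    csp=$(header_value "$1" Content-Security-Policy)
    if [ -n "$csp" ]; then
        # 'unsafe-inline' is tolerated because Moodle's own scripts need it; 'unsafe-eval' is flagged
        case "$csp" in *unsafe-eval*) echo "WEAK: CSP allows 'unsafe-eval'"; findings=$((findings + 1)) ;; esac
        case "$csp" in *frame-ancestors*) ;; *) echo "WEAK: CSP has no frame-ancestors directive"; findings=$((findings + 1)) ;; esac
    fi
    hsts=$(header_value "$1" Strict-Transport-Security)
    if [ -n "$hsts" ]; then
        max_age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
        if [ "${max_age:-0}" -lt 31536000 ]; then
            echo "WEAK: HSTS max-age is below one year"; findings=$((findings + 1))
        fi
    fi
    if [ -n "$(header_value "$1" X-XSS-Protection)" ]; then
        echo "OBSOLETE: X-XSS-Protection is deprecated; remove it"; findings=$((findings + 1))
    fi
    case "$(header_value "$1" Server)" in *[0-9]*) echo "LEAK: Server header reveals a version"; findings=$((findings + 1)) ;; esac
    if [ -n "$(header_value "$1" X-Powered-By)" ]; then
        echo "LEAK: X-Powered-By present (set expose_php = Off in php.ini)"; findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# write_sample KIND -> writes a constructed header dump (weak|hardened) to a temp file and prints its path
write_sample() {
    f=$(mktemp)
    if [ "$1" = weak ]; then
        printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: Apache/2.4.41 (Ubuntu)' 'X-Powered-By: PHP/8.1.2' \
            'X-XSS-Protection: 1; mode=block' 'Content-Type: text/html; charset=utf-8' > "$f"
    else
        printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: Apache' 'Strict-Transport-Security: max-age=63072000; includeSubDomains' \
            'X-Content-Type-Options: nosniff' 'Referrer-Policy: strict-origin-when-cross-origin' \
            "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'self'" > "$f"
    fi
    echo "$f"
}

# Demo on the constructed samples
for kind in weak hardened; do
    sample=$(write_sample "$kind")
    echo "== $kind sample =="
    if check_headers "$sample"; then echo "no findings"; fi
    rm -f "$sample"
done
```

Run it against a real capture with check_headers headers.txt. The weak sample reproduces what an unconfigured Apache and PHP send and yields seven findings; the hardened sample yields none.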
Set ownership and permissions so that the web server can read the code but not modify it, can read config.php, and can write only to the data directory. Giving the code tree to www-data and making the data directory world-writable (chmod -R 777) gives up both properties: one vulnerable plugin or unrestricted upload then lets an attacker rewrite Moodle's PHP files and keep access across restarts, and every local account can read or replace student submissions. Own the code by root (or a dedicated deploy user), give config.php to the web server group only, and give the data directory to the web server user alone. Two consequences to plan for: plugins can no longer be installed through the web UI, so install them from the CLI or your deployment process (which is what plugin governance wants anyway), and Moodle cron must run as www-data (sudo -u www-data php /var/www/moodle/admin/cli/cron.php) so it can write to the data directory.
# Code: owned by root, readable but not writable by the web server
sudo chown -R root:root /var/www/moodle
sudo find /var/www/moodle -type f -exec chmod 644 {} \;
sudo find /var/www/moodle -type d -exec chmod 755 {} \;
# config.php contains the database password: readable by the web server group only
sudo chown root:www-data /var/www/moodle/config.php
sudo chmod 640 /var/www/moodle/config.php
# Data directory: writable by the web server user, not by others (it must sit outside the web root)
sudo chown -R www-data:www-data /var/moodledata
sudo find /var/moodledata -type d -exec chmod 770 {} \;
sudo find /var/moodledata -type f -exec chmod 660 {} \;
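Modes drift back over time (a restore from backup, a hurried chmod during an incident), so it is worth having a check that catches the two mistakes described above: a code file the web server could rewrite and a world-writable data directory. The script below is an added example, not code from the page or from Moodle. It audits a code tree and data directory for those mistakes, then applies the corrected modes. Ownership is left to the chown commands above because changing it needs root, and the directory tree it builds is a constructed sample under a temporary directory, not a real install.

```shell
#!/bin/sh
# Added example, not code from the original page or from Moodle.
# Audits and fixes file modes for a Moodle code tree and data directory.
# Ownership (chown) is not touched here: it needs root, and the chown commands above cover it.

# audit_moodle_perms CODE_DIR DATA_DIR -> prints one finding per line
audit_moodle_perms() {
    code="$1"; data="$2"
    # 1. Nothing in the code tree may be writable by the web server's group or by others;
    #    a writable PHP file turns any upload or plugin flaw into persistent code execution.
    find "$code" \( -perm -020 -o -perm -002 \) -print | sed 's/^/WRITABLE-CODE: /'
    # 2. config.php holds the database credentials: it must not be world-readable.
    find "$code/config.php" -perm -004 -print | sed 's/^/WORLD-READABLE-CONFIG: /'
    # 3. The data directory holds submissions and sessions: no world-writable entries (the effect of chmod -R 777).
    find "$data" -perm -002 -print | sed 's/^/WORLD-WRITABLE-DATA: /'
    # 4. The data directory must not live under the document root, or its contents are served as files.
    case "$data" in
        "$code"/*) echo "DATAROOT-IN-WEBROOT: $data" ;;
    esac
}

# harden_moodle_perms CODE_DIR DATA_DIR -> applies the modes recommended above
harden_moodle_perms() {
    code="$1"; data="$2"
    find "$code" -type d -exec chmod 755 {} +
    find "$code" -type f -exec chmod 644 {} +
    chmod 640 "$code/config.php"                # owner root, group www-data on the real host
    find "$data" -type d -exec chmod 770 {} +   # owner and group www-data on the real host
    find "$data" -type f -exec chmod 660 {} +
}

# make_sample_tree -> builds a constructed, deliberately misconfigured install under a temp dir and prints its path
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/html/moodle/lib" "$root/moodledata/cache"
    printf '<?php $CFG->dbpass = "example";\n' > "$root/html/moodle/config.php"
    printf '<?php // library code\n' > "$root/html/moodle/lib/setup.php"
    : > "$root/moodledata/cache/item"
    chmod 755 "$root/html/moodle" "$root/html/moodle/lib"
    chmod 644 "$root/html/moodle/lib/setup.php"
    chmod 666 "$root/html/moodle/config.php"                                               # mistake: world-readable and writable
    chmod 777 "$root/moodledata" "$root/moodledata/cache" "$root/moodledata/cache/item"    # mistake: chmod -R 777
    echo "$root"
}

# Demo on the constructed tree: five findings before, none after
root=$(make_sample_tree)
echo "== before =="; audit_moodle_perms "$root/html/moodle" "$root/moodledata"
harden_moodle_perms "$root/html/moodle" "$root/moodledata"
echo "== after =="; audit_moodle_perms "$root/html/moodle" "$root/moodledata"
rm -rf "$root"
```

On a real host run audit_moodle_perms /var/www/moodle /var/moodledata from cron and alert on any output; an empty report is the expected state.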
Enable and monitor Moodle logs. Moodle's own event log (the standard log store) is written to the database, not to files: keep it enabled under Site administration > Plugins > Logging and review it under Site administration > Reports > Logs, where failed logins, role changes and plugin installs appear. Make sure debugging output is off on the production site (Site administration > Development > Debugging), otherwise PHP errors end up in responses to users rather than only in the web server's error log. The file logs around Moodle on a Debian or Ubuntu host:
# Moodle file logs: only present if your site logs to files under the data directory (this path is this page's layout)
sudo tail -f /var/moodledata/moodledata/*.log
# Web server: requests and PHP errors (default Debian paths)
sudo tail -f /var/log/apache2/access.log /var/log/apache2/error.log
# Service start, stop and reload messages
sudo journalctl -u apache2 -f
sudo tail -f /var/log/mysql/error.log
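Watching a log scroll by is not monitoring; you need something specific to look for. One thing worth checking in the access log is password guessing against the login form. The function below is an added example and not part of the page or of Moodle. It assumes the combined log format and Moodle's default login URL /login/index.php, and it treats a POST to that URL answered with anything other than a 3xx as a failed attempt, because Moodle answers a successful login with a redirect and re-renders the form otherwise; confirm that behaviour on your version before acting on the counts. The log lines inside it are constructed.

```shell
#!/bin/sh
# Added example, not code from the original page or from Moodle.
# Report source addresses with repeated failed logins, from combined-format access log lines.
# Assumptions: default login URL /login/index.php; a successful login is answered with a 3xx redirect
# and a failed one re-renders the form with a non-3xx status.

# login_failure_report LOGFILE THRESHOLD -> prints "IP COUNT" for each IP with more than THRESHOLD failed logins
login_failure_report() {
    awk -v limit="$2" '
        # combined format: $1 client address, $6 "METHOD, $7 path, $9 status
        $6 == "\"POST" && $7 ~ /^\/login\/index\.php/ && $9 !~ /^3/ { failed[$1]++ }
        END { for (ip in failed) if (failed[ip] > limit) print ip, failed[ip] }
    ' "$1" | sort
}

# make_sample_log -> writes constructed log lines to a temp file and prints its path
make_sample_log() {
    f=$(mktemp)
    i=0
    while [ "$i" -lt 25 ]; do   # 25 failed attempts from one address, one per second
        printf '%s\n' "203.0.113.5 - - [10/Mar/2024:10:00:$(printf '%02d' "$i") +0000] \"POST /login/index.php HTTP/1.1\" 200 8421 \"-\" \"python-requests/2.31\"" >> "$f"
        i=$((i + 1))
    done
    # one failure and one success from a normal user, plus unrelated GETs from a third address
    printf '%s\n' '198.51.100.7 - - [10/Mar/2024:10:01:00 +0000] "POST /login/index.php HTTP/1.1" 200 8421 "-" "Mozilla/5.0"' >> "$f"
    printf '%s\n' '198.51.100.7 - - [10/Mar/2024:10:01:20 +0000] "POST /login/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"' >> "$f"
    printf '%s\n' '192.0.2.9 - - [10/Mar/2024:10:02:00 +0000] "GET /login/index.php HTTP/1.1" 200 8102 "-" "Mozilla/5.0"' >> "$f"
    printf '%s\n' '192.0.2.9 - - [10/Mar/2024:10:02:05 +0000] "GET /course/view.php?id=2 HTTP/1.1" 303 0 "-" "Mozilla/5.0"' >> "$f"
    echo "$f"
}

# Demo on the constructed log: only 203.0.113.5 exceeds ten failures
log=$(make_sample_log)
echo "addresses with more than 10 failed logins:"
login_failure_report "$log" 10
rm -f "$log"
```

Against a real site run login_failure_report /var/log/apache2/access.log 10 on the last rotation; for an address that shows up, cross-check the user_login_failed events in Site administration > Reports > Logs to see which accounts were targeted, and consider Moodle's account lockout threshold (Site administration > Security > Site security settings) as the in-application control.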
Configure log rotation for those file logs so they cannot fill the disk; a full disk stops Moodle from writing sessions and uploads, which looks like an outage. The Apache and MySQL logs are already rotated by their packages, so this only covers the Moodle file logs at the path used above:
sudo nano /etc/logrotate.d/moodle
Add:
/var/moodledata/moodledata/*.log {
daily
missingok
rotate 52
compress
delaycompress
notifempty
create 640 www-data adm
postrotate
systemctl reload apache2 > /dev/null 2>&1 || true
endscript
}