on 27 February 2011
I have been asked on several occasions to tech review Packt Moodle books as they are being drafted. It's a privilege and I tend to say yes - usually because the topic is one I feel is in my area, pedagogically - so I can be of assistance to the author. Sometimes, however, I am asked to review a book in a different field from my own. As long as I know the other reviewer is a technical expert I am happy to continue, restricting my comments to style, layout and readability. Such was it with Moodle Security. Before I read the book I only knew the bare minimum a Moodle admin needs to know, so I almost turned down the offer of reviewing it. On Packt's assurance that their other reviewer was highly knowledgeable about security issues (so nobody can blame me if they get hacked!!), I agreed to read it and am very glad I did so. I found it enlightening and invaluable.
Written by Moodler Darko Miletic, it takes you through, chapter by chapter, the steps you need to ensure your Moodle is secure from initial installation to site backup - with user and file management in between. Moodlers are well aware that alongside all the great publicity this Open Source LMS/VLE generates, it has had a bad press in the past because of quite large security loopholes. Some have argued this has been the fault of inadequately trained admins - who've left the user profiles open to Google or put their moodledata folder (the one with all the "stuff") in an easily accessible directory because they didn't read the warnings. Others have made the point that Moodle should not allow such mistakes to be made in the first place - particularly as Moodle admins might not always be your techie types, but a regular teacher like me just doing the job for their school. So a book like this must be a welcome addition to any Moodle admin. The first couple of chapters deal with securing your Linux or Windows server. However, even if you don't host Moodle yourself, it is worth reading on because Darko then talks about authentication and roles and permissions. Vital if you want to avoid such dangerous pitfalls as allowing email-based self-authentication with no Captcha or email restrictions (spammers' paradise), or setting permissions wrongly and allowing someone to create an account and subsequently edit your front page (as I was able to do on a local Moodle a couple of years ago). You can read Chapter 4 on authentication here as a free taster. The book is based on Moodle 1.9, although much of it is still relevant to Moodle 2.0. However, some of the potential security problems with Moodle (such as site-wide roles) have been addressed in Moodle 2.0. Chapter 6 handles protection against bots while Chapter 7 deals with securing user files. Moodle 2.0 handles files differently from 1.9 (subject of much controversy!) so some of this will currently not apply - but many users will remain with Moodle 1.9 for a year or so yet, so the information remains valuable. Chapter 9 deals with protecting user and course information, leading up to monitoring user activity in Chapter 10.
Despite being a non-technical Moodle admin I found the book easy to digest and I learned a lot about keeping Moodles secure. If you are a Moodle administrator responsible for a large number of users (or even a small primary school!) it would be well worth investing in Moodle Security, if only so you don't wake up one morning to find the Russian Federation have taken over your site...
on 9 May 2011
The book covers all aspects of Moodle 1.9 Security and explains concepts in a clear and well-written style.
It is good to see that the security of the underlying components, that is, the operating system (Linux and Windows), database, web server and PHP, is covered in detail, as this is where a lot of setups fall short of taking precautions. The author then walks you through all the key aspects of Moodle where "something can go wrong" in terms of security. This covers subjects like authentication, roles, permissions, files, etc. An entire chapter each has been dedicated to protection against bots, monitoring user activity, and backups. The book concludes with an appendix that provides some details on less commonly used authentication plugins, for instance, LDAP.
All in all, a well-written book on Moodle 1.9 security that doesn't shy away from touching on system-related topics.