You can find security settings under

Site administration → Security

IP Blocker: Limiting Access to Specific Location

This page enables you to block and allow users from specific IP addresses. If you want to limit access to your Moodle to only the users who are on campus, this is especially useful.

Site Policies

The site policies page contains a variety of security settings that you can set.

Protect usernames

If you forget your password, Moodle can display a page that enables you to retrieve it. If you enter your username or e-mail address, Moodle will send an e-mail with your login information.

When Moodle sends this e-mail, it confirms the sending but does not display the e-mail address to which the message was sent. The e-mail address is hidden to protect the user's privacy.

If someone could guess the usernames (which is often the case in large institutions), they could enter them into the lost password page and harvest e-mail addresses for abuse.

Force users to log in

Setting this to Yes causes the front page to become hidden until a visitor logs in to Moodle. When visitors first hit your Moodle site, they see the Moodle login page. Setting this to Yes means that you cannot use Moodle's front page as an information and sales tool. You can customize the text on the login page, but you won't be able to add all the features available on the front page.

Force users to login for profiles

Setting this to No enables anonymous visitors to read, not only teacher profiles, but also the profiles of any students enrolled in courses that have guest access. This may be a privacy issue.

The effect of enabling Force users to login for profiles is that anonymous visitors cannot read the profiles for the teachers in a course that accepts guest access. They must register as a student before being able to read student and user profiles.

Open to Google

This setting lets the Google indexing robot into courses that allow guest access.

Maximum uploaded file size

This setting affects students, teachers, and course creators. If you're creating a course that has a large file, such as a video, and Moodle forbids you from uploading the file,
this setting might be the cause.

There are three other settings that limit the size of a file that can be uploaded to your server. The first two are PHP settings and the third is an Apache setting.

Allow Embed and Object tags

By default, you cannot embed a Flash or any other media file in a Moodle page. Instead, media files are automatically embedded and played in Moodle's built-in media player.

However, many course developers do not like to use Moodle's built-in media player. Instead, they prefer that their media plays on the course page, in the player designed for that media. One example of this is embedding a YouTube video in a web page.

HTTP security

The HTTP security page has several options that you can use to further secure your site.

Use HTTPS for logins

If you enable this setting, but your server doesn't have HTTPS enabled for your site, you will be locked out of your site. Moodle will require you to use HTTPS when you log in, but you won't be able to comply.