CL Complete LMS

Security hardening - find the holes, close them, prove it

An LMS holds grades, identities, payment data, sometimes safeguarding records. It's a target. Our cyber-security and network specialists run a structured assessment of your stack, prioritise what we find, and fix it - then hand back a written report you can show your board or auditor.

LMS platforms quietly accumulate risk - old plugins linger, admin roles drift, TLS configs go stale, backups land in places no-one audited. By the time something breaks it's not one thing, it's twelve small things at once.

Our security and network engineers walk the whole stack - application, server, database, network, identity, backup - find what's exposed, rank it by real impact, and close it. Then we re-test and write it up.

What's included

  • Authenticated application scan - Moodle™ / LMS code, plugins, themes
  • Server hardening review - OS, kernel, firewall, SSH, fail2ban, SELinux/AppArmor
  • Database hardening - privileges, network exposure, at-rest encryption, audit logging
  • TLS configuration - protocol versions, cipher suites, HSTS, OCSP stapling, certificate hygiene
  • Network segmentation - admin plane, app tier, DB tier, backup egress paths
  • Identity and access - admin role review, MFA, SSO, password policy, session lifetimes
  • Secrets and credentials - rotation, storage, exposure in config and backups
  • Patch posture - kernel, web server, PHP, MariaDB/PostgreSQL, OpenSSL
  • Backup integrity - encryption, off-site separation, restore-tested
  • Logging and detection - auth attempts, privilege escalations, file integrity
  • OWASP Top 10 review against your live LMS - auth, injection, XSS, SSRF, IDOR
  • Headers, CSP, CORS, cookie flags, anti-clickjacking, MIME sniffing
  • Plugin / theme supply-chain audit - what's installed, what's stale, what's risky
  • Written remediation report - every finding ranked Critical / High / Medium / Low
  • Re-test after remediation - proof the fix landed, not just that it shipped
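To make the header and cookie bullets above concrete, here is the kind of check a reviewer runs against a captured response: parse the header block, test each security-relevant header and each Set-Cookie line, and return findings tagged with the same Critical / High / Medium / Low scale used in the report. This is an added illustration written for this page, not the engagement's own tooling: the rules, the 180-day HSTS threshold, the severities and the sample Moodle-style response are all assumptions constructed for the example.

```python
"""Audit security-relevant HTTP response headers and cookie flags.

Added illustration for the 'Headers, CSP, CORS, cookie flags' and
'Written remediation report' bullets. Not the vendor's tooling: the
rules, thresholds and severities are assumptions chosen for the example,
and SAMPLE_RESPONSE is a constructed response, not a real capture.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, description)

MIN_HSTS_AGE = 15552000  # 180 days; an assumed threshold, not a standard

# Constructed sample: a Moodle-style response with several weak settings.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Set-Cookie: MoodleSession=abc123; path=/\r\n"
    "Set-Cookie: MOODLEID1_=xyz; path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw: str) -> Tuple[Dict[str, str], List[str]]:
    """Return the header block as a lower-cased dict plus every Set-Cookie value.

    Set-Cookie is kept as a list because it legitimately repeats and must
    not be folded into one value.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    cookies: List[str] = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookies.append(value)
        else:
            headers[name] = value
    return headers, cookies


def audit_headers(headers: Dict[str, str], cookies: List[str]) -> List[Finding]:
    """Apply the header and cookie rules; severities are this example's choice."""
    findings: List[Finding] = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append(("High", "HSTS header missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append(("Medium", f"HSTS max-age below {MIN_HSTS_AGE}s: {hsts}"))

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append(("Medium", "Content-Security-Policy missing"))
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append(("Medium", "CSP permits 'unsafe-inline' or 'unsafe-eval'"))

    # Anti-clickjacking: X-Frame-Options or a CSP frame-ancestors directive.
    if "x-frame-options" not in headers and not (csp and "frame-ancestors" in csp):
        findings.append(("Medium", "No X-Frame-Options and no CSP frame-ancestors"))

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("Low", "X-Content-Type-Options: nosniff missing"))

    # CORS: a wildcard origin combined with credentials is a misconfiguration.
    if (headers.get("access-control-allow-origin") == "*"
            and headers.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append(("High", "CORS allows any origin with credentials"))

    # Every cookie must carry Secure, HttpOnly and SameSite.
    for cookie in cookies:
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        missing = [f for f in ("secure", "httponly", "samesite") if f not in attrs]
        if missing:
            findings.append(("High", f"cookie {name} missing {', '.join(missing)}"))

    return findings


def report(raw: str) -> List[Finding]:
    """Parse a raw response and return findings ordered Critical/High/Medium/Low."""
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    headers, cookies = parse_headers(raw)
    return sorted(audit_headers(headers, cookies), key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, description in report(SAMPLE_RESPONSE):
        print(f"[{severity}] {description}")
```

Against the constructed sample this yields two High findings (wildcard CORS with credentials, and the MoodleSession cookie shipped without Secure, HttpOnly or SameSite), three Medium (short HSTS max-age, 'unsafe-inline' in the CSP, no anti-framing control) and one Low (no nosniff). The CSP rule is deliberately only Medium: stock Moodle pages depend on inline script, so a strict policy is something to trial on a clone, not to switch on in production.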

Questions, answered.

Is this a penetration test?

It's broader. A penetration test is one component; we combine an authenticated application scan, infrastructure review, configuration audit and remediation work, then re-test to verify the fixes actually landed. Pure black-box penetration tests are available on request.

Will your scanning affect the live site?

Heavy probes run against a clone first. Live-site checks are passive or low-impact - we don't fuzz a production LMS during teaching hours. A short maintenance window is sometimes used for the final verification.

What do we get at the end?

A written report with every finding, evidence, severity, business impact and the fix that was applied. Suitable for sharing with your IT security team, board, insurer or auditor.

Do you fix what you find, or just report it?

Both. The fixed-price engagement includes remediation of all Critical and High findings, and a documented plan for Medium and Low. Items outside scope (e.g. a custom plugin you maintain) come with a written recommendation.