WordPress Security
WordPress Security for Learning Management Systems: Protecting Student Data
Secure your WordPress LMS platform with strategies to protect student data, course content, payment information, and assessment integrity.
S
Sarah Chen
9 min read
1,967 views
Learning Management Systems handle sensitive educational data including student records, payment information, and course content. Protecting this data requires comprehensive security measures tailored to e-learning platforms.
LMS Security Challenges
E-learning platforms face unique threats:
- Student data exposure and FERPA violations
- Course content piracy and sharing
- Assessment cheating and integrity issues
- Payment fraud on course purchases
- Account sharing between students
Protected Data Categories
LMS platforms typically store:
- Student personal information and grades
- Course materials and intellectual property
- Assessment questions and answers
- Payment and financial records
- Progress tracking and completion data
Protecting Student Records
Implement strict access controls for student data:
function get_student_record($student_id, $requesting_user) {
// Check if requester has permission
$can_view = false;
// Students can view their own records
if ($requesting_user === $student_id) {
$can_view = true;
}
// Instructors can view enrolled students
if (user_is_instructor($requesting_user)) {
$courses = get_instructor_courses($requesting_user);
foreach ($courses as $course) {
if (student_enrolled_in_course($student_id, $course->ID)) {
$can_view = true;
break;
}
}
}
// Admins can view all
if (current_user_can('manage_options')) {
$can_view = true;
}
if (!$can_view) {
return new WP_Error('unauthorized', 'Cannot access student records');
}
// Log access
log_record_access($student_id, $requesting_user);
return get_student_data($student_id);
}Course Content Protection
Prevent unauthorized access to course materials:
function serve_course_content($content_id) {
$content = get_post($content_id);
if (!$content || $content->post_type !== 'lesson') {
wp_die('Content not found', 404);
}
$course_id = get_post_meta($content_id, '_course_id', true);
$user_id = get_current_user_id();
// Check enrollment
if (!is_enrolled($user_id, $course_id) && !current_user_can('manage_options')) {
wp_die('You must be enrolled to access this content', 403);
}
// Check if content is dripped
$drip_date = get_post_meta($content_id, '_drip_date', true);
if ($drip_date && strtotime($drip_date) > time()) {
wp_die('This content is not yet available', 403);
}
// Track progress
mark_content_viewed($user_id, $content_id);
return $content;
}
// Protect downloadable resources
function serve_course_resource($resource_id) {
$resource = get_resource($resource_id);
$course_id = $resource['course_id'];
if (!is_enrolled(get_current_user_id(), $course_id)) {
wp_die('Access denied');
}
// Serve file with no-cache headers
header('Content-Type: ' . $resource['mime_type']);
header('Content-Disposition: attachment; filename="' . $resource['filename'] . '"');
header('Cache-Control: no-store, no-cache, must-revalidate');
readfile($resource['file_path']);
exit;
}Assessment Integrity
Protect quiz and exam integrity:
function start_assessment($assessment_id, $user_id) {
// Check if already in progress
$existing = get_assessment_attempt($assessment_id, $user_id, 'in_progress');
if ($existing) {
return $existing;
}
// Check attempt limits
$max_attempts = get_post_meta($assessment_id, '_max_attempts', true) ?: 1;
$completed = count_completed_attempts($assessment_id, $user_id);
if ($completed >= $max_attempts) {
return new WP_Error('attempts_exceeded', 'Maximum attempts reached');
}
// Create attempt record
$attempt = create_assessment_attempt(array(
'assessment_id' => $assessment_id,
'user_id' => $user_id,
'started_at' => current_time('mysql'),
'ip_address' => $_SERVER['REMOTE_ADDR'],
'user_agent' => $_SERVER['HTTP_USER_AGENT'],
));
// Randomize questions if enabled
$questions = get_assessment_questions($assessment_id);
if (get_post_meta($assessment_id, '_randomize', true)) {
shuffle($questions);
}
// Store question order for this attempt
update_attempt_meta($attempt['id'], 'question_order', array_column($questions, 'id'));
return $attempt;
}
function submit_assessment($attempt_id, $answers) {
$attempt = get_attempt($attempt_id);
if (!$attempt || $attempt['user_id'] !== get_current_user_id()) {
return new WP_Error('invalid_attempt', 'Invalid assessment attempt');
}
if ($attempt['status'] !== 'in_progress') {
return new WP_Error('already_submitted', 'Assessment already submitted');
}
// Check time limit
$time_limit = get_post_meta($attempt['assessment_id'], '_time_limit', true);
if ($time_limit) {
$elapsed = time() - strtotime($attempt['started_at']);
if ($elapsed > ($time_limit * 60) + 60) { // 1 minute grace period
return new WP_Error('time_expired', 'Time limit exceeded');
}
}
// Grade assessment
$score = grade_assessment($attempt['assessment_id'], $answers);
// Update attempt
update_attempt(array(
'id' => $attempt_id,
'status' => 'completed',
'completed_at' => current_time('mysql'),
'score' => $score,
'answers' => maybe_serialize($answers),
));
return array('score' => $score);
}Preventing Account Sharing
Detect and prevent credential sharing:
add_action('wp_login', function($username, $user) {
// Track active sessions
$sessions = WP_Session_Tokens::get_instance($user->ID);
$all_sessions = $sessions->get_all();
// Check concurrent session limit
$max_sessions = get_option('lms_max_concurrent_sessions', 2);
if (count($all_sessions) >= $max_sessions) {
// Destroy oldest session
$oldest_token = null;
$oldest_time = PHP_INT_MAX;
foreach ($all_sessions as $token => $session) {
if ($session['login'] < $oldest_time) {
$oldest_time = $session['login'];
$oldest_token = $token;
}
}
if ($oldest_token) {
$sessions->destroy($oldest_token);
}
}
// Check for suspicious login patterns
$recent_logins = get_user_login_history($user->ID, '-1 hour');
$unique_ips = array_unique(array_column($recent_logins, 'ip_address'));
if (count($unique_ips) > 3) {
// Potential account sharing
flag_user_for_review($user->ID, 'Multiple IPs in short timeframe');
wp_mail(
$user->user_email,
'Security Alert: Multiple Login Locations',
'Your account was accessed from multiple locations. If this was not you, please change your password.'
);
}
}, 10, 2);Video Content Protection
Protect course video content:
function get_video_url($video_id, $user_id) {
// Verify enrollment
$video = get_video_record($video_id);
if (!is_enrolled($user_id, $video['course_id'])) {
return new WP_Error('not_enrolled', 'Enrollment required');
}
// Generate signed URL with expiration
$expires = time() + 3600; // 1 hour
$token = hash_hmac(
'sha256',
$video_id . $user_id . $expires,
wp_salt('auth')
);
return add_query_arg(array(
'video' => $video_id,
'user' => $user_id,
'expires' => $expires,
'token' => $token,
), home_url('/lms/video/stream/'));
}
// Disable right-click and download on video pages
add_action('wp_footer', function() {
if (is_singular('lesson')) {
?>
Certificate Security
Secure course completion certificates:
function generate_certificate($user_id, $course_id) {
// Verify course completion
if (!has_completed_course($user_id, $course_id)) {
return new WP_Error('not_completed', 'Course not completed');
}
// Generate unique certificate ID
$certificate_id = 'CERT-' . strtoupper(bin2hex(random_bytes(8)));
// Store certificate record
$certificate = array(
'id' => $certificate_id,
'user_id' => $user_id,
'course_id' => $course_id,
'issued_at' => current_time('mysql'),
'hash' => hash('sha256', $certificate_id . $user_id . $course_id . wp_salt()),
);
save_certificate($certificate);
return $certificate;
}
// Verification endpoint
function verify_certificate($certificate_id) {
$cert = get_certificate($certificate_id);
if (!$cert) {
return array('valid' => false, 'message' => 'Certificate not found');
}
$expected_hash = hash('sha256', $cert['id'] . $cert['user_id'] . $cert['course_id'] . wp_salt());
if (!hash_equals($expected_hash, $cert['hash'])) {
return array('valid' => false, 'message' => 'Certificate tampered');
}
return array(
'valid' => true,
'student' => get_user_by('id', $cert['user_id'])->display_name,
'course' => get_the_title($cert['course_id']),
'issued' => $cert['issued_at'],
);
}Conclusion
LMS security requires protecting student records, securing course content, maintaining assessment integrity, preventing account sharing, and implementing certificate verification. Regular audits ensure ongoing compliance with educational data protection requirements.
S
Written by Sarah Chen
WP Folder Shield Team
