About
MDL Shield is a security-focused code review service for Moodle plugin developers. We help you ship secure, trustworthy plugins by identifying vulnerabilities before they're exploited — protecting both your users and your reputation.
Every review is an AI-assisted source code audit that examines how your plugin handles security, data access, and adherence to Moodle's coding standards. Our Verified Review tier adds expert human verification to eliminate false positives and provide actionable fix guidance.
We're committed to keeping security accessible. MDL Shield will always be free for non-commercial open source plugins. The Moodle ecosystem thrives because of its open source community, and we believe every plugin developer should have access to security tooling regardless of budget.
Why We Exist
We're a group of Moodle veterans who've spent years developing plugins and hosting Moodle at scale. We built MDL Shield because we believe plugin developers deserve better tools for security assurance.
The Moodle plugin directory review process catches many issues, but it wasn't designed to be a comprehensive security audit. Developers are left to self-assess their own code, and administrators have limited visibility into the security posture of what they install.
MDL Shield bridges that gap. Get a detailed security report, fix any issues, and ship with confidence. Our free tier gives every open source developer access to AI-powered security analysis, and our Verified Review tier provides the human expertise needed for production-critical plugins.
How It Works
We track every plugin listed on the Moodle plugin directory. To get started, sign up and verify that you're the maintainer of your plugin. Once verified, your plugin appears in your dashboard with access to security scanning based on your plan.
Our system performs a full source code audit, examining every PHP, JavaScript, and template file in the plugin. Reviews don't rely on pattern matching alone — the entire codebase is examined in context. For each finding, the reviewer traces the data flow, assesses the surrounding code, and determines whether the issue is exploitable in practice.
Each finding includes: what the code does, which rule it violates, a realistic risk assessment, who can exploit it (unauthenticated, or which authenticated roles), and a severity classification.
Publication & Badges
You have complete control over your review results. We will never publish a review without your explicit consent. When you're ready, you can choose to make your results public — demonstrating to administrators and users that your plugin has been independently reviewed.
Published reviews earn a security badge you can display on your Moodle plugin directory page, your Git repository, or your own website. The badge shows your plugin's current security grade and links back to your published reviews on MDL Shield.
What We Check
Reviews cover a broad range of security concerns specific to the Moodle environment, from common web vulnerabilities to Moodle-specific patterns around access control, data handling, and API usage. Our analysis evolves continuously as we encounter new patterns and refine our approach.
The best way to understand what a review looks like is to see one. Check out our sample report for an example showing the kinds of findings, severity ratings, and fix guidance you can expect.
Disclaimer
Reviews are AI-assisted and may contain inaccuracies. They are intended as a first-pass audit to surface potential issues, not as a guarantee of security or code quality. Findings should be verified before acting on them. The absence of a finding does not indicate the absence of issues.
MDL Shield is an independent project and is not affiliated with, endorsed by, or associated with Moodle Pty Ltd. Moodle™ is a registered trademark of Moodle Pty Ltd. All use of the Moodle name on this site is for descriptive purposes only, to identify the software ecosystem our service supports.