Security settings
  • 21 Jun 2022
  • 10 minutes to read

Security settings

Article Summary

Totara has a number of configurable site security settings. As a Site Administrator you can use these settings to determine how users can access the site, including password and login requirements, site policies, upload limits and more.

You can access your site's security settings via Quick-access menu > Security > Security settings. 

The Security settings page includes a number of site-wide settings relating to various aspects of site security.


Force users to log in for profiles


Force users to log in to view user pictures

If enabled, users must log in in order to view user profile pictures, and the default user picture will be used in all notification emails.


Prevent multiple logins by the same user

If enabled, a user can only log in to their account from a single location. If a second account logs in, the first one will be automatically logged out.

Enabling multiple logins allows Site Administrators to 'log in as' a logged-in user while providing live technical support. 

Open to Google

If you enable this setting then Google will be allowed to enter your site as a guest. In addition, people coming into your site via a Google search will automatically be logged in as a guest. Note that this only provides transparent access to areas of your site and courses that already allow guest access.


Allow public access to catalogue item pictures

Enabling this setting allows external web services to access the catalogue images from your catalogue using the image's URL. This allows these catalogue images to be displayed in the catalogue content of other systems. If you have set up any integrations, such as a Microsoft Teams app, these can access catalogue images when this setting is enabled.

This setting is disabled by default. Please note that this allows anyone to access your catalogue images if they have the direct URLs.

Profile visible roles

List of roles that are visible on user profiles and participants pages.


Maximum uploaded file size

This setting specifies a maximum size for uploaded files across the site. This setting is limited by the PHP settings post_max_size and upload_max_filesize (in php.ini), as well as the Apache setting LimitRequestBody. In turn, maxbytes limits the range of sizes that can be chosen at the course level or module level. If Server Limit is chosen, the maximum allowed by the server will be used.

Upload file sizes can be restricted in a number of ways: 

  • Server level 
  • Site level 
  • Course level 
  • Activity level


User quota

The maximum number of bytes that a user can store in their own private file area. The default is 04857600 bytes, or 100MB.


Disable consistent cleaning

Turn off Totara's consistent content cleaning.

You can find out more about content sanitisation in Totara 13 onwards in the developer documentation.

Allow EMBED and OBJECT tags

As a default security measure, normal users are not allowed to embed multimedia (like Flash) within text using explicit EMBED and OBJECT tags in their HTML (although it can still be done safely using the mediaplugins filter). If you wish to allow these tags then enable this option.

This option will only appear if the Disable consistent cleaning setting is enabled.

Maximum time to edit post

Allowing users this cooling-off period after submitting a forum/glossary entry post allows them time to review content, check spelling and grammar.

Forum posts still in the editing period are visible in the corresponding forum, but the message will not be sent out to any subscribed users until the edit post period has passed.

Allow extended characters in usernames

This option must be enabled for the site to use email addresses for usernames.

Site policy URL

The URL can point to any type of file anywhere online that can be accessed without a login to your Totara site.

  • It is recommended that the site policy is on the same domain as Totara, as Internet Explorer users will see a blank screen when the site policy is on a different domain.
  • The site policy will be displayed in a frame. You can view it via the URL
  • If email-based self-registration is enabled on the site, a link to the site policy is displayed on the signup page.

It is not recommended that a Page resource is used as a site policy since the site header will be repeated in the iframe.

This option will not appear if Enable site policies is checked under Quick-access menu > Configure featuresAny policy linked here will be overwritten by the new site policy.

Where possible you should use the dedicated site policies functionality, which includes features such as multi-language policies, version control, and reporting on policy consent.

Site policy URL for guests

Access of non-logged-in users can be prevented with the forcelogin setting.

This option will not appear if Enable site policies is checked under Quick-access menu > Configure features. Any policy linked here will be overwritten by the new site policy.

Keep tag name casing

Check this if you want tag names to keep the original casing as entered by users who created them. If checked, then tags like the following will be displayed: RUGBY, gUiTaR, totara

If unchecked, then all tags will be displayed as follows: Rugby, Guitar, Totara.

For English, you may want to leave this setting off. For Japanese, no changes are made either way. For languages where this kind of capitalisation changes the meaning, it is best to keep this option enabled.

Profiles for enrolled users only


Cron execution via command line only

Running the cron from a web browser can expose privileged information to anonymous users. Therefore it is recommended to only run the cron from the command line or set a cron password for remote access.


Cron password for remote access

This means that the cron.php script cannot be run from a web browser without supplying the password using the following form of URL:

If this is left empty, no password is required.


Account lockout threshold

After a specified number of failed login attempts, a user's account is locked and they are sent an email containing a URL to unlock the account. Setting this to No means there is no threshold and an account attempting to log in can do so an unlimited number of times.


Account lockout observation window

Observation time for lockout threshold, if there are no failed attempts the threshold counter is reset after this time. This is the counter for how long to watch for more failed attempts by an account trying to log in even after being locked out. The counter will reset at each attempt and last this long.


Account lockout duration

Locked-out accounts are automatically unlocked after this duration. An account may also be unlocked by a Site Administrator via Quick-access menu > Users > Accounts > Browse list of users.


Password policy

Turning this on will make Totara check user passwords against a valid password policy. It is highly recommended that a password policy is set to force users to use stronger passwords that are less susceptible to being cracked by an intruder. Use the settings below to specify your policy (they will be ignored if you set this to No).

If a user enters a password that does not meet the requirements, they are given an error message indicating the problem with the entered password.

Enabling the password policy does not affect existing users until they decide to or are required to change their password. A Site Administrator can force all users to change their password using the Force password change option with bulk user actions.

The password policy may also be applied to enrolment keys by ticking the Use password policy checkbox in the Self-enrolment settings.

Password length

Passwords must be at least this many characters long.



Passwords must contain this many digits.


Lowercase letters

Passwords must contain at least this many lowercase letters.


Uppercase letters

Passwords must have at least this many uppercase letters.


Non-alphanumeric characters

Passwords must have at least this many non-alphanumeric characters.


Consecutive identical characters

Passwords must not have more than this number of consecutive identical characters. Enter 0 to disable this check.


Password rotation limit

Number of times a user must change their password before they are allowed to reuse a password. Hashes of previously used passwords are stored in local database table.

This feature might not be compatible with some external authentication plugins.

Maximum time to validate password reset request


Log out after password change

By default, users can change their password and remain logged in. Enabling this setting will log them out of existing sessions except the one in which they specify their new password. This setting only applies to users manually changing their password, not to bulk password changes.


Group enrolment key policy

Turning this on will make Totara check group enrolment keys against a valid password policy.


Disable user profile images

Disable the ability for users to change user profile images.


Email change confirmation

Require an email confirmation step when users change their email address in their profile. 


Remember username

Enable if you want to store permanent cookies with usernames during user login. 

This will store permanent cookies, and in some countries may be considered a privacy issue if used without consent. 

Strict validation of required fields

If enabled, users are prevented from entering a space or line break only in required fields in forms.


Persistent login

If this is enabled then a Remember login option will appear on the login page. Any user logging in can check this box to enable a persistent login, meaning that they won't get timed-out and have to log in again.

This setting works by seamlessly re-logging a user in after the session expires. Although any forms that were being completed should still be able to be submitted when the new session loads some other information may be lost, such as filters in report builder.

The user will not be able to notice when the new session is started.

The Remember login option replaces the previous Remember username option.

Additionally, it is worth noting that when this settings is enabled it leads to a warning on the security report. This is because when persistent logins are enabled the standard session timeouts are ignored and it sets a permanent browser cookie. This cookie is later used to automatically re-log in the user after the browser restart or session timeout.

Password reset behaviour

If you forget your password then you can request a new one. However, how this is handled by Totara will depend on if this is your first request or not. 

  • First request: If this is the first reset request then Totara will send the reset email. 
  • Subsequent request (first expired): If this isn't the first reset request, but the previous request has expired (set by the Maximum time to validate password reset request setting), then Totara will send a new reset email. 
  • Second request: If this is the second reset request then the system will send the reset email. 
  • Third or more request: If this is the third (or greater) reset request then the email will not be resent. 

This means that if you forget your password, you can immediately request two resets, however for subsequent requests, users will have to wait for the previous requests to expire.

© Copyright 2023 Totara Learning Solutions. All rights reserved. Some content originally obtained via GPLv3 license and continues to be available under GPLv3. All other content is the sole copyright of Totara Learning Solutions. 

Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.