How to protect your Drupal site

This post provides some basic security tips for Drupal site administrators. You don't need any special programming skills to follow them.

Keep your site modules and core up to date

It's easy with Drupal 6: the Update Status module, which is bundled with core, shows a warning message whenever a new release of core or of a module you have installed is issued. Apply releases that are marked as security updates promptly; the details of each one are published at http://drupal.org/security.

[Screenshot: update warning message]
Contributed modules provide not only new features, they also increase the attack surface of your site

Prefer popular modules. The more people use a module, the more likely it is that some of them have reviewed the code and reported vulnerabilities. Use http://drupal.org/project/usage to check how widely a module is used. Popularity is not a guarantee, though: a widely used module still has to be kept up to date, and a module nobody maintains any more should be avoided however many sites run it.
[Screenshot: usage statistics]

It's also useful to make a quick scan of contributed code for some key security points. Look for proper use of Drupal API functions such as t(), l(), check_plain(), filter_xss_admin() and db_query(), and for placeholders in their arguments rather than variables pasted into strings. User-supplied text that reaches the page without check_plain() or a filter, or SQL built by concatenating a variable instead of using a %d or %s placeholder, is the classic sign of a cross-site scripting or SQL injection bug.
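The PHP below is added here as an example; it is not from the original post and not the code of any real module (the example_* functions are hypothetical). For each of the API points above it puts the unsafe pattern next to the safe Drupal 6 call, so you know what to look for when skimming a module. It assumes a Drupal 6 site and is run from the site root so that the bootstrap can load the API; the rich-text part uses the same three-tag whitelist the post recommends for anonymous users.

```php
<?php
// review_patterns.php: added example, not from the original post or any real module.
// Run from the Drupal 6 site root: php review_patterns.php
require_once './includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);

// --- 1. Database queries: look for placeholders, not string concatenation. ---

// UNSAFE: user input pasted into SQL. A name of  x' OR '1'='1  matches every account.
function example_lookup_unsafe($name) {
  return db_result(db_query("SELECT uid FROM {users} WHERE name = '" . $name . "'"));
}

// SAFE: Drupal 6 placeholders. %s is escaped by db_query() (you still quote it),
// %d is cast to an integer.
function example_lookup_safe($name) {
  return db_result(db_query("SELECT uid FROM {users} WHERE name = '%s'", $name));
}

function example_load_safe($nid) {
  return db_fetch_object(db_query("SELECT nid, title FROM {node} WHERE nid = %d", $nid));
}

// --- 2. Output: anything that came from a user is escaped before it reaches HTML. ---

// UNSAFE: raw value in markup; a title containing <script> runs in the reader's browser.
function example_title_unsafe($title) {
  return '<h2>' . $title . '</h2>';
}

// SAFE: check_plain() turns <, >, & and " into HTML entities.
function example_title_safe($title) {
  return '<h2>' . check_plain($title) . '</h2>';
}

// --- 3. t(): the placeholder prefix decides whether the value is escaped. ---
//   @name -> passed through check_plain()
//   %name -> passed through check_plain() and emphasised
//   !name -> inserted as-is; only for markup you built yourself (e.g. the output of l())
function example_message_safe($account_name) {
  return t('Welcome back, @name.', array('@name' => $account_name));
}

// UNSAFE: !name with user-controlled text is a cross-site scripting hole.
function example_message_unsafe($account_name) {
  return t('Welcome back, !name.', array('!name' => $account_name));
}

// --- 4. Links: l() escapes the link text and builds the URL; don't hand-write <a href>. ---
function example_link_safe($title, $nid) {
  // l() runs $title through check_plain() unless $options['html'] is set.
  return l($title, 'node/' . (int) $nid);
}

// --- 5. Rich text: choose the filter that matches who wrote the text. ---

// filter_xss_admin() allows most tags; only for text written by trusted administrators.
function example_admin_html($html) {
  return filter_xss_admin($html);
}

// filter_xss() with an explicit whitelist for untrusted authors, e.g. anonymous comments.
function example_untrusted_html($html) {
  return filter_xss($html, array('strong', 'em', 'blockquote'));
}

// Constructed input to try the safe functions against: a script tag and a javascript: link.
$payload = '<strong>hi</strong><script>alert(1)</script><a href="javascript:alert(2)">x</a>';
print example_untrusted_html($payload) . "\n";
print example_title_safe($payload) . "\n";
print example_message_safe('<b>mallory</b>') . "\n";
print example_link_safe($payload, 1) . "\n";
```

When reviewing a module, grep for db_query( and check that every call uses placeholders, then grep for echo, print and string concatenation with '<' and check that each variable involved went through check_plain(), filter_xss() or a t() placeholder with @ or %.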

If necessary, use extra security modules

For example, Login Security inserts a delay after each failed login attempt to slow down brute-force attacks, blocks an account after a set number of failed attempts, and alerts users about the last usage of their accounts. But it's important to keep a balance between security and usability: you don't want to burden users with security obstacles while they surf your site.

Set user permissions thoroughly

Misconfiguration in this area is the easiest way to make your site insecure. For instance, to create a second user with all permissions (a site administrator), you have to create a new role with all those permissions and assign that role to the new user. But for an inexperienced site admin the fastest way could seem to be simply ticking every checkbox for the authenticated user role on the permissions page, so that another user (a friend) can administer the site:
[Screenshot: insecure permissions]
Bear in mind that in Drupal 6 user registration is open to everybody by default, so the misconfiguration shown above gives full administrator power to anyone who registers an account. Review the anonymous and authenticated roles on the permissions page: a permission whose name starts with "administer" should never be granted to either of them.
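A quick way to catch the misconfiguration described above is to list what the two built-in roles can do. The script below is an added example, not part of the original post; it assumes a standard Drupal 6 install (role id 1 is anonymous, 2 is authenticated, which is what the DRUPAL_*_RID constants hold) and is run from the site root. The list of permissions it treats as dangerous is an assumption drawn from Drupal 6 core and should be extended with the sensitive permissions of the contributed modules you use.

```php
<?php
// audit_roles.php: added example, not from the original post.
// Run from the Drupal 6 site root: php audit_roles.php
require_once './includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);

// Core permissions that let the holder take over the site. Assumed list; extend it
// with permissions from contributed modules.
$dangerous = array(
  'administer permissions',
  'administer users',
  'administer site configuration',
  'administer filters',
  'administer nodes',
  'administer content types',
  'administer blocks',
  'administer actions',
  'administer files',
);

// Only the roles every visitor (anonymous) or every registered account (authenticated) gets.
$result = db_query(
  "SELECT r.rid, r.name, p.perm FROM {role} r LEFT JOIN {permission} p ON p.rid = r.rid WHERE r.rid IN (%d, %d)",
  DRUPAL_ANONYMOUS_RID, DRUPAL_AUTHENTICATED_RID
);

$problems = 0;
while ($row = db_fetch_object($result)) {
  // In Drupal 6, {permission}.perm holds one comma-separated string per role.
  $granted = $row->perm ? array_map('trim', explode(',', $row->perm)) : array();
  $bad = array_intersect($dangerous, $granted);

  printf("%s (rid %d): %d permissions granted\n", $row->name, $row->rid, count($granted));
  foreach ($bad as $perm) {
    printf("  DANGEROUS: %s\n", $perm);
    $problems++;
  }
}

// Non-zero exit code so the script can run from cron or a monitoring job.
exit($problems ? 1 : 0);
```

Any "DANGEROUS" line means that every visitor, or every account that registers itself, has that power; remove the permission from the role and, if it is really needed, create a separate role for the handful of users who should hold it.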

Appropriate input formats and filters for each user role

This is a great feature: different roles can be allowed different kinds of HTML input. Limit the set of HTML tags for low-privilege users (anonymous) to <strong>, <em> and <blockquote>. Never make the Full HTML format, or any format that includes the PHP filter, available to the anonymous or authenticated roles: the first lets a visitor inject scripts into your pages, the second lets them run code on your server.

None of these tips will give you 100% protection. Website security is always a combination of measures at different levels of the software stack, and of resistance to social engineering. Even if you have built an uncrackable Drupal installation, an old version of the Apache web server (or any other server software) gives an attacker an easy way to get at private data.