How to secure your Drupal site right now
Nowadays, you can’t go more than a few days without hearing about the latest hacking incident, whether at companies like Home Depot and Target or at online services like Google Gmail and Apple iCloud. Hackers are out there, lying in wait to exploit your sites and services. What is a site owner to do? Well, if you’re using the popular CMS Drupal, the following easy-to-implement Drupal security tips can help keep your site that much safer.
Improve Server Security First
Before we jump into Drupal-specific solutions, you can start at your web server. An SSL (TLS) certificate is a necessity if your site has e-commerce functionality or user login. The certificate encrypts traffic between your users and your site, so an attacker on the network path cannot read the sensitive information passed between the two. If your site is likely to receive spam, or worse, Distributed Denial of Service (DDoS) attacks, setting up a CDN like CloudFlare is a must. Together with a Drupal module, CloudFlare’s CDN and security services use threat data gathered across the many sites it fronts to protect your site against spam, malware bots and DDoS attacks.
Improve Drupal Security
Now that our server is more secure, let’s move on to Drupal itself. The heart of Drupal (or any CMS) is its code base. Every Drupal developer lives by the motto, “Don’t Hack Core.” This is not only advised to prevent headaches when updating; it also keeps you from unintentionally opening security vulnerabilities in Drupal core. When a security vulnerability is discovered in Drupal core or in contributed modules, a Security Update is released. It is important to apply updates as soon as they come out in order to protect your site. The Drupal Security Team has a site at https://www.drupal.org/security that lists Security Advisories and explains how to receive e-mail updates.
Drupal SA-CORE-2016-005 – Moderately Critical Update to Drupal core 7.52 and Drupal core 8.2.3. #security
— Drupal Security (@drupalsecurity) November 16, 2016
Use Drupal Security Modules
Our favorite saying with Drupal is, “There’s a module for that.” Site security is no different. The following are just a few of the many security-related modules that can help you manage security for your Drupal site.
- Password Policy – http://drupal.org/project/password_policy
- Login Security – http://drupal.org/project/login_security
- Security Review – http://www.drupal.org/project/security_review
- ReCaptcha – http://www.drupal.org/project/recaptcha
You can find more about enhancing security with contributed modules at https://www.drupal.org/node/382752
Secure your configuration
Beyond core code and modules, be sure that your configuration is secure. Use uncommon usernames for user and admin accounts, so that an attacker cannot simply guess them. Also, disabling self-service account creation, or requiring admin approval for it, is a good idea: doing so prevents unwanted users from being able to create accounts. Review the permissions granted to anonymous users and check that roles aren’t given too much leeway. Make sure that comment fields and other user inputs use the correct text format, since the text format controls which HTML is allowed through; this is an important step in preventing Cross Site Scripting (XSS) attacks. One of the easiest things you can do to prevent unwanted access to your site is to log out when you are done, especially if you are using a public or shared computer to access your site.
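Why the text format matters for XSS, shown with an added example that is not Drupal’s code: a small allowlist filter written in the spirit of Drupal’s “Limit allowed HTML tags” filter. `RESTRICTED_FORMAT`, `apply_text_format` and the constructed `COMMENT` are assumptions made for this illustration; in a real site the equivalent settings live in the text format configuration and are applied per role. The point is the same either way: a “Full HTML” format (no tag filter) passes a script tag, an event-handler attribute and a `javascript:` link through untouched, while a restricted format drops all three and keeps only the formatting the site owner allowlisted.

```python
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlsplit

# Hypothetical allowlist modelled on a restricted Drupal text format such as
# "Basic HTML": tag -> attributes that may survive. Anything else is dropped.
RESTRICTED_FORMAT = {
    "p": set(),
    "em": set(),
    "strong": set(),
    "code": set(),
    "a": {"href"},
}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" means a relative URL
DROP_CONTENT = {"script", "style"}  # disallowed tags whose text is dropped too


def is_safe_url(value):
    """Reject href values that would run code, e.g. javascript: or data: URLs."""
    # Drop control characters and spaces first so "java\tscript:" cannot slip past.
    cleaned = "".join(ch for ch in (value or "") if ord(ch) > 0x20)
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowlistFilter(HTMLParser):
    """Keep only allowlisted tags/attributes; everything else becomes plain text."""

    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.out = []
        self.skipping = None  # set while inside a <script>/<style> body

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag not in self.allowed:
            if tag in DROP_CONTENT:
                self.skipping = tag
            return  # tag removed; ordinary text content is still kept
        kept = []
        for name, value in attrs:
            if name not in self.allowed[tag]:
                continue  # e.g. onclick="..." never survives
            if name == "href" and not is_safe_url(value):
                continue  # link kept, dangerous target removed
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # void elements such as <br/> get no end tag

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))  # re-escape text content


def apply_text_format(text, allowed):
    """allowed=None behaves like a 'Full HTML' format: no tag filtering at all."""
    if allowed is None:
        return text
    f = AllowlistFilter(allowed)
    f.feed(text)
    f.close()
    return "".join(f.out)


# Constructed comment submission for the demo, not a real capture.
COMMENT = (
    "<p>Nice post <strong>thanks</strong>"
    "<script>alert(1)</script>"
    '<a href="javascript:alert(1)" onclick="run()">link</a>'
    " &lt;3</p>"
)

if __name__ == "__main__":
    print("Restricted format:", apply_text_format(COMMENT, RESTRICTED_FORMAT))
    print("Full HTML format: ", apply_text_format(COMMENT, None))
```

Running it prints the same comment twice: once reduced to `<p>Nice post <strong>thanks</strong><a>link</a> &lt;3</p>`, and once byte-for-byte as submitted. That second line is exactly what an anonymous commenter gets to inject into every visitor’s browser when a comment field is accidentally left on Full HTML, which is why reviewing which roles may use which text format belongs on the configuration checklist.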
What else can you do to secure your Drupal site?
In college, my Information Security professor used to say, “Nothing is 100% secure.” Well, Drupal is no different. Last year Drupalgeddon, an SQL injection vulnerability, was found in Drupal. An update was quickly released, and many prominent community members published posts suggesting methods to find and resolve the issue if your site had been compromised. Hopefully these tips can protect you against some common pitfalls and risks. However, this post won’t protect you 100% of the time, so be sure to follow the Security Team on Twitter @DrupalSecurity and visit their website for more tips on protecting your Drupal site.