20 Mar 2012

How to increase your Drupal website security ?

 Drupal 7 as becomes really popular, it also become a larger target for attackers. This is mostly configuration tips because so many administrators often made misconfiguration :  

  1. Avoid using PHP Filter module, You can disable it or remove it entirely. To avoid simply unusual PHP code to be inserted and take over your website.
  2. "User 1" is the first user created during the Drupal installation. He has all the privileges. You have to choose a stronger password and use this user only when you need too.
  3. Remove or block access to unnecessary files (authorize.php, upgrade.php, cron.php and install.php). You can restrict the access through .htaccess :

    <FilesMatch "(authorize|cron|install|upgrade)\.php">
      Order deny, allow
      deny from all
      Allow from 127.0.0.1
    </FilesMatch>

  4. Enable the watchdog module to keep logs and be able to track any unusual events. You can use Syslog to allow Drupal to write the standard log system on your server.
  5. Any user with the following permission is a threat for your website security :
    • Administer filters
    • Administer users
    • Administer permissions
    • Administer content types
    • Administer site configuration
    • Administer views
    • Translate interface

    Limit these rights to the administrator role. You need to set the minimum level of access to your users.

  6. Avoid any development modules on production website. These modules are not stable and absent to the security support.
  7. Disable unused module after deployment such as Views UI. This is protecting your website of accidentally altering views and enhance performance. You can also remove unused core module containing possible future vulnerabilities.
  8. Use a dedicated database for your Drupal installation for data storage. Be sure to not have remote connection to your database. Use a secure account with the minimal rights to operate.
  9. Setup the necessary permission to your files and folder access. Restrict the access to the settings.php files (containing all the credentials).
  10. Limit upload file types to the one you actually upload and avoid any executable source code to be downloaded (HTML, PHP, ...).
  11. Limit the spam on your website by limiting the creation of user by anonymous and activate their account by email confirmation. Use CAPTCHA modules (Mollom) to avoid spam into the comments.
  12. Keep your  installation patched and up to date. Be aware of securities vulnerabilities by receiving update from the Update module. 
  13. Be sure of the vulnerabilities of contributes modules. Install module widely used by the community, check the security issue queue.
  14. Backup your files and database and be sure to test your backup and restore procedure. You can automate database backup with the backup and migrate module.

You can run the Security review module to automate some securities checks.

About the author

Consultant, Web strategist, and Drupal enthusiast, I use open source software to build application that connects people and spread ideas. I believe that internet can lead to powerful changes for progressive organizations, and for our future.

Keep in touch here