• 10 Simple steps to protect your Drupal site

    Web devs have seen many articles detailing how to secure popular scripts, but where’s the equivalent guide if you prefer the Drupal CMS? These steps are user-friendly, even if you’re new to the system. Keep up with each of these activities for every install to prevent hackers from compromising your site. You’ll sleep better at night.

    Always Upgrade

    1. Whether your installation or any of its modules has an upgrade available, apply it! Outdated scripts give hackers more time to find their way in. Upgrading Drupal takes several steps, and while you can safely upgrade between minor versions (from 7.1 to 7.2, for example), upgrading between major releases such as 6 and 7 is more involved.

    Before you upgrade, back up your database and put your site into Off-Line mode from the Site maintenance page of your control panel. Go to “Themes” and switch your theme to Garland, then disable non-core modules from the Modules page. Log in to your site via FTP and delete the file “sites/default/default.settings.php”. Delete the other Drupal files and directories, leaving the “sites” directory intact. Delete any uninstalled modules.

    Download the newest version of Drupal, unzip the archive and upload it to the root of your website. If you’ve made changes to files such as .htaccess, repeat those changes in the new files you’ve downloaded. In your FTP program, right-click “settings.php”, choose the Permissions or CHMOD option and make the file writable. Run “update.php” on your site; its location will be similar to “yourdomain.com/update.php”. The upgrade will run, and you can verify its success from the Status Report page. Take your site out of Off-Line mode after upgrading.

    An alternative method is to use Drush Site Upgrade to upgrade your Drupal install and installed modules.
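    The Drush route for a minor-version update, as an added shell example that is not part of the article: it follows the article's order (backup, off-line mode, update code, run the update.php equivalent, back on-line) and refuses to touch the site if the backup fails. It assumes Drush 6/7/8 on a Drupal 7 site; the `DRUSH` and `BACKUP_DIR` variables and the backup path are placeholders to adapt.

```shell
#!/bin/sh
# Added example, not from the article: the Drush route for a minor-version
# update of a Drupal 7 site, in the article's order. Assumes Drush 6/7/8.
# DRUSH and BACKUP_DIR are plain variables so a stand-in drush can be used.
DRUSH=${DRUSH:-drush}
BACKUP_DIR=${BACKUP_DIR:-/var/backups/drupal}   # placeholder path

# Update core and contributed code under docroot $1. Nothing on the site is
# touched until the database dump and the sites/ archive have succeeded, so
# there is always a restore point; on failure the site stays off-line.
drupal_minor_update() {
    root="$1"
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$BACKUP_DIR" || return 1
    # 1. Database backup (abort if it fails)
    "$DRUSH" -r "$root" sql-dump --result-file="$BACKUP_DIR/db-$stamp.sql" || return 1
    # 2. Archive sites/, the directory the article says to keep across upgrades
    tar -cf "$BACKUP_DIR/sites-$stamp.tar" -C "$root" sites || return 1
    # 3. Off-line mode, so visitors never see a half-updated site
    "$DRUSH" -r "$root" vset maintenance_mode 1 || return 1
    # 4. Replace core and module code; 5. run the equivalent of update.php
    if "$DRUSH" -r "$root" -y pm-updatecode && "$DRUSH" -r "$root" -y updatedb; then
        "$DRUSH" -r "$root" cache-clear all
        # 6. Back on-line only after everything succeeded
        "$DRUSH" -r "$root" vset maintenance_mode 0
        return 0
    fi
    echo "update failed; site left off-line, restore from $BACKUP_DIR/db-$stamp.sql" >&2
    return 1
}
```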

    2. Ditch modules that aren’t actively maintained. You might even find one that does what you want even better! To do so, visit the Modules page, usually located at “yourdomain.com/admin/modules”. Uncheck the box next to the module and save the configuration to disable it. Then click the Uninstall tab, check the disabled module and click “Uninstall.”

    Users and Permissions

    3. Administrator permissions can be granted to any role, even anonymous users, so proceed with caution. Check your current permissions by logging in at “http://yourdomain.com/?q=user/login”. In Drupal 5.x or 6.x, visit “Administration > User management” and choose “Roles” to create a role, “Users” to edit or create individual users, or “Permissions” to edit permissions for existing roles. For example, you must create an Editor role before adding editors to a site. Other roles include administrator and user. Drupal 7 provides the same options under “Administer > People”.

    4. You’ll probably create a few FTP users who have access not only to your Drupal install but to your host’s control panel and other files. Limit access for users you don’t fully trust. If your server allows it, use secure FTP, too; your FTP program will include an option to log in securely.

    5. Avoid sending passwords in user emails. You can’t guarantee the security of someone else’s email account, which could spell trouble for your Drupal site; the University of Pennsylvania recommends disabling this option. Go to Administer > User management > User settings to disable passwords in emails.

    Protect Against Harmful Files and HTML

    6. If you accept uploads on your site and don’t limit extensions, you could be ripe for a malicious script running rampant on your site. Log in to Drupal to change the allowed image types: go to “Structure > Content types > Manage Fields” and click “Edit” next to Images to remove image file types. To allow uploads such as PDFs, go to “Administer > Site Configuration > File Uploads”. Remove HTML and script files from the permitted file extensions before clicking the save button.
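    A server-side check that complements step 6, as an added shell example that is not part of the article: it walks an upload directory (assumed to be the first argument, e.g. sites/default/files) and reports every file whose extension is outside an allow-list, plus files that carry a script extension in the middle of the name, which Drupal itself defuses by renaming on upload. The `ALLOWED_EXTS` list is a placeholder for whatever you configured in File Uploads.

```shell
#!/bin/sh
# Added example, not from the article: audit a Drupal upload directory for
# files that should never have got there. $1 is the directory to scan and
# ALLOWED_EXTS is a placeholder for the extensions your File Uploads page permits.
ALLOWED_EXTS="jpg jpeg gif png pdf txt"

# Return 0 when the lower-cased extension of $1 is in ALLOWED_EXTS.
# A name with no extension at all is treated as not allowed.
ext_allowed() {
    name=$(basename "$1")
    case "$name" in
        *.*) ext=$(printf '%s' "${name##*.}" | tr 'A-Z' 'a-z') ;;
        *)   return 1 ;;
    esac
    for ok in $ALLOWED_EXTS; do
        [ "$ext" = "$ok" ] && return 0
    done
    return 1
}

# Return 0 when the name hides a script extension before the final one
# (e.g. "pic.php.jpg"); some server configurations still hand such files to
# an interpreter, so they deserve a look even when the last extension is fine.
suspicious_inner_ext() {
    case "$(basename "$1" | tr 'A-Z' 'a-z')" in
        *.php.*|*.phtml.*|*.phar.*|*.pl.*|*.cgi.*|*.html.*|*.js.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "<reason> <path>" for every offending file under $1.
# The .htaccess Drupal writes into its files directory is skipped on purpose.
audit_uploads() {
    find "$1" -type f ! -name .htaccess | while IFS= read -r f; do
        if ! ext_allowed "$f"; then
            printf 'DISALLOWED_EXT %s\n' "$f"
        elif suspicious_inner_ext "$f"; then
            printf 'DOUBLE_EXT %s\n' "$f"
        fi
    done
}

# Number of findings; 0 means the directory is clean
audit_uploads_count() { audit_uploads "$1" | wc -l | tr -d ' '; }
```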

    7. Similarly, you don’t want to give any users the option to use HTML code to manipulate your Drupal-powered site in a negative way, so you may want to revoke these permissions altogether or limit usage to benign tags such as italic or bold text. HtmlLawed is a useful module for blocking some tags and showing users which HTML they can use.

    Writing Permissions

    8. As with any script, certain files and folders need to be writable by the server. However, you don’t want to allow just anyone to write or run certain scripts on your site, so right-click any file on your server in your FTP program and choose “CHMOD” to view the current permissions. Files such as “settings.php” need permissions of “644,” while other files and directories should have stricter “755” permissions.
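    Checking step 8 across a whole docroot rather than one file at a time, as an added shell example that is not part of the article: it walks the Drupal root (assumed to be the first argument) and reports anything that is not 644 for files or 755 for directories, calling out world-writable objects first, since those are what lets an attacker drop or alter a script, and listing settings.php under its own label so you can apply whatever mode your host requires. It assumes GNU find and stat (Linux).

```shell
#!/bin/sh
# Added example, not from the article: audit a Drupal docroot against the
# article's baseline of 644 for files and 755 for directories.
# Assumes GNU find/stat. Usage: audit_drupal_perms /var/www/drupal

# Print "<kind> <mode> <path>" for every object whose mode is not the expected
# one. World-writable objects are reported as WORLD_WRITABLE because a file
# that any local account can overwrite is the case that needs fixing first.
audit_drupal_perms() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # World-writable files or directories: the most urgent finding
    find "$root" -perm -o+w -exec sh -c \
        'printf "WORLD_WRITABLE %s %s\n" "$(stat -c %a "$1")" "$1"' _ {} \;
    # Directories should be 755
    find "$root" -type d ! -perm 755 ! -perm -o+w -exec sh -c \
        'printf "dir %s %s\n" "$(stat -c %a "$1")" "$1"' _ {} \;
    # Regular files should be 644; settings.php is labelled on its own line
    find "$root" -type f ! -perm 644 ! -perm -o+w -exec sh -c '
        case "$1" in
            */settings.php) printf "settings %s %s\n" "$(stat -c %a "$1")" "$1" ;;
            *)              printf "file %s %s\n" "$(stat -c %a "$1")" "$1" ;;
        esac' _ {} \;
}

# Number of deviations found; 0 means the tree matches the baseline
audit_count() {
    audit_drupal_perms "$1" | wc -l | tr -d ' '
}

# Number of world-writable objects specifically
world_writable_count() {
    audit_drupal_perms "$1" | grep -c '^WORLD_WRITABLE ' || true
}
```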

    Review Security

    9. If you think you’ve got everything under control, install and run the Security Review module. The module will perform a check for common vulnerabilities, allowing you to make quick work of those holes by following the prompts.

    Plan for the Worst

    10. While no one wants to consider that their site could be vulnerable, you must hope for the best but plan for the worst. This means making frequent backups that you can restore in the event that someone hacks into your Drupal site. Backup and Migrate is one such module that allows you to schedule backups and import saved databases.

    Also make sure to use a reputable malware scanning service, like StopTheHacker, to regularly scan your live Drupal website for malware, known and unknown, so that if it does get infected you can act fast and have the malware removed easily.

    • PHP files need 644, but settings.php, which contains the db password, must be more protected and needs 444.

      Posted by hans rossel on July 1st

    • Hey there. I discovered your blog by the use of MSN. This is a very smartly written article. I’ll be sure to bookmark it and come back to learn more of your helpful information. Thanks for the post. I’ll certainly return.

      Posted by Miki on July 2nd