Tips On Security To Protect Your Drupal Site

Security is one of the major milestones in website development. Drupal itself is very secure, but security has to be considered in advance, when the website is being planned. Your website may not seem to be at risk, yet a single weak point can expose it, and once it is hacked you face major problems and considerable cost, so it is better to secure your website before it goes to production. I have faced this issue with my own website and worked out a solution for it, so I wanted to share my experience in this blog.

The following are the points you need to keep doing.

Always back up your website! Regular backups let you roll back easily and restore your CMS if you are attacked. We also recommend running a backup before you update Drupal core and modules. Some managed Drupal hosts, such as Pantheon, offer one-click backup and restore as well as dev environments, which is great for testing changes before pushing them to production. You can also test your updates locally using software like XAMPP or MAMP.

There is also a very popular free Backup and Migrate module for Drupal that we recommend. This module features:

  • Backup/Restore multiple MySQL databases and code

  • Backup of files directory is built into this version

  • Add a note to backup files

  • Smart delete options make it easier to manage backup files

  • Backup to FTP/S3/Email or NodeSquirrel.com

  • Drush integration

  • Multiple backup schedules

  • AES encryption for backups

 

Keep your Drupal installation updated: Drupal notifies you about new releases and security updates, so don't ignore them even if your website shows no problem; apply the update first. The Update Manager module gives you the details of your current version and of what kind of update has been released, so this functionality should always be enabled.

 

Block Access to Important Files

You can restrict access to sensitive files such as authorize.php, upgrade.php, cron.php and install.php via .htaccess, so that only the addresses you allow (here, the local host) can reach these core scripts. See the example below.

# Apache 2.2 access control (needs mod_access_compat on Apache 2.4, where
# "Require local" inside the same FilesMatch is the native equivalent).
<FilesMatch "^(authorize|cron|install|upgrade)\.php$">
  Order deny,allow
  Deny from all
  Allow from 127.0.0.1
</FilesMatch>

 

Security configuration: Drupal offers a lot of security-relevant configuration, and a number of contributed modules can help you with it. One of them is the Security Review module, which you can use to check the security of your website. It reports on file system permissions (always a source of problems), text formats that allow dangerous tags or PHP or JavaScript content, whether error reporting is safe, whether private files are secured, whether only safe upload extensions are allowed, and a large number of database errors, which will also harm your website.
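As an added illustration of the file-system checks mentioned above, the following stand-alone script (example code, not from the post or from the Security Review module) inspects a Drupal 7 docroot the way a reviewer would; the script name and the docroot path are assumptions.

```php
<?php
// Added example, not part of the post or of the Security Review module:
// a stand-alone CLI script reproducing a few of Security Review's file-system
// checks on a Drupal 7 docroot. Assumed usage: php check_drupal_fs.php /path/to/docroot

function check_drupal_files($docroot) {
  $findings = array();
  $settings = "$docroot/sites/default/settings.php";
  $files    = "$docroot/sites/default/files";

  // settings.php holds the database credentials; after installation it must
  // not be writable by the web server (Drupal itself sets it to 0444).
  if (!is_file($settings)) {
    $findings[] = "missing $settings";
  }
  elseif (fileperms($settings) & 0022) {
    $findings[] = sprintf('settings.php is group/world writable (%o)', fileperms($settings) & 0777);
  }

  // The public files directory must be writable (checked here as the user running
  // this script) but must keep the .htaccess Drupal writes there so uploads never execute.
  if (!is_dir($files)) {
    $findings[] = "files directory missing: $files";
    return $findings;
  }
  if (!is_writable($files)) {
    $findings[] = "files directory not writable: $files";
  }
  if (!is_file("$files/.htaccess")) {
    $findings[] = "no .htaccess protecting $files";
  }

  // Server-side scripts in the upload directory point at an upload-extension
  // whitelist that is too loose, or at a file that should not be there at all.
  $iter = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($files, FilesystemIterator::SKIP_DOTS));
  foreach ($iter as $file) {
    if (preg_match('/\.(php|phtml|phar|pl|py|cgi)$/i', $file->getFilename())) {
      $findings[] = 'executable script under files/: ' . $file->getPathname();
    }
  }
  return $findings;
}

$findings = check_drupal_files(isset($argv[1]) ? rtrim($argv[1], '/') : getcwd());
foreach ($findings as $f) {
  echo "FINDING: $f\n";
}
exit($findings ? 1 : 0);
```

The script exits non-zero when it finds anything, so it can be run from cron or a deployment hook and fail the deployment.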

 

HTTPS: This is one of the major things to consider, not only for Drupal-based websites but for websites built with any technology. It can't be used on every website, so it must at least be configured on e-commerce, government or any other website that holds important information.

Secure custom coding: Anyone can write insecure code, so we need to learn how to write secure code and review our existing website code for issues. Here you can use the Coder module, which helps you find SQL injection problems.
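As an added example of what reviewing custom code for SQL injection means in practice (example code, not from the post or from the Coder module; the module name mymodule is hypothetical), here is the concatenation pattern that gets flagged beside the Drupal 7 database API forms that replace it:

```php
<?php
// Added example, not from the post or from the Coder module: the pattern that
// gets flagged as SQL injection in Drupal 7 custom code, beside the corrected form.
// Assumes a bootstrapped Drupal 7 site (db_query(), db_like(), check_plain(), theme());
// the module name "mymodule" is hypothetical.

/**
 * INSECURE: request input is concatenated into the query, so anything in
 * $name or $uid that the database reads as SQL becomes part of the statement.
 */
function mymodule_find_mail_insecure($name, $uid) {
  $sql = "SELECT mail FROM {users} WHERE name LIKE '%" . $name . "%' OR uid = " . $uid;
  return db_query($sql)->fetchCol();
}

/**
 * SECURE: every value is passed as a named placeholder, so the driver sends
 * it as data, never as SQL. Two Drupal-specific details matter here:
 *  - LIKE wildcards in user input are escaped with db_like() before the
 *    surrounding % characters are added;
 *  - casting $uid to int documents the expected type and rejects junk.
 */
function mymodule_find_mail($name, $uid) {
  return db_query('SELECT mail FROM {users} WHERE name LIKE :name OR uid = :uid', array(
    ':name' => '%' . db_like($name) . '%',
    ':uid' => (int) $uid,
  ))->fetchCol();
}

/**
 * SECURE, list form: an array bound to one placeholder is expanded by the
 * database layer into "IN (:rids_0, :rids_1, ...)", so role ids never need
 * to be imploded into the query string.
 */
function mymodule_users_in_roles(array $rids) {
  return db_query('SELECT DISTINCT uid FROM {users_roles} WHERE rid IN (:rids)', array(
    ':rids' => array_map('intval', $rids),
  ))->fetchCol();
}

/**
 * Output side: values read back from the database are still user data, so
 * they are escaped with check_plain() before being rendered into HTML.
 */
function mymodule_render_mails(array $mails) {
  $items = array_map('check_plain', $mails);
  return theme('item_list', array('items' => $items));
}
```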

 

Input formats and permissions: If you have enabled an input format that allows PHP or JavaScript code, it is very important to take care of who has permission to use it.

 

Secure the password of user ID 1: When you install Drupal you are given user 1, the super admin, who can do anything on the Drupal website, so this user's password should be very strong and changed from time to time; also, never reuse that password.

 

Server security: Beyond Drupal security you need to be aware of your server and check whether it is secure. Apply every available security update to your server.

As you can see, there are many ways to harden your Drupal security: keeping Drupal core and modules up to date, being smart with usernames and passwords, using security modules, secure connections, database security tricks, two-factor authentication, file permissions, using an SSL certificate and more. Many of these recommendations can be implemented within a matter of minutes, and you can rest easier knowing your Drupal site is a little more secure from intruders and hackers.

 

Have any other good Drupal security tips that you think we missed? If so, let us know below in the comments!
