Drupal Security Overview

In this overview article, we will discuss different measures you can take to help secure your Drupal based website. Drupal is a powerful content management system (CMS) and one of the most widely used CMSs on the internet. Because of its popularity, attackers actively look for ways to break into sites running Drupal, and much of that probing is automated: scanners sweep the web for installations with known, unpatched vulnerabilities.

Below we have outlined some basic steps that, taken together, prevent the large majority of common attacks against a Drupal site.

  • Passwords
    • Make sure you use strong, hard to crack or guess passwords on all of your sites. Avoid dictionary words; use a mixed set of characters and no fewer than 10 characters (longer is better). It is also HIGHLY recommended that you not reuse a password across the different parts of your site. For example, do not use the same password for your Drupal administrator login as for your MySQL user, your FTP/SFTP account, or your hosting control panel. Use a different password wherever possible. This isolates a breach (if one happens) to one or two services rather than handing over your entire site and hosting account.
    • For more information about secure passwords, please see our dedicated article on the topic here.
  • Updates
    • Always be on the lookout for software updates for your Drupal website. Many releases are security releases that patch known vulnerabilities. Keep in mind that each security release is accompanied by a published security advisory describing the flaw, so from the moment the fix goes live the vulnerability is public knowledge, and attackers routinely turn advisories into working exploits within hours or days and then scan for sites that have not yet updated. The window between a release and your update is the dangerous period, so apply security updates promptly.
    • For information on how to update your Drupal website, please click here.
  • Administrator Username
    • It is recommended that you not name your administrator account "admin" (or "administrator", or the site name), because brute force and dictionary attacks usually assume one of these usernames, and a predictable username means the attacker only has to guess the password. Note that Drupal's first account (user ID 1) has every permission regardless of what it is called, so renaming it makes the account harder to target but does not make it any less valuable; it still needs a strong, unique password.
    • For information on how to change your administrator username, please click here.
  • Plugins/Modules
    • Drupal calls its plugins modules. If you use contributed modules, keep them up to date just like Drupal core: a module can carry vulnerabilities that open a security hole in your whole website, and contributed modules receive security advisories of their own. If a security update becomes available, install it.
    • Be aware that not all modules are alike. Because modules can be written by anyone, their coding and security practices vary widely. Prefer modules hosted on drupal.org that have an active maintainer, a large install base and security advisory coverage from the Drupal security team, and avoid modules with unresolved security issues in their issue queue. Uninstall modules you no longer use; disabled code still sits on the server and some of it remains reachable. For anything critical, you can also hire someone with Drupal experience to review the module's code for security problems before you install it on your production site.
  • Themes
    • Like modules, themes are code (template files and PHP) and can contain vulnerabilities. Use well-rated themes from drupal.org, or themes that have been vetted by experienced Drupal developers, and be especially wary of "free" themes from third-party sites, which have been known to ship with hidden backdoors or spam links. You can always search the web for the name of the theme to see whether security problems have been reported.
  • Backup!
    • Make sure you have an active backup plan. If your site is breached, your data may be destroyed or silently altered, and a backup is the only reliable way to get back to a known-good state. A Drupal backup must include both the database and the files on disk (settings.php and the sites/default/files upload directory), because neither one is useful without the other. Back up often, store copies off the hosting server (at home, or with an online backup provider), since a backup that lives only on the compromised server can be deleted by the attacker, and test a restore at least once so you know the backups actually work.
  • Community
    • Drupal has a very active community that can be helpful in times of need. Use the drupal.org community site and issue queues to search for any problems you are having with a module or a Drupal feature. Also subscribe to the Drupal security advisories (published on drupal.org for both core and contributed projects) so you hear about security issues affecting the versions you run as soon as they are announced.
  • SSL/HTTPS
    • If you log in to your site to make changes, obtain an SSL/TLS certificate and serve the login page, and ideally the entire authenticated session, over HTTPS. Over plain HTTP your password travels in clear text and so does the session cookie that identifies you after login, so anyone on the network path (for example on public Wi-Fi) can capture either one and take over your account. Protecting only the login form is not enough if the rest of the session falls back to HTTP.
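The backup plan described in the "Backup!" item above in working form, as an added example that is not part of the original article: a POSIX shell script that dumps the MySQL database, archives the Drupal docroot (including settings.php and sites/default/files), checksums the result and copies it off the web server with scp. The docroot path, database credentials and off-site destination are placeholders you supply; the script assumes mysqldump, tar, sha256sum and scp are available on the host.

```shell
#!/bin/sh
# Added example, not from the original article: back up a Drupal site's
# database and docroot and copy the archive off the web server.
#
# Assumed, hypothetical inputs (adjust for your hosting account):
#   DRUPAL_ROOT  path to the Drupal docroot, e.g. /var/www/drupal
#   DB_NAME/DB_USER/DB_PASS  MySQL credentials from sites/default/settings.php
#   OFFSITE      scp destination, e.g. backup@backup-host:/backups/
set -eu

# Write the MySQL credentials to a private options file (mode 600) instead of
# passing --password on the command line, where any local user could read it
# from `ps`. Prints the path of the file it created.
write_mysql_defaults() {
  db_user=$1; db_pass=$2
  f=$(mktemp)
  chmod 600 "$f"
  printf '[client]\nuser=%s\npassword=%s\n' "$db_user" "$db_pass" > "$f"
  printf '%s\n' "$f"
}

# Archive file name: <site>-<UTC timestamp>.tar.gz. The timestamp is passed in
# so the name is predictable; callers use $(date -u +%Y%m%dT%H%M%SZ).
archive_name() {
  printf '%s-%s.tar.gz\n' "$1" "$2"
}

drupal_backup() {
  drupal_root=$1; db_name=$2; db_user=$3; db_pass=$4; offsite=$5
  work=$(mktemp -d)
  trap 'rm -rf "$work"' EXIT

  # Consistent InnoDB snapshot without locking the live site. The dump goes
  # to a file rather than a pipe so a mysqldump failure aborts under set -e.
  defaults=$(write_mysql_defaults "$db_user" "$db_pass")
  mysqldump --defaults-extra-file="$defaults" --single-transaction \
    "$db_name" > "$work/$db_name.sql"
  rm -f "$defaults"
  gzip "$work/$db_name.sql"

  # The docroot includes settings.php and sites/default/files (uploads),
  # which a database dump alone does not cover.
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive=$work/$(archive_name "$db_name" "$stamp")
  tar -czf "$archive" \
    -C "$(dirname "$drupal_root")" "$(basename "$drupal_root")" \
    -C "$work" "$db_name.sql.gz"

  # Checksum so a truncated or tampered copy is caught before a restore.
  (cd "$work" && sha256sum "$(basename "$archive")" > "$archive.sha256")

  # A backup that lives only on the web server is lost with it; ship it off.
  scp "$archive" "$archive.sha256" "$offsite"
}

# Usage: drupal_backup.sh /var/www/drupal drupaldb dbuser 'dbpassword' backup@backup-host:/backups/
if [ "$#" -eq 5 ]; then
  drupal_backup "$@"
fi
```

Run it from cron so backups happen without anyone having to remember. The archive contains settings.php (with the database password) and the users table (with password hashes), so the off-site destination needs the same access control as the site itself, or encrypt the archive (for example with gpg) before copying it. Restore it onto a staging copy at least once; an untested backup is a guess, not a plan.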

If you have any recommendations for topics that should be added to this article, please leave a comment below.
