Drupal - Site Security
In this chapter, we will study how to secure the Drupal site. This chapter specifies security configuration suggestions for site administrators and alerts the administrator how to secure the site.
There are many contributed modules which help you with security configuration in which Security Review module automates testing the mistakes that makes your site insecure.
You can report a security issue directly with Drupal core, contrib or Drupal.org by sending an e-mail regarding the issue. The security team will help in resolving your issue with the help of project maintainer.
Secure your file permissions and ownership by configuring the server file system, as the web server (e.g. Apache) should not have access to edit or write the files. It should be read only files, which gets executed later.
The security risk levels are based on NIST Common Misuse Scoring System (NISTIR 7864), so that the organization can verify how to manage the problem. Below are the points that will help you understand the security risk level by assigning the number between 0 to 25 −
0 to 4 − Not Critical.
5 to 9 − Less Critical.
10 to 14 − Moderately Critical.
15 to 19 − Critical
20 to 25 − Highly Critical.
While accepting the sensitive information like credit card number, the PCI (Payment Card Industry) defines a number of Data Security Standards. Though this is not Drupal specific, it is important for each Drupal developer to be aware of this. To know more about the PCI issues, you can refer this link Drupal PCI Compliance White Paper.
The users are allowed to be deleted or even for the users to delete themselves in Drupal site which can lead to an unexpected situation sometimes.
Enable HTTPS, which is more secure to send sensitive information to a website such as−
Sensitive cookies such as PHP session cookies
Passwords and Usernames
Identifiable information (Social Security number, State ID numbers, etc)
Enhance your security using contributed modules. Some standard module categories are −
User access / authentication
Spam prevention modules
You can disable the roles and permissions of the user by installing the Secure Permission module.
The security operation can be improved in the login operation by installing the Login Security module.
The site administrator can secure its site by making it private and by restricting the site to limited access for the users by the role. Due to this process, your site will not be reachable to search engines and other crawlers (to create an index of data in www).