Drupal Site Security


In this chapter we will study about how to secure the Drupal site. This chapter specifies security configuration suggestions for site administrators and alerts the administrator how to secure the site.

There are many contributed modules which help you with security configuration in which Security Review module automates testing the mistakes that makes your site insecure.

  • You can report a security issue directly with Drupal core, contrib or Drupal.org by sending email regarding the issue. The security team will help you to sort your issue with the project maintainer.

  • Secure your file permissions and ownership by configuring the server file system, as the web server (e.g. Apache) should not have access to edit or write the files, it should be read only the files, later which gets executed.

  • The security risk levels are based on NIST Common Misuse Scoring System (NISTIR 7864), so that the organization can verify how to manage the problem. Below are the points that will help to understand the security risk level by assigning the number between 0 to 25:

    • 0 to 4: Not Critical.

    • 5 to 9: Less Critical.

    • 10 to 14: Moderately Critical.

    • 15 to 19: Critical

    • 20 to 25: Highly Critical.

  • While accepting the sensitive information like credit card number, the PCI(Payment Card Industry) defines a number of Data Security Standards. Though this is not Drupal specific, it is important for each Drupal developer be aware of this. To know more about the PCI issues you can refer this link Drupal PCI Compliance White Paper.

  • The users are allowed to be deleted or even for the users to delete themselves in Drupal site which can lead to an unexpected situation sometimes.

  • Enable HTTPS, which is more secure to send sensitive information to a website such as:

    • Credit cards

    • Sensitive cookies such as PHP session cookies

    • Passwords and Usernames

    • Identifiable information (Social Security number, State ID numbers, etc)

    • Confidential content

  • Enhance your security using contributed modules. Here are some standard module categories such as:

    • Security category

    • User access / authentication

    • Spam prevention modules

  • You can disable the roles and permissions of the user by installing the Secure Permission module.

  • The security operation can be improved in the login operation by installing the Login Security module.

  • The site administrator can secure its site by making it as private and by restricting the site to limited access for the users by the role. Due to this process, your site will not be reachable to search engines and other crawlers(to create an index of data in www).