
How to keep your Drupal website secure

Date: 28 November 2014
Authored by: Kuriakose Kurian & Stephen Ollman

More than 80% of websites (built with any technology) are vulnerable to some level of attack. Site attacks are normally performed by automated scripts that look for vulnerabilities, which then flag a site to a hacker looking to exploit that vulnerability in the code.

Many businesses simply have their website built and then leave it there for the world to see, trusting that it’s working around the clock, presenting their organisation the way they had originally envisaged. A website is a vital part of any business and should be considered as a living thing and like any living entity needs to be fed and maintained in order to operate to the best of its ability. Far too often websites, starved of content and attention, are doing more damage than good to the reputation of a business. So it’s very important to make sure your website is secure and functional.

Drupal itself has an excellent reputation in maintaining the security and functionality of its CMS, compared to many other systems, both open source and proprietary. This commitment to security and functionality is the real success of the Drupal CMS.

Below I’ve listed a few basic tips that will help you keep your Drupal site (or any website for that matter) as secure as it can be.

  1. Strong passwords/passphrases
    The number one rule to keeping a website secure is to ensure that any accounts that have higher access privileges are given a strong password/passphrase. Far too often have systems been compromised by site admins not using complex passwords/passphrases. It cannot be stressed enough that all ‘add/edit/delete’ accounts should employ a complex password or at the very least a long passphrase, containing a sequence of words, numbers or characters.
     
  2. Ensure your software is up-to-date
    This is a general rule for all websites regardless of technology. It covers every component: the OS, firewalls, applications (PHP, MySQL etc.) and your own code. Keeping software up to date ensures that security vulnerabilities that have already been identified no longer exist for hackers to exploit. Whilst it’s important to update your software, it’s actually more important to do it as soon as practically possible. Some organisations, like OPC, offer monitoring services that ‘pro-actively’ monitor a site’s application components and ensure that they are kept up-to-date in a timely manner.
     
  3. Automated vulnerability scanners
    It’s always a good idea to scan a website using automated vulnerability scanners, which give a very good overview of the website’s status. PSARN is one of Australia’s popular third party providers. Many hosting companies across Australia provide similar services; you may need to check with your webhosting provider which is best for your situation. You can also use penetration testing tools yourself, with a number of free and commercial products available online; Netsparker and OpenVAS are popular tools.
     
  4. Use best practices for code development
    If you are developing your own custom code/module as part of a project then the following should help to ensure that your code doesn’t offer a vulnerability that can be exploited.
    • Cross site scripting– Also known as XSS, this is an application-layer attack where attackers try to pass scripted code to the server via a web form. Hackers are constantly experimenting with new techniques looking to compromise vulnerabilities. It’s always best to employ form validation to ensure that data submitted by the form contains only the expected data types.
    • Error Messages– You must be careful about the information you give in your error messages. For example, if you have a login form on your website and a user enters a wrong password, you should use a generic message like “Incorrect username or password”, rather than “password does not match”. Try not to give too much away about the underlying technology behind your application.
    • Form validation– It is recommended to perform form validation on both the client and the server side when possible. Simple validation can be performed in the browser, whilst more complex data validation should be performed server side to reject unexpected data such as JavaScript or similar unwanted HTML special characters.
    • SSL– Use the secure sockets layer and the HTTPS protocol to ensure that data is transferred between the user and the webserver in a secure, encrypted manner. When passing sensitive information (i.e. credit card details) it is highly recommended that an SSL certificate be purchased and assigned to your site. This offers the best protection to ensure that data transferred is not usable by anyone other than the intended website.
  5. Register for security updates
    Whenever possible you should subscribe to receive security alerts for your chosen product. This ensures that you are notified in a timely manner when vulnerabilities are found and patched. To subscribe to Drupal’s security announcements mailing list simply follow the link and enter your email address. Another approach is to follow Drupal on Twitter. Drupal also provides an RSS feed for its security updates here. In the event your Drupal site has been hacked or exploited, Drupal offers some good advice that may help you.
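To show what the code-development tips in point 4 look like in a Drupal 7 custom module, here is an added example (it is not code from the original article, nor from Drupal core). It assumes a hypothetical module named `secure_contact`; the functions it calls (`hook_menu`, `drupal_get_form`, `form_set_error`, `valid_email_address`, `t()` with `@`/`%` placeholders, `watchdog`, `user_authenticate`) are the standard Drupal 7 API. It demonstrates server-side validation that does not rely on the browser, escaping of user input before it reaches HTML output, and a generic login failure message with the detail kept in the log.

```php
<?php
/**
 * @file
 * Added example (hypothetical "secure_contact" module, not part of the
 * article or of Drupal): server-side validation, XSS-safe output and a
 * generic error message, using the Drupal 7 Form API.
 */

/**
 * Implements hook_menu(): expose the form at /secure-contact.
 */
function secure_contact_menu() {
  $items['secure-contact'] = array(
    'title' => 'Contact us',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('secure_contact_form'),
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Form constructor. #maxlength is enforced again by the server on submit.
 */
function secure_contact_form($form, &$form_state) {
  $form['name'] = array(
    '#type' => 'textfield',
    '#title' => t('Your name'),
    '#required' => TRUE,
    '#maxlength' => 64,
  );
  $form['email'] = array(
    '#type' => 'textfield',
    '#title' => t('Email'),
    '#required' => TRUE,
    '#maxlength' => 254,
  );
  $form['message'] = array(
    '#type' => 'textarea',
    '#title' => t('Message'),
    '#required' => TRUE,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Send'));
  return $form;
}

/**
 * Server-side validation: runs regardless of any JavaScript in the browser.
 */
function secure_contact_form_validate($form, &$form_state) {
  $values = $form_state['values'];
  // Name: letters, spaces, hyphens and apostrophes only, at most 64 chars.
  if (!preg_match("/^[\p{L} '-]{1,64}$/u", $values['name'])) {
    form_set_error('name', t('Please enter a valid name.'));
  }
  // Drupal's own email syntax check.
  if (!valid_email_address($values['email'])) {
    form_set_error('email', t('Please enter a valid email address.'));
  }
  // A plain-text message field should never carry markup or script tags.
  if ($values['message'] !== strip_tags($values['message'])) {
    form_set_error('message', t('HTML is not allowed in the message.'));
  }
}

/**
 * Submit handler: user input is escaped before it is rendered.
 */
function secure_contact_form_submit($form, &$form_state) {
  $name = $form_state['values']['name'];
  // The @ placeholder runs check_plain(), so "<script>" is rendered as text.
  drupal_set_message(t('Thanks, @name, your message was received.', array('@name' => $name)));
  // The % placeholder is escaped as well; details go to the site log only.
  watchdog('secure_contact', 'Contact form submitted by %email',
    array('%email' => $form_state['values']['email']), WATCHDOG_INFO);
}

/**
 * Login helper for a custom login page: one generic message for the user,
 * whatever the reason for failure; the specifics go to watchdog.
 */
function secure_contact_try_login($name, $password) {
  $uid = user_authenticate($name, $password);
  if ($uid === FALSE) {
    watchdog('secure_contact', 'Failed login attempt for %name',
      array('%name' => $name), WATCHDOG_WARNING);
    return array('ok' => FALSE, 'message' => t('Incorrect username or password.'));
  }
  return array('ok' => TRUE, 'uid' => $uid);
}
```

Enable the module, visit `/secure-contact`, and submit a name such as `<script>alert(1)</script>`: the validate handler rejects it, and even if a value did pass, the `@name` placeholder in `t()` would render it as literal text rather than as markup. Note that Drupal core's own login form already applies this generic-message rule and flood control; the helper here is only for custom login pages.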

So when securing a website, check the following:

  • Strong password/passphrase
  • Up-to-date software
  • Regular automated scans
  • Best practice code development
  • Register for security updates

References:


https://www.drupal.org/security/secure-configuration
https://www.drupal.org/security-team
https://www.acquia.com/blog/keeping-drupal-secure