Creating Secure Drupal Sites

If you configure your Drupal site correctly and follow security updates, you will have a secure Drupal site.

Drupal is already inherently secure due to its core structure, but sites need to be configured correctly. If you do not create your websites securely and give extra permissions, you may experience security problems. Security is not only about coding.

Drupal Core

Keep your Drupal core up to date, especially follow security updates closely and apply them to your site. You can follow the updates at https://drupal.org/security or if you are an active twitter user, you can follow the updates on twitter @drupalsecurity.

Strong Password

Password management is the most common source of security-related problems. An unstrong password can be easily cracked and your website can be hacked. Install the Password Policy module and force other users on your site to create secure passwords. You can also require passwords to be renewed after a certain period of time. 

File Uploads

Always check the files uploaded by users and set some limitations. Do not forget to make settings such as file sizes, types of files. Also, do not forget to check the roles of users for content types, do not give unnecessary authorisation.

Security Review

Install the Security Reviews module and take the necessary measures on your website according to the analysis results of this module. This module is especially useful for reminding us of security-related checks that we have overlooked. Although this module is very useful, do not use it on live sites, turn off the module and delete it from the file system when going live.

Secure Coding

Make sure that the custom modules and themes you develop for your website do not contain security vulnerabilities, scan your sites for vulnerabilities such as XSS, SQL Injection with applications such as netsparker. Use Drupal APIs, especially in the module development phase, Drupal helps your code to be more secure.