Tips for Securing Drupal

1. Keep your Drupal installation and modules up to date. Subscribe to the security mailing list at http://drupal.org/security. When you see an announcement, be sure to upgrade in a timely manner.

1.5. Don't use module versions marked as 'dev'. Development versions of modules change rapidly and aren't very likely to have undergone much in the way of a security audit. You're much safer using production-grade modules. Check the bug reports for modules you're thinking of using to get a sense of the number of issues the module has and whether or not bug reports are being addressed by the developers.

2. Be sure the MySQL username and password are not the root username and password. Create a new MySQL account just for Drupal and grant it permissions only to the Drupal database. This step ensures that any SQL injection vulnerability that might sneak into your site can't use the "join select load_file()" attack to expose data from your server: MySQL's LOAD_FILE() needs the FILE privilege, which root has and a database-limited account does not.
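An added example (not code from the original post) that turns this tip into a check and a fix. The first function reads the database username from the `$db_url` line that a Drupal 5/6 `settings.php` contains and fails if it is `root`; the second prints the SQL for a dedicated account that only has rights on the Drupal database (the privilege list matches the GRANT shown in Drupal's INSTALL.mysql.txt). The database, user and password names are constructed placeholders; with no arguments the script runs against two sample files it writes itself.

```sh
#!/bin/sh
# Added example, not code from the original post. Assumes a Drupal 5/6
# style line in settings.php:  $db_url = 'mysql://user:pass@host/dbname';
# All database names, users and passwords below are constructed placeholders.

# Print the username from the first $db_url line of a settings.php file.
# Returns 1 if no usable line is found.
db_user_from_settings() {
  line=$(grep '^[[:space:]]*[$]db_url[[:space:]]*=' "$1" | head -n 1)
  case "$line" in
    *://*) printf '%s\n' "$line" | sed 's/.*:\/\/\([^:@]*\)[:@].*/\1/' ;;
    *) return 1 ;;
  esac
}

# Succeed (exit 0) only when a username was found and it is not root.
check_db_user_not_root() {
  user=$(db_user_from_settings "$1")
  [ -n "$user" ] && [ "$user" != "root" ]
}

# Emit SQL for a least-privilege account: $1 = database, $2 = user,
# $3 = password. Feed it to the MySQL client as an administrator, e.g.
#   grant_sql drupal drupal 's3cret' | mysql -u root -p
grant_sql() {
  printf "CREATE USER '%s'@'localhost' IDENTIFIED BY '%s';\n" "$2" "$3"
  printf "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON %s.* TO '%s'@'localhost';\n" "$1" "$2"
  printf 'FLUSH PRIVILEGES;\n'
}

# Constructed demo: write two sample settings.php files and check both.
demo() {
  d=$(mktemp -d)
  printf '%s\n' '<?php' "\$db_url = 'mysql://drupal:s3cret@localhost/drupal';" > "$d/good.php"
  printf '%s\n' '<?php' "\$db_url = 'mysql://root:toor@localhost/drupal';" > "$d/bad.php"
  for f in "$d/good.php" "$d/bad.php"; do
    if check_db_user_not_root "$f"; then
      echo "ok: $f uses '$(db_user_from_settings "$f")'"
    else
      echo "WARNING: $f uses root (or could not be parsed)"
    fi
  done
  rm -rf "$d"
}

if [ "$#" -gt 0 ]; then   # real use: sh check_db.sh /path/to/sites/default/settings.php
  check_db_user_not_root "$1" && echo "ok: database account is not root" \
    || { echo "WARNING: $1 uses root or could not be parsed"; exit 1; }
else
  demo
fi
```

After switching the account, change `$db_url` in `settings.php` to the new credentials and confirm with `SHOW GRANTS` (run as that user) that only the Drupal database is listed.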

3. The files directory. Be sure that Drupal, not the web server, is set to serve your files. That way you can lock down the permissions on your files directory, so that someone who managed to get a PHP file into it couldn't run it by requesting it from the web server. To do this, log into Drupal as the administrator, select Administer -> Site configuration and set the "Download method" to "Private."

4. Get rid of the PHP input format. There's rarely any need to allow PHP code to be put into content. This can be a real problem if a user account gets hijacked and the attacker can enter PHP code into comments or content. You can solve the problem by restricting the "PHP code" input format or, better yet, by deleting that option. To delete PHP input, log in to Drupal and click Administer -> Site configuration -> Input formats. Then click the 'delete' link next to "PHP code."

5. Ensure that your .htaccess files are working! Without .htaccess working, your site leaks all sorts of information valuable to attackers. The easiest way to check whether your .htaccess files are working is to test Clean URLs. Log into Drupal, go to Administer -> Site configuration -> Clean URLs and use the link there to test support. If you can already enable or disable clean URLs, you've passed the test and your .htaccess files are working.
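Tips 3 and 5 both come down to two `.htaccess` files doing their job, so here is one added example (not code from the original post) that checks them from a shell. The root `.htaccess` that ships with Drupal 5/6 turns on `mod_rewrite` for Clean URLs and carries a `<FilesMatch>` block that denies direct requests for source files such as `*.inc` and `*.module`; the `.htaccess` Drupal writes into the files directory sets a handler that does not exist (`Drupal_Security_Do_Not_Remove_See_SA_2006_006`) plus `Options None`, which is what stops an uploaded `.php` file from being executed. The optional live probe assumes a site URL supplied by the reader and needs network access; the sample directory tree the demo builds is constructed.

```sh
#!/bin/sh
# Added example, not code from the original post. Offline checks for the two
# .htaccess files a Drupal 5/6 site depends on, plus an optional live probe.

# Drupal root .htaccess: mod_rewrite on (Clean URLs) and a FilesMatch
# block that refuses direct requests for source files.
check_root_htaccess() {
  f="$1/.htaccess"
  [ -f "$f" ] || { echo "missing $f"; return 1; }
  grep -qi '^[[:space:]]*RewriteEngine[[:space:]]*on' "$f" \
    || { echo "$f: RewriteEngine is not on"; return 1; }
  grep -q '<FilesMatch' "$f" \
    || { echo "$f: FilesMatch deny block is missing"; return 1; }
  echo "ok: $f"
}

# files/.htaccess written by Drupal: the bogus SetHandler and Options None
# keep Apache from running a PHP file that landed in the upload directory.
check_files_htaccess() {
  f="$1/.htaccess"
  [ -f "$f" ] || { echo "missing $f (re-save Administer -> Site configuration to regenerate it)"; return 1; }
  grep -q '^SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006' "$f" \
    || { echo "$f: SetHandler line is missing"; return 1; }
  grep -q '^Options None' "$f" \
    || { echo "$f: Options None is missing"; return 1; }
  echo "ok: $f"
}

# Live probe (needs network, site URL as $1): with .htaccess honoured,
# Apache answers 403 for a source file instead of serving it as text.
probe_site() {
  code=$(curl -s -o /dev/null -w '%{http_code}' "$1/includes/common.inc")
  if [ "$code" = "403" ]; then
    echo "ok: $1 refuses to serve source files"
  else
    echo "WARNING: $1/includes/common.inc returned HTTP $code; Apache may be ignoring .htaccess (AllowOverride)"
    return 1
  fi
}

# Constructed demo tree: a correct site next to one with a stripped files/.htaccess.
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/good/files" "$d/bad/files"
  printf '%s\n' 'RewriteEngine on' '<FilesMatch "\.(inc|module)$">' '  Order allow,deny' '</FilesMatch>' > "$d/good/.htaccess"
  printf '%s\n' 'SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006' 'Options None' 'Options +FollowSymLinks' > "$d/good/files/.htaccess"
  cp "$d/good/.htaccess" "$d/bad/.htaccess"
  printf '%s\n' 'Options +FollowSymLinks' > "$d/bad/files/.htaccess"
  for site in good bad; do
    check_root_htaccess "$d/$site" || true
    check_files_htaccess "$d/$site/files" || true
  done
  rm -rf "$d"
}

if [ "$#" -ge 2 ]; then   # real use: sh check_htaccess.sh /var/www/drupal /var/www/drupal/files [http://site]
  check_root_htaccess "$1" && check_files_htaccess "$2" || exit 1
  [ -n "$3" ] && probe_site "$3"
else
  demo
fi
```

If the offline checks pass but the live probe still returns 200, the files are fine and Apache is not reading them; look at `AllowOverride` for the Drupal directory in the server configuration.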

6. Secure the user login. Use the Secure Pages module to ensure that your login form posts to a secure page. Unless you do this, all your users' credentials are flying over the wire unencrypted, meaning that if one of your users is sitting in a coffee shop on wireless, an attacker could steal their password. This has implications for the threats listed above.

7. The upload module allows content creators to upload files, such as images, that are attached to their content. It is important to restrict the types of files that can be uploaded. The upload module is not enabled by default, but it is a core module (so every site has it). If your site has this module enabled, be sure to restrict the types of files that can be uploaded by logging in and going to Administer -> Site configuration -> File uploads. You should also restrict who may administer file uploads by going to Administer -> User management -> Access control and carefully reviewing the permissions in the 'upload module' section.

8. Keep an eye on your logs. This is a common-sense step that many people skip, whatever the system. Enable the watchdog module and keep an eye on log entries, especially your 'access denied' and 'page not found' errors. These may be signs of other trouble.
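Watchdog writes its entries to the `watchdog` table, so the log review this tip asks for can be scripted. The added example below (not code from the original post) has two parts: a query that pulls the last day of 'access denied' and 'page not found' rows, and an awk filter that counts those rows per client host and type and prints the hosts over a threshold, highest first. It assumes the Drupal 5/6 `watchdog` columns `type`, `hostname`, `location` and `timestamp` and tab-separated output as produced by `mysql -B`; the sample rows the demo uses are constructed.

```sh
#!/bin/sh
# Added example, not code from the original post. Triage of Drupal watchdog
# rows: which hosts are generating the 'access denied' / 'page not found'
# entries that tip 8 says to watch.

# SQL for the last 24 hours of the two event types (Drupal 5/6 watchdog table).
watchdog_query() {
  cat <<'EOF'
SELECT type, hostname, location
FROM watchdog
WHERE type IN ('access denied', 'page not found')
  AND timestamp > UNIX_TIMESTAMP() - 86400;
EOF
}

# Read tab-separated rows (type, hostname, location) on stdin and print
# "count<TAB>host<TAB>type" for every host/type pair seen at least $1 times,
# largest count first. A leading mysql header row is skipped.
flag_noisy_hosts() {
  threshold="${1:-20}"
  tab=$(printf '\t')
  awk -F "$tab" -v t="$threshold" '
    NR == 1 && $1 == "type" { next }
    NF >= 2 { n[$2 "\t" $1]++ }
    END { for (k in n) if (n[k] >= t) print n[k] "\t" k }
  ' | sort -rn
}

# Constructed sample: one host hammering non-existent pages, another poking
# at admin paths a few times. Addresses are documentation ranges, not real data.
sample_watchdog() {
  printf 'type\thostname\tlocation\n'
  i=0
  while [ "$i" -lt 25 ]; do
    printf 'page not found\t198.51.100.7\thttp://example.test/no-such-page-%s\n' "$i"
    i=$((i + 1))
  done
  printf 'access denied\t203.0.113.9\thttp://example.test/admin\n'
  printf 'access denied\t203.0.113.9\thttp://example.test/admin/user\n'
  printf 'access denied\t203.0.113.9\thttp://example.test/admin/settings\n'
  printf 'page not found\t203.0.113.9\thttp://example.test/old-page\n'
}

if [ "$#" -gt 0 ]; then   # real use: mysql -B -u drupal -p drupal -e "$(watchdog_query)" | sh watchdog_triage.sh 20
  flag_noisy_hosts "$1"
else
  sample_watchdog | flag_noisy_hosts 20
fi
```

A host that tops the list with hundreds of 'page not found' hits in a day is usually a scanner; a burst of 'access denied' from a single address against admin paths is worth checking against the user table for a compromised account, which is the "other trouble" the tip refers to.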

9. Be sure your platform, web server, PHP and database are up to date, patched and protected. The last thing you want is for your Drupal site to be compromised because of another system.

10. Enable HTTPS for logins and cookies. This keeps your users' sessions secure. You can follow the tips at http://drupal.org/node/53567 to enable SSL for user sessions.