Posted to Ben Finklea's blog on March 10th, 2010

A Drupal Website Security Guide

Successful cyber criminals are very good at what they do. That’s why millions of people each year get their identity stolen online and thousands of businesses are swindled by fraudulent internet shoppers. It doesn’t matter what kind of website you run, you need the proper security.

Just last Tuesday, March 2nd, Spanish police busted a ring of computer hackers who were responsible for infecting 13 million PCs with a virus that steals sensitive data from people, e.g. credit card information and social security numbers. The three men responsible are suspected of running the Mariposa botnet, which has infected PCs via Internet Explorer in 190 countries and more than half of the world’s 1000 larges companies, including at least 40 significant financial institutions. Three men. 13 million computers. Very good indeed.

Q: How are you locking your website’s proverbial doors at night?

I know that you may think this analogy may a bit silly and cliché, since hackers can strike at any time of day, through any cracked window, unsecured page, and dripping link. But it is a very important question, especially when someone’s business and financial well-being is at stake.

Allow me to reiterate: Three men, using a Microsoft browser, infected 13 million computers with a virus that steals your life. And how many aspiring hackers are there now that were just inspired by the Danny Ocean of Spanish cyber crime?

When you are building a website in Drupal, or any open source content management system for that matter, “hack-proof” security is absolutely essential. Which is why I hope you are reading this post before having a security issue, rather than after. Either way, you can relax now – this is a safe place. Take your time, enjoy your coffee, and review the following Drupal website security guide.

Drupal Security Issues

Whether you are a developer, site owner, programmer, or enthusiastic Drupal community member, a preliminary foundation of Drupal security knowledge is highly recommended. Because Drupal is open source, all the source code is available at all times. And with open source, bugs occasionally happen.

With thousands of Drupal modules available for configuration, and most of them from third-parties, it may not surprise you if there were a hole to wiggle through. These holes are opened when your modules and core version are not kept updated.

Drupal utilizes an open security model to publish system vulnerabilities, issue vulnerability patches, and get independent audits from third party tools and community members. Fortunately, Drupal has always fixed and updated with security patches as quickly as humanly (and publicly) possible.

Security Tips for Drupal Users

For the average Drupal site, the biggest step you can take to ensure that all your doors and windows are locked is by keeping your contributed modules and Drupal core updated to the newest version (As of publication, Drupal 6.12 and 5.18). Some past deployments of Drupal core and modules have significant changes – if changes aren’t made, security issues arise.

Here are seven more quick tips to ensure superior security on your Drupal site:

1. Set permissions on who can create accounts - is administrator oversight necessary in creating a new account?

2. Under Drupal user management, set different security privileges for anonymous and authenticated users.

3. Setup the firewall settings for your database server and web server to allow access on an as needed basis.

4. Assign new passwords for Drupal user 1, admins, databases, ftp, and other important accounts once every 90 days - at a minimum.

5. If you are making modifications to Drupal core or a module that future releases cannot be updated, create an independent security plan that covers these modifications when a patch is needed.

6. Run independent audits against your installation, such as Acunetix.

7. Use DrupalGardens or Acquia.

Mollom: Super-Spam Fighter II Turbo

Websites that encourage the most interaction are very successful. Comments, messages, and posts allow users to react, participate, and contribute to help develop an online community. But moderation is essential, as some comments are spammy and lowers the content quality of your community. It is also one of those cracked windows and unlocked doors we discussed earlier for bugs and hackers to crawl in through.

Enter Mollom, the Drupal super-spam fighter who kills comments, and contact form and registration form spam. It is a virtual “one-stop solution” for spam problems via CAPTCHAs (both image and audio), text analysis, and user reputations. (M. Bison’s got nothing on Mollom!)

Here are Mollom’s five sweetest moves:

• block comment form spam

• block contact form spam

• protect the user registration form against fake user accounts

• protect the password request form

• block spam on any node form, such as forum topics, articles, stories, and pages

Mollom is the brainchild of Drupal founder and project lead, Dries Buytaert. It is currently being used by nearly 20,000 sites that include Sony, Adobe, and NBC.

Just last month, Dries announced new features for Drupal’s Mollom module, version 1.11. Even more recently Dries discussed Mollom CAPTHCAs intelligence on his blog.

Drupal Security Team

If you discover a threat or weakness with Drupal, report it to [email protected]. Drupal’s security team resolves reported security issues, review code for potential weaknesses, provide assistance for security resolution, and provide documentation on how to write secure code.

To provide further information, learn how to report a security issue.

This is one of the best security teams there is, rocking around the clock so that Drupal doesn't get "hadoukened" by every hacker. In fact, Drupal's security team has been pounded out dragon punches left and right for years now.

Check out their past security announcements:

• Drupal Core

Contributed Modules

Public Service Announcements

Cracking Drupal: A Drop in the Bucket by Greg James Knaddison

Our good friend, Greg Knaddison, is a Drupal expert and has authored Cracking Drupal: A Drop in the Bucket. This is the first book that reveals the vulnerabilities and security issues that exist in Drupal sites and how to prevent them from ever happening. Learn how to build your Drupal site with hack-proof code and fix any potential vulnerabilities that develop.

This book is teaches you techniques for all skill sets: Drupal ninja to neophyte. It reads very well and walks you through effectively and efficiently. Here are a few nuggets of knowledge you will learn from this book:

• Prevent common ways that Drupal gets cracked

• Control the security of your site using Drupal's API

• Uncover parts of the attack surface that can expose your site

• Leverage resources from the Drupal Security Team

Cracking Drupal is available to buy right now.

Drupal Security Is Critical to Business

I hope you found this Drupal security guide helpful for learning about Drupal security policy, risk, and how to report or fix bugs. Volacci is by no means an expert in Drupal security, but with our years of optimizing Drupal sites, we have learned how to handle most security issues. Please use this post as a resource if and when you run into a problem. And please buy and read Greg Knaddison's book, it is a critical source of information for all Drupal users, no matter your skill set.

Thanks For Reading!

Did you find this post entertaining, useful, or interesting? Please repost, retweet, or redistribute to any of the social sites of your choice, and please subscribe to our RSS feed for daily fodder. For every RSS subscription Volacci gets, a kitten earns its whiskers. You like kittens, don’t you? Do the right thing, then. Subscribe.

We also are very interested in what you have to say in response to this blog post. As always we are very grateful for you, our reader, and greatly value your input. Please start a conversation with a comment below.