How to keep your Drupal website secure

27.06.18 IT / Drupal 2639

Drupal is happy with the secure CMS , but some additional security measures need to be taken. This can be done directly after installing the system, which is highly recommended, or at the current production site. It is important to do this, as further security of the site depends on it.

There is even a whole separate area in IT technologies - information security. This is no accident, because nowadays, security is really important. Some of the most important steps to secure your Drupal site are:

• select and install only the latest kernels, modules and themes. This is the only way to prevent a site from being hacked with the help of well-known vulnerabilities, because as soon as an update is released, it describes a hacking method, anyone can take advantage of this and take over your site. You should not choose old versions, even if they have unique functionality or design, security is more important;
• delete unnecessary files from the root directory that can help an attacker get information about your site, these are "CHANGELOG.txt", "COPYRIGHT.txt", "INSTALL.txt", "LICENSE.txt", "MAINTAINERS.txt" , "README.txt", "UPGRADE.txt". You can safely delete them, it will not damage the site;
• remove an entry of the form " meta name =" Generator "content =" Drupal 7 (http://drupal.org) "" from the source code of the page. Also important for security, how to do this can be easily found in the search;
• check and set rights to Drupal folders and files : all folders - 750 (755), all files - 640 (644), / sites / default - 550 (750), / sites / default /settings.php - 440 (444), / sites / default / files including subfolders - 770 (775), files - 660 (664). Additional softer options are indicated in brackets, if suddenly the hosting does not allow installing the main ones;
• enable automatic check for updates so that as soon as an update is released, instantly install it in manual or automatic mode;
• it is important to think over how the data will be backed up and restored, for example, you can install the Backup and Migrate module, or it is better to save and restore data yourself. Choose a hosting on which backups are stored for at least a month, as you may find out late that the site has been hacked - then you will have to spend a lot of time and effort on manual data recovery. Also, you will first have to find and fix the vulnerability so that the hack does not repeat itself;
• set only complex passwords, both for access to the site admin panel and for ftp access. It is also important to have systems to prevent automatic password guessing, for example, install captcha on the site . If the passwords are not complex or have not been changed for a long time, it is important to change them as soon as possible.

Thus, we have reviewed the basic steps that need to be taken on the site to Drupal security settings . After completing them, the site's security level will increase significantly.