Drupal End User Security

Posted By admin / December 7, 2011

Securing Your Website

What is security? Well, a good definition of security is protecting things of value from harm’s way. When applying that definition to a website, one may contemplate whether or not any site is really secure. The fact of the matter is that there can and will never be zero risks online. The key is to minimize risk as much as possible.

As an owner of a website that runs the Drupal content management system, there are several tips that you can follow which will help you minimize the security risk for both you and your visitors. Always think in the long term, and remember that information security is everyone’s responsibility.

The first place to start minimizing your security risk is at your local workstation. Your personal machine is and should be, everything to you. It needs to be protected. Always keep this computer up to date with the newest updates or patches. Using automatic updates is perfect for this. A solid anti-virus software is needed too. Always make sure that the virus definitions are kept current.

Now that you know your computer is secure, you will want to make sure your internet connection is unable to be monitored. A secure sockets layer is definitely a best practice, especially when using an unverified connection. Using HTTPS is the best way to ensure that your traffic is being passed along without being captured by an unauthorized third party.

Login Security

When logging into your Drupal site, you should consider a sFTP/SSH client over classic FTP. FTP credentials are passed unencrypted when logging into your site. This has obvious security issues. If you must use the classic FTP, always make sure to deny anonymous login, and never store your credentials on the client itself.

Speaking of credentials, there are some key tips when it comes to passwords that you should know about. Change your passwords regularly. Never share them with anyone. It is best to memorize your passwords, but you can always use password management software to do that for you. To remain super secure, try using a passphrase instead of a password. A passphrase is usually 8 or more characters in length and combines letters, numbers, and special characters.

Find the Right Hosting

Before you actually build your site, you should take a good hard look at where you plan on getting your hosting. Cheap hosting doesn’t mean it’s secure. You may end up on a server that is shared with malicious sites. You could be with a host that doesn’t update software regularly or stores account credentials in an unsecured way. Quality hosting is important!

When it comes to security on the Drupal platform, there’s a lot to know. Generally, you will want to always update to the newest version of the platform. Keeping your modules updated is important as well. If you’re having an issue with the platform or a module, research the problem prior to trying to fix it yourself. There is probably a patch created for it.

Add the following code to force HTTPS on login:

Define(‘FORCE_SSL_LOGIN’,true);

Additional Measures

Make sure to White List only the IP addresses that are allowed to access the admin backend. This is a surefire way to keep any unauthorized party out of your dashboard.
When searching for templates and modules, only download from known and trusted sources. Search engines are great for finding a ton of information. However, not all the information that you find is secure. Stick to sources that are well trusted in the community.

Change the default ADMIN username to something of your choosing. This is like adding a second password to your account essentially. The best way to do this is to create a new account within your Drupal site. Assign this account Administrator rights. Log out and log back in with the new account name. Finally, delete the ADMIN account.
As you can see, it does take some work to be a secure webmaster. Thankfully, most of the tasks involved are very easy to accomplish and become second nature once you have done them a few times. Always remember that your website is a long-term investment. It is best that you keep it secure for the sake of yourself and your visitors!