Drupal is recognized one of the most scalable and secure web development platform. There're milliions of global users and developers rely on it for various website purpose. The drupal core is already a well developped and safe system. Security issues are mainly from user end during operation process. Based user experience and professional suggestions, we carry out the following 6 tips in securing a drupal website.
Keep updated and backup regularly
The simple but crucial requirement. The drupal project is pretty active and provides frequent updates. Just follow this official guidance to update your drupal core to latest release. Since all drupal site date is stored in mysql database, so pay extreme attention to it.
Backup is also a MUST. As drupal official suggested, we should generate a backup before any update/upgrade in case anything goes wrong. Especially when you operate a business site that includes a lot of sensitive data, you should back up more frequently, probably schedule a daily solution.
Use a safe theme
Drupal is safe, but not all drupal themes are! There're tons of official and non-official drupal themes for different website requirements. We must use a trustable theme resource. A high quality drupal theme is not just able to beautify the website layouts but also come with professional and safe code design. Everything is tested and optimized before final release to make sure end users can use it safely. Those cracked or less trustable themes should be avoided for any reason.
Proper file permission
This refers to hosting account configuration in control panel. Make sure to set the correct file permission by following this official guidance. You can also configure to following recommended settings directly
/default on 755
/default/files including all subfolders and files on 755
/default/themes including all subfolders and files on 755
/default/modules including all subfolders and files on 755
/default/settings.php and /default/default.settings.php on 644
Incorrect permission settings will bring bit potential issues because hackers are very diligent in finding our website bugs.
Strong password is always suggested for all drupal sites. Not just for website password but for its backend mysql database and ftp password too. We should also pay attention to different website user accounts and make sure they get correct rights.
Sign up a protection service
Regulary scanning of our drupal sites can greatly reduce hacking opportunites. A trustable third party service can simplify the process by automatic schedules. From lots of drupal professionals experience, mollom is highly suggested by them. Especially for drupal sites that come with frequent interaction between the readers and authors, the mollom solution provides side by side protection such as the following
- Blocks spammy comments on any node, articles, pages, forum topics etc.
- Blocks contact form Spam.
- Protects the original user registration/subscription from fake user accounts.
- Protects user’s password request form
Use a reputable drupal hosting
A safe and drupal compatible hosting service is a must to power a successful site. Unlike many other open source cms softwares, drupal works a little different and requires extra server support to get everything working properly. Leading drupal hosting plans always provide newest server and customer support. They have great FAQ and video tutorials in using the software professionally