How to improve the security of your Drupal

Here are some tips on how to make your Drupal site more secure:

  • Protect files and directories on your Drupal hosting account. The .htaccess file that comes with every Drupal installation package already contains rules for that; simply don't remove them.
  • Use a complex password for your administrator account: a random string of upper- and lower-case letters combined with numbers and symbols. You can also require users to choose such a complex password when they register; for this purpose you can use a module such as Password Policy.
  • Perform regular backups of the Drupal files on your hosting account and of the MySQL database used by the application.
  • Update your Drupal application when there's a new stable version.
  • Install your Drupal in a separate database and don't install other web applications in it. Use a different database user and password for each database.
  • Make sure that your Drupal files and folders don't have world-writable permissions such as 666 (rw-rw-rw-) and 777 (rwxrwxrwx).
  • Install only stable versions of third party modules (contributed modules), and install only modules that you really need.
  • Use SSL encryption to protect the transfer of sensitive information (e.g. passwords). To use this security feature you need a private SSL certificate; you can purchase one from the HostKnox client area.
  • Allow only trusted users to use the Full HTML text format. If you add allowed HTML tags to any other text format, make sure that you don't include tags that can cause security issues (e.g. <script>, <img>). Alternatively, give permission to use such a text format only to trusted users.
  • Keep the admin approval and email verification settings enabled for user registration. They are enabled by default. You can also add more required fields to the user registration form and include a visual challenge by using a module such as CAPTCHA.
  • Don't give unregistered users/visitors the permission to post comments. If you do, use a spam protection module such as the above-mentioned CAPTCHA to protect your site from spam bots.
  • Be careful with user roles and permissions. Give administrative permissions only to roles that are assigned to trusted users.
  • Disable the display of errors. You can do that from the admin panel of your Drupal site (Configuration tab > Logging and errors).
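
The permissions tip above is easy to check from the shell of your hosting account. The script below is an added example and not part of the original article or of Drupal itself: it lists every world-writable file or directory (modes such as 666 and 777) below a document root and can remove the world-writable bit. The DOCROOT path is an assumption; replace it with the directory where your Drupal files live.

```shell
#!/bin/sh
# Added example (not from the original article or from Drupal): audit a
# Drupal document root for world-writable files and directories.
# Octal 002 is the "others can write" bit, so -perm -002 matches 666, 777
# and any other mode that grants write access to everyone.

# Print every world-writable regular file or directory below $1.
find_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) -print
}

# Count the matches; handy for a quick pass/fail check in a cron job.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Remove only the world-writable bit and leave the rest of the mode alone.
# Drupal code files are normally 644 and directories 755; the web server
# user needs write access to sites/default/files, but that is granted via
# the owner or group bits, never via o+w.
fix_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) -exec chmod o-w {} +
}

# Usage (DOCROOT is an assumed path, adjust it for your account):
#   DOCROOT="$HOME/public_html"
#   find_world_writable "$DOCROOT"      # review the list first
#   fix_world_writable "$DOCROOT"       # then tighten the permissions
```

Run the audit function first and review its output before fixing anything, so that a directory you deliberately made writable for uploads is handled by adjusting ownership rather than by re-adding world write access.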

For more details you can also check out the Drupal security tutorial.
