Drupal Security Tutorial
How to secure Drupal
In this tutorial we'll make some suggestions on how to make your Drupal site more secure. The order in which the suggestions are listed is not related to their importance in terms of security.
Block Access to Directories and Files
You can block access to files and directories on your Drupal hosting account, so that visitors won't be able to open them.
Drupal has some rules related to this in the default .htaccess file that comes with the installation package. These rules block access to different files and folders that are required for the normal functioning of the application but visitors and users don't need to have direct access to them. So in this respect your Drupal installation is secure without the need for you to do anything additional.
You can block access to any folder on your hosting account by putting a simple rule in an .htaccess file in that folder. For more information on how to do it read the article on blocking access to folders on your hosting account.
Passwords
For a password for your admin account (the first account that's created during the installation) use a random combination of upper and lower case letters, numbers and symbols, and make it at least eight characters in length (e.g. L8~dP*y+F).
You can also impose rules on the passwords that registered users can have. You can do this by using a third party module like Password Policy. You can set a minimum length of the password and the minimum number of letters, digits, punctuation characters, etc.; you can also set various other password rules.
Backup
Whatever you do, perform regular backups of the database used by your Drupal installation and of the Drupal files on your hosting account.
In the worst case scenario that something happens to your site, having an uncompromised backup copy of the database and the files will make restoring your site easy. It's recommended that you keep several backups from different dates. You can back up the MySQL database by using phpMyAdmin, or alternatively you can do it through SSH. To back up the files, you can download them from your Drupal hosting account to your local computer with an FTP client. Of course, you can also do that through SSH.
For more details on how to perform a backup check out the tutorial on backing up your site. If you want to do it through SSH, you may find useful the articles on exporting a MySQL database via SSH and on downloading and uploading files via SSH.
Update
When there's a new stable Drupal version, it's a good idea to update your current one. Updates have various performance and security improvements. If there's a new security update, make sure you install it as soon as possible.
By default, Drupal checks for updates automatically, so you'll be informed if there are new updates. You can always check from the admin panel of your Drupal. For that purpose and for editing the update settings you can use the Available updates report (admin>Reports tab>Available updates). For more details on reports check out the tutorial on managing Drupal reports.
Database
Although you can install many Drupal instances, as well as other web applications, in one database, it's recommended to use a separate database for each installation. It's also advisable to use a different user with a different password for each database. You can create databases and create and assign users to them from the Databases section of the HostKnox control panel.
File Permissions
All HostKnox servers automatically set the permissions on your hosting account to 755 (rwxr-xr-x) for folders and to 644 (rw-r--r--) for files. These are the correct permissions that you need. After you install Drupal on your account most files and folders will have these permissions by default. There are a few exceptions. Some exceptions are the default directory and the settings.php file which Drupal sets automatically to have the permissions of respectively 555 and 444 for better security. If, for example, your Drupal is installed directly in the public_html directory on your hosting account, the path to them would be public_html/sites/default and public_html/sites/default/settings.php. Files and images that you've uploaded through the admin panel of your Drupal may have permissions of 664. These are also acceptable permissions. By default, they are saved in public_html/sites/default/files on your hosting account. Some folders inside public_html/sites/default/files might have permissions of 775 which is also fine.
The important thing is not to have world-writable permissions such as 666 (rw-rw-rw-) and 777 (rwxrwxrwx). You can change permissions from the Files section of the HostKnox control panel or by using an FTP client. Of course, you can also change file and folder permissions through SSH. For more information on permissions you can also read the tutorial and file and folder permissions.
Modules
Install stable versions of third party/contributed modules. Don't install too many contributed modules because this may add more possibilities for security breaches. Install only modules that are useful for your site and that you need.
SSL Encryption
The SSL (Secure Sockets Layer) protocol is used for the safe transfer of sensitive information. It encrypts the transfer of data between the client (local computer) and the server, so that data is transferred through HTTPS instead of HTTP. To use SSL with your site, first you need to have a private SSL certificate. You can order one from the HostKnox client area.
You can encrypt the transfer just of sensitive information (e.g. user registrations and logins, transfer of credit card information, etc.), or you can encrypt all the transfer. Using only HTTPS, however, takes more resources and will slow down your site. It's recommended to use encryption only for the transfer of sensitive information. Once you have the SSL certificate you can use modules such as Secure Login to determine which sections of your site should use HTTPS.
Text Formats
By default, Drupal comes prepackaged with three text formats: plain text, filtered HTML and full HTML. The plain text format can be used by users belonging to any user role; the filtered HTML can be used by those belonging to the three preconfigured roles (anonymous users, registered users, administrators), and the full HTML format can be used only by administrators. Be careful with text formats; allow only users that you really trust to use the full HTML format.
With the filtered HTML format be careful if you add more allowed HTML tags to the ones that are already allowed by default. Be extra careful with allowing tags such as <img>, <script>, etc. In general, when allowing HTML tags for any text format, you should allow only trusted users to use these text formats.
Drupal also comes prepackaged with a core module called PHP filter. It's disabled by default. If you enable it, this will add a text format that can be used to execute PHP code. This is a very dangerous function that can cause serious security problems. By default, when this text format is added no user role is allowed to use it. If you allow somebody to use it, it has to be a person that you really trust and that knows exactly what they're doing.
For more details on text formats check out the tutorial on managing Drupal text formats.
User Registration
After you install Drupal, the user registration settings are preconfigured in such a way so that administrator approval is required and email verification is required too. This means that after a user registers their account has to be activated by an administrator. Once that is done, the user will receive an email with a one-time temporary password. Then the user can register using the link in the email and set their own password. To manage these settings, log in to the admin panel of your Drupal and go to Configuration tab>Account settings. For more information on user settings check out the tutorial on managing users in Drupal.
For better security it's recommended to keep these settings enabled. Otherwise, you can disable email verification and admin approval but that means less control and poorer security. If you want to, you can also include additional required fields on the registration form. You can do this to discourage some of the human spammers from registering and to help you stop spam bots. For more information on how to do it read the article on adding fields on the registration form in Drupal. You can also find useful the tutorial on managing Drupal fields.
You can also use a module such as CAPTCHA to include additional tasks on the registration form, as well as on the comment, contact, and user login forms, to make it more difficult for spam bots. You can find different spam protection modules in the modules section of the official Drupal site.
User Roles and Permissions
The Drupal system of roles and permissions allows you to control what users can do on your site. Assign roles with more permissions only to trusted users. You have to be carefully specifically with the administering permissions and especially with administer users and administer roles. For more details on roles and permissions check out the tutorial on managing user roles and permissions in Drupal.
If there's a user, whether registered or anonymous, that causes troubles and you want to ban them from your site, you can use the built-in Drupal function for blocking IP addresses. To use it, in the admin panel of your Drupal go to Configuration tab>IP address blocking.
Guest Posting
By default, the Drupal permissions are configured in a way so that visitors/unregistered users can't post comments. They can only view them. In terms of security it's recommended not to give them that permission. If, however, you decide to let guests post comments, use some spam prevention module such as CAPTCHA to minimize the chances of spam bots posting on your site.
Display of Errors
Drupal is preconfigured to display error messages by default. Thus, when there's a problem it shows the path to the file on your hosting account that causes the problem and the line(s) within that file. Or it can also display an SQL error message. This can be helpful when building a site but it's not recommended once the site is open to visitors. To disable the display of errors, log in to the admin panel of your Drupal, click on the Configuration tab and on the page that opens click on Logging and errors (in the Development section). On the following page mark the button None that's under Error messages to display and click on the Save configuration button.