In our previous article, 13 Handpicked WordPress Plugins for Security, we focused on the ways you can make your WordPress platform more secure. In this article we will concentrate our attention on one of the other popular blogging platforms – Drupal. We will make sure that all the important steps for securing it and its most valuable additional modules are brought to your attention.
As Drupal usually runs on the full LAMP (Linux, Apache, MySQL, and PHP/Perl/Python) stack, your first step in securing your server should be to make sure that you are using the most up-to-date and secure versions of all of these components. The probability of a successful hacking attempt against your site drops by something like 30% just by making sure that everything that can be updated actually is up to date.
The second thing you can do is to rely only on secure communication protocols such as SSH, SFTP, FTPS, and HTTPS. You had better forget about sniffing-friendly FTP, Telnet, HTTP, and Total Commander. You should also use strong passwords and back up your content regularly.
Something else worth mentioning is that most people think open source programs are easier to hack. Experience shows that this is not really true: as the source code is open for anyone to review, many people report problems and suggest improvements. All bugs are sent privately to the Drupal Security Team, which investigates them and publishes solutions, usually by means of Security Advisories (SAs). You can subscribe to these SAs so that you can install the fixes as soon as they become available.
After the initial hardening procedures, you can also help yourself with some of the security modules available on the drupal.org site. They are all tested by the Drupal Security Team upon upload and are periodically reviewed when problems are reported. Some of the modules worth mentioning are:
• Security review – checks your site for easily made configuration mistakes and gives you a summary of the results. It looks at database errors, failed logins, usernames used as passwords, etc.
• Login security – lets you limit the number of unsuccessful login attempts and set the policy applied when the limit is reached, e.g. blocking the user’s IP address temporarily or permanently. It can also be set to notify the administrator when a brute-force attack is in progress.
• Update manager (Update Status in Drupal 6) – automatically checks for new versions of Drupal core and of the contributed modules and themes you have installed. You can monitor the log to see which updates are available, or set up notifications.
• CAPTCHA – a very popular module used to make visitors prove they are human before they are allowed to submit a comment or any other form. Using this module, you eliminate the risk of spam bots filling your site with unwanted content: the visitor is asked to type the distorted characters shown in an image to prove they can read them.
• Content Access – lets you control which authors or roles can view each content type, and can also set editing and deleting permissions per content type. It relies on the ACL module for its operation.
• ACL – cannot be used on its own, as it has no user interface, but it provides an API (application programming interface) that other modules use to create lists of users and grant them access to nodes.
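The login-attempt policy described under Login security above (a temporary block after too many failures in a short window, a permanent block after many failures overall, and an alert for the administrator), as an added example that is not the module's own code. The thresholds, the record format and the sample failed-login records are constructed assumptions for the demonstration.

```python
# Added example of the failed-login policy the Login Security module applies
# (not the module's code). Thresholds and records below are constructed.
from collections import defaultdict

TEMP_THRESHOLD = 5      # failures inside the window trigger a temporary IP block
PERM_THRESHOLD = 20     # lifetime failures trigger a permanent IP block
WINDOW = 600            # sliding window (seconds) for the temporary block
TEMP_BLOCK = 900        # length (seconds) of a temporary block

class LoginGuard:
    def __init__(self):
        self.recent = defaultdict(list)   # ip -> failure timestamps in window
        self.total = defaultdict(int)     # ip -> lifetime failure count
        self.temp_until = {}              # ip -> time the temporary block ends
        self.perm_blocked = set()
        self.alerts = []                  # what the administrator would be sent

    def is_blocked(self, ip, now):
        return ip in self.perm_blocked or now < self.temp_until.get(ip, 0)

    def record_failure(self, ip, user, now):
        """Register one failed login and return the policy action taken."""
        window = [t for t in self.recent[ip] if now - t < WINDOW] + [now]
        self.recent[ip] = window
        self.total[ip] += 1
        if self.total[ip] >= PERM_THRESHOLD:
            self.perm_blocked.add(ip)
            self.alerts.append(f"{ip} permanently blocked after {self.total[ip]} failures")
            return "permanent_block"
        if len(window) >= TEMP_THRESHOLD:
            self.temp_until[ip] = now + TEMP_BLOCK
            self.alerts.append(f"{ip} temporarily blocked; brute force against '{user}'")
            return "temporary_block"
        return "allow"

def replay(records):
    """Feed (timestamp, ip, username) failed-login records through the guard."""
    guard, actions = LoginGuard(), []
    for ts, ip, user in records:
        if guard.is_blocked(ip, ts):
            actions.append("rejected")    # refused before any password check
        else:
            actions.append(guard.record_failure(ip, user, ts))
    return guard, actions

# Constructed records: one IP hammering 'admin', one IP with a single typo.
SAMPLE = [(t, "203.0.113.7", "admin") for t in (0, 10, 20, 30, 40, 50)]
SAMPLE += [(100, "198.51.100.9", "editor"), (1000, "203.0.113.7", "admin")]

if __name__ == "__main__":
    print(replay(SAMPLE)[1])
```

Running the replay shows the fifth failure from 203.0.113.7 triggering the temporary block, the sixth being rejected outright, and the same IP allowed again once the block has expired.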