Today in this post I will share some tips to protect your drupal site. Nowadays one of the most renowned free and open-source platforms for web content and user communities is Drupal . Though fame is a pretty nice thing, sometimes it brings not only success, but also troubles. And Drupal can prove it, as due to this fact all Drupal powered websites have become victims of hackers trying to break them. For this reason I find it rather important to inform you how to protect Drupal sites. In this article I have gathered all possible tips which can prevent from hackers’ attacks, or at least their atrocious consequences.
The first thing I would probably pinpoint your attention upon is hosting. While you are looking for a web host, remember that Drupal has got a nice compatibility and it can operate well on web servers which support PHP and MySQL database. However it doesn’t mean that all of them have got the same security level. Therefore before choosing a hosting company you can really count on, carry your own little investigation. You can consult with the representatives of Drupal Support, for instance, and find out what companies use progressive technologies like firewalls, SSL and SSH, and can guarantee you an adequate protection.
Why do people buy new things? The answer is simple enough – they are better. Their quality, form and functions are up-to-date and all this stuff can’t but make you become their owner. Imagine that Drupal is a car and from time to time you need to change its tires in order to steer clear of any kind of an accident. The same is with Drupal itself – it needs an upgrade for a high-quality work. That is why if there is an upgraded version of the system (both Drupal core and Drupal modules), don’t delay to get it – maybe it will save you from an odious cracker planning to authorize your site. The point is that when the new version is out, the hacking patch of the old one becomes automatically public. Consequently, there is a green light for virtual trespassers.
Nevertheless, while upgrading, keep in mind that there is a set of rules to follow in order to achieve the best result. The first thing to do is to make a copy of your data base every time you are going to upgrade. The next step includes the change of your mode into off-line. Then download Drupal’s brand-new version and upload it to the root of a necessary website. In case you’ve got some changes in such files as .htaccess, supplicate them with the new files you’ve just downloaded. The other way to run upgrade is to use Drush Site Upgrade, which helps you to get the upgraded Drupal install and its modules.
However, if you are likely to forget about upgrading, the best way to prevent attacks is to remove the CHANGELOG.txt file that comes with the installation. In this case no one will know the exact version of your Drupal core and modules.
It is also important to check whether everything goes well getting a look at the Status Report page. This section will inform you about all the slightest changes which happen in the work of your system and it will also warn you about the hacking attempts. Besides, The Status Report will remind you when it’s time to get the newest upgrade to give your website a maximum protection. Just don’t forget to do it regularly.
What do you do with the things you do not use and need anymore? Right! You throw them away. Do the same with the unused modules, because they turn into the risk factor which attracts crackers. Besides, this will help you to decrease maintenance time and avoid such unpleasant processes like the slow down of the Drupal system and its installation. That is why during the upgrading process, delete those modules, which are not active.
There is no doubt that administrator permission plays one of the key roles in the protection strategy. Choose only those people whom you trust, especially if it concerns an editor and users who’ve got an access to your Drupal install, host’s control panel and other files. In case you can’t trust this person 100% – use some limits of his/her actions. One more piece of advice presupposes a careful email procedure, in which you do not send any passwords. Moreover, if you are not eager to let somebody write or run scripts on your blog, choose “CHMOD” in the FTP program (if your server allows this, of course) in order to see the current permissions and restrict the access to the important files.
Another issue to take care of is a login operation. One of the ways to make this process secure is to limit the number of invalid login attempts. So if you have noticed any hackers trying to break your site, you’d better ban their IP addresses either permanently or temporarily. This option is available while using one of the Drupal modules, namely Login Security. In fact, it is a scrumptious tool which is worth of special mentioning. Login Security restricts access attempts and it informs the users, who became crackers’ targets that there’s something wrong with their logins, like password brute forcing and account information guessing.
For further security do not disregard the importance of the strong passwords, whatever trite and repetitive it may sound. No phone numbers, birthday dates or simple words which are easy to decode. Strange as it may seem, but the best way is to be illogical, because then it’s rather difficult to predict and guess what combination of letters and numbers you’ve chosen. You can also use Password Policy to make sure your password is really safe.
In order to get protection against the bad submissions from spambots use Completely Automated Public Turing test, i.e. CAPTCHA, which tells computers and humans apart. The principle of its work presupposes a composing of random letters and numbers which have to be entered by people.
Whatever protection you’ve got, there is always a chance to be cracked. That is why to be on the safe side, you need to get ready for any kind of emergency before it will happen. Fortunately, Drupal has got several modules which together create a good Plan B. The first module is Security Review which probes for weak spots and helps to remove them. Backup and Migrate is your second must-have. This module makes it possible to schedule backups and make an import of the saved database.