Securing Your Drupal Site

Drupal is a versatile content management system that is used for a wide variety of purposes on the web.  As one of the largest open source projects in the world, with thousands of developers contributing code, maintaing a proper security posture has become paramount. 

Drupal maintains a team of web security experts who are always on call to address any issues that may arise.  They are responsible for the security of thousands of government, health-care, and banking sites, so you can trust that Drupal takes security very seriously. 

Compare this with Microsoft SharePoint, with which many survey respondents who used the system reported that they were unaware of who was responsible for security.  SharePoint, incidentally, was running on the server from which Bradley Manning was accused of leaking hundreds of thousands of government documents to WikiLeaks.

Drupal's Defenses

While Drupal code is rigorously examined and tested, vulnerabilities do occasionally arise.  These are usually caused by using API's incorrectly.  This is how Drupal deals with some of the most critical security concerns facing web organizations.

Broken Authentication

Authentication and user account information is handled by the Drupal core, with sessions being destroyed upon logout.  Passwords are hashed and salted according to a Portable PHP Password Hashing Framework algorithm.

Cross Site Request Forgery

Drupal uses the Form API to protect against forgery.  Actions with side effects are typically handled with the HTTP POST method.  One-time tokens for validation are used for less important actions, while unique form tokens are used for more important actions.

SQL Injection

Drupal makes it more difficult to accidentally create injection holes by implementing a hardy object-oriented database API.  Safeguards are put in place to limit the areas where files can be written, and dangerous file extensions are automatically changed.

Maintaining Security

There are a number of things you can do to ensure that your web security is the best it can be.  Chief among these are keeping your system updated, as security enhancements and tests are frequently included in updates.

To stay current with the latest security updates, consider subscribing to the Drupal security email list.  This requires a Drupal profile, from which you can subscribe to the security newsletter.  A list of sent messages can be found on the security advisories page.  You can also find security advisories and other security news via the Drupal security Twitter account, @drupalsecurity.

To read and participate in a discussion of Drupal security best practices, see the discussion page here. 

For a fairly comprehensive guide on site security in general, see the security administration guide.  Included are sections on securing file permissions, enabling HTTPS, and frequently asked questions.

If you spot a security vulnerability within Drupal, the appropriate thing to do is report it to the Drupal security team.