Abstract image of a woman sitting on books and studying on a laptop

Keeping your Drupal site secure 2013

Download as ODP, PDF
S
scorlosquet

This document discusses keeping Drupal sites secure. It recommends using HTTPS, SSH, strong passwords, and limiting permissions. Drupal 7 introduced stronger password hashing and login flood control. Modules can enhance security, and hosted options like Pantheon focus on security updates. Site maintainers should follow best practices, take backups, and sanitize shared backups. Drupal 8 introduces Twig templating to prevent PHP execution and filters uploaded images to the same site. References are provided for further security information.

1 of 14
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
Keeping your Drupal Site Secure Stéphane Corlosquet scorlosquet@gmail.com Training at BADCamp October, 2013
General tips ● Use HTTPS, SSH, SFTP ● Strong password policy ● Server – LAMP stack ● Require SSH keys ● Roles and permissions ● Keep your site settings secure – – – Permissions Text formats PHP filter
Drupal 7 ● Stronger password hashing / salt ● Login flood control – ● Protected cron – ● prevents brute-force credential guessing prevents Denial of Service attacks Update manager – Update module from the web UI
Modules enhancing security ● Secure login ● Password policy ● Paranoia ● Hacked! ● Permissions Lock
Drupal specific hosting ● Can your hosting provider help you improve your security process? ● ● ● Insight (part of Acquia Cloud hosting) Pantheon (self-service security updates) Tuned for Drupal security (and performance) ● Code, DB, uploaded files, config ● Managed security updates: – Remote administration (Acquia)
Security process ● Ongoing maintenance ● Cost ● Managed hosting ● Drupal.org packaging infrastructure
Security process ● Drupal Security Team ● Keep Drupal code secure in core and contrib ● Educate the community on security best practices – – – – ● Developers Site builders Site administrators and users Decision makers Security Advisory for every security release
Security process
Developers & site maintainers ● Follow Drupal APIs and best practices ● Take & verify backups ● Sanitize backups for sharing
Cross Site Scripting
Drupal 8 ● Twig as templating language – – ● WYSIWYG in core – – ● Automatically sanitizes strings on output No PHP in templates Streamlined filter mechanism (server and client side) No more full HTML as last resort Local image input filter – Only allow images from same site
Book on Security in Drupal
References ● DGD7 chapter 6 ● http://drupal.org/security ● http://www.drupalscout.com/ ● http://groups.drupal.org/best-practices-drupal-security
Thanks! ● Stéphane Corlosquet: – – – scorlosquet@gmail.com @scorlosquet http://openspring.net/

More Related Content

PDF
Security - Drupal Decision Makers training
scorlosquet
 
PPTX
Nginx [engine x] and you (and WordPress)
Justin Foell
 
PPTX
Selfhosted Hosting
Martin Huber
 
PDF
Стажировка 2015. Разработка. Занятие 5. Использование nginx
7bits
 
DOCX
ATUL UPADHYAY ADMIN
ATUL UPADHYAY
 
PDF
Schema.org & Drupal (FR)
scorlosquet
 
PDF
Drupal 7 and schema.org module (Jan 2012)
scorlosquet
 
PDF
Using schema.org to improve SEO
scorlosquet
 
Security - Drupal Decision Makers training
scorlosquet
 
Nginx [engine x] and you (and WordPress)
Justin Foell
 
Selfhosted Hosting
Martin Huber
 
Стажировка 2015. Разработка. Занятие 5. Использование nginx
7bits
 
ATUL UPADHYAY ADMIN
ATUL UPADHYAY
 
Schema.org & Drupal (FR)
scorlosquet
 
Drupal 7 and schema.org module (Jan 2012)
scorlosquet
 
Using schema.org to improve SEO
scorlosquet
 

Similar to Keeping your Drupal site secure 2013(20)

PDF
Drupal and Security: What You Need to Know
Acquia
 
KEY
Drupal Security Intro
Cash Williams
 
PDF
Drupal and security - Advice for Site Builders and Coders
Arunkumar Kupppuswamy
 
PDF
Doing Drupal security right from Drupalcon London
Gábor Hojtsy
 
PDF
Understanding and implementing website security
Drew Gorton
 
PDF
Doing Drupal security right
Gábor Hojtsy
 
PDF
Drupal Security Seminar
Calibrate
 
PDF
Hong kong drupal user group nov 8th - drupal 7.32 security vulnerability
Ann Lam
 
PDF
Hong Kong Drupal User Group - Nov 8th
Wong Hoi Sing Edison
 
PDF
Hong kong drupal user group nov 8th - drupal 7.32 security vulnerability
Ann Lam
 
PDF
Hack proof your drupal site- DrupalCamp Hyderabad
Naveen Valecha
 
PDF
Drupal Security from Drupalcamp Bratislava
Gábor Hojtsy
 
PDF
Understanding and Implementing Website Security
Drew Gorton
 
ODP
Drupal Security Hardening
Gerald Villorente
 
ODP
Drupal Security Hardening
Gerald Villorente
 
PDF
Drupal security
Jozef Toth
 
PDF
Tips on Securing Drupal Sites
cgmonroe
 
PDF
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
cgmonroe
 
PPTX
Drupal Security: What You Need to Know
Mediacurrent
 
PDF
Attacking Drupal
Greg Foss
 
Drupal and Security: What You Need to Know
Acquia
 
Drupal Security Intro
Cash Williams
 
Drupal and security - Advice for Site Builders and Coders
Arunkumar Kupppuswamy
 
Doing Drupal security right from Drupalcon London
Gábor Hojtsy
 
Understanding and implementing website security
Drew Gorton
 
Doing Drupal security right
Gábor Hojtsy
 
Drupal Security Seminar
Calibrate
 
Hong kong drupal user group nov 8th - drupal 7.32 security vulnerability
Ann Lam
 
Hong Kong Drupal User Group - Nov 8th
Wong Hoi Sing Edison
 
Hong kong drupal user group nov 8th - drupal 7.32 security vulnerability
Ann Lam
 
Hack proof your drupal site- DrupalCamp Hyderabad
Naveen Valecha
 
Drupal Security from Drupalcamp Bratislava
Gábor Hojtsy
 
Understanding and Implementing Website Security
Drew Gorton
 
Drupal Security Hardening
Gerald Villorente
 
Drupal Security Hardening
Gerald Villorente
 
Drupal security
Jozef Toth
 
Tips on Securing Drupal Sites
cgmonroe
 
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
cgmonroe
 
Drupal Security: What You Need to Know
Mediacurrent
 
Attacking Drupal
Greg Foss
 

More from scorlosquet(15)

PDF
DrupalCamp NJ 2014 Solr and Schema.org
scorlosquet
 
PDF
The Future of Search and SEO in Drupal
scorlosquet
 
PDF
Drupal and the Semantic Web - ESIP Webinar
scorlosquet
 
PDF
The Semantic Web and Drupal 7 - Loja 2013
scorlosquet
 
PDF
Drupal as a Semantic Web platform - ISWC 2012
scorlosquet
 
PDF
Slides semantic web and Drupal 7 NYCCamp 2012
scorlosquet
 
PDF
Data strategies - Drupal Decision Makers training
scorlosquet
 
PDF
Drupal and the semantic web - SemTechBiz 2012
scorlosquet
 
PDF
Drupal 7 and schema.org module
scorlosquet
 
PDF
Drupal 7 and RDF
scorlosquet
 
PDF
How to Build Linked Data Sites with Drupal 7 and RDFa
scorlosquet
 
KEY
RDF presentation at DrupalCon San Francisco 2010
scorlosquet
 
PDF
Drupal and RDF
scorlosquet
 
PDF
When Drupal and RDF meet
scorlosquet
 
PDF
Produce and Consume Linked Data with Drupal!
scorlosquet
 
DrupalCamp NJ 2014 Solr and Schema.org
scorlosquet
 
The Future of Search and SEO in Drupal
scorlosquet
 
Drupal and the Semantic Web - ESIP Webinar
scorlosquet
 
The Semantic Web and Drupal 7 - Loja 2013
scorlosquet
 
Drupal as a Semantic Web platform - ISWC 2012
scorlosquet
 
Slides semantic web and Drupal 7 NYCCamp 2012
scorlosquet
 
Data strategies - Drupal Decision Makers training
scorlosquet
 
Drupal and the semantic web - SemTechBiz 2012
scorlosquet
 
Drupal 7 and schema.org module
scorlosquet
 
Drupal 7 and RDF
scorlosquet
 
How to Build Linked Data Sites with Drupal 7 and RDFa
scorlosquet
 
RDF presentation at DrupalCon San Francisco 2010
scorlosquet
 
Drupal and RDF
scorlosquet
 
When Drupal and RDF meet
scorlosquet
 
Produce and Consume Linked Data with Drupal!
scorlosquet
 

Recently uploaded(20)

PDF
Module 1 - COMMUNICATION SATELLITEScrev (5).pdf
NacerBaouche
 
PDF
Domain-specific knowledge and context in large language models: challenges, c...
IAESIJAI
 
PDF
Addressing the challenges of harmonizing law and artificial intelligence tech...
IAESIJAI
 
PDF
Revolutionizing recommendations a survey: a comprehensive exploration of mode...
IAESIJAI
 
PDF
EGCB_Solar_Project_Presentation_and Finalcial Analysis.pdf
TaukirIslam
 
PPTX
Strategic Picks — Prioritising the Right Agentic Use Cases [2/6]
suhanisingh58689
 
PPTX
Presentation.pptx agriculture technology
manishsinghup9305
 
PPTX
AQUEEL MUSHTAQUE FAKIH COMPUTER CENTER .
nachanmasarrat13
 
PDF
“Introduction to Designing with AI Agents,” a Presentation from Amazon Web Se...
Edge AI and Vision Alliance
 
PDF
TicketRoot: Event Tech Solutions Deck 2025
TicketRoot
 
PDF
1_Keynote_Breaking Barriers_한계를 넘어서_Charith Mendis.pdf
AWS Korea 금융산업팀
 
PDF
CCUS-as-the-Missing-Link-to-Net-Zero_AksCurious.pdf
AkarshaSrivastava1
 
PDF
13 Powerful n8n Alternatives That Will Transform Your Workflow Automation Gam...
SOFTTECHHUB
 
PDF
Be ready for tomorrow’s needs with a longer-lasting, higher-performing PC
Principled Technologies
 
PPTX
Rise of the Digital Control Grid Zeee Media and Hope and Tivon FTWProject.com
hopegirl587
 
PDF
NewMind AI Journal Monthly Chronicles - August 2025
NewMind AI
 
PDF
Rooftops detection with YOLOv8 from aerial imagery and a brief review on roof...
IAESIJAI
 
PPTX
From XAI to XEE through Influence and Provenance.Controlling model fairness o...
Paolo Missier
 
PDF
Advancements in abstractive text summarization: a deep learning approach
IAESIJAI
 
PDF
Peak of Data & AI Encore: Scalable Design & Infrastructure
Safe Software
 
Module 1 - COMMUNICATION SATELLITEScrev (5).pdf
NacerBaouche
 
Domain-specific knowledge and context in large language models: challenges, c...
IAESIJAI
 
Addressing the challenges of harmonizing law and artificial intelligence tech...
IAESIJAI
 
Revolutionizing recommendations a survey: a comprehensive exploration of mode...
IAESIJAI
 
EGCB_Solar_Project_Presentation_and Finalcial Analysis.pdf
TaukirIslam
 
Strategic Picks — Prioritising the Right Agentic Use Cases [2/6]
suhanisingh58689
 
Presentation.pptx agriculture technology
manishsinghup9305
 
AQUEEL MUSHTAQUE FAKIH COMPUTER CENTER .
nachanmasarrat13
 
“Introduction to Designing with AI Agents,” a Presentation from Amazon Web Se...
Edge AI and Vision Alliance
 
TicketRoot: Event Tech Solutions Deck 2025
TicketRoot
 
1_Keynote_Breaking Barriers_한계를 넘어서_Charith Mendis.pdf
AWS Korea 금융산업팀
 
CCUS-as-the-Missing-Link-to-Net-Zero_AksCurious.pdf
AkarshaSrivastava1
 
13 Powerful n8n Alternatives That Will Transform Your Workflow Automation Gam...
SOFTTECHHUB
 
Be ready for tomorrow’s needs with a longer-lasting, higher-performing PC
Principled Technologies
 
Rise of the Digital Control Grid Zeee Media and Hope and Tivon FTWProject.com
hopegirl587
 
NewMind AI Journal Monthly Chronicles - August 2025
NewMind AI
 
Rooftops detection with YOLOv8 from aerial imagery and a brief review on roof...
IAESIJAI
 
From XAI to XEE through Influence and Provenance.Controlling model fairness o...
Paolo Missier
 
Advancements in abstractive text summarization: a deep learning approach
IAESIJAI
 
Peak of Data & AI Encore: Scalable Design & Infrastructure
Safe Software
 

Keeping your Drupal site secure 2013