Security has always been an important area for every website, and it was the subject of a session at DrupalCon Barcelona. The session started with an introduction of the speakers and then moved on to Drupal security issues. Here are some of the tips that were shared at the outset:
- HTTPS instead of HTTP, and SSH keys and SFTP instead of FTP for file transfer
- A strong password policy
- Verify and sanitize database backups
Furthermore, security through site configuration was discussed:
- Make sure features like roles and permissions are configured properly, as a misconfiguration here is an easy way for attackers to gain access
- Text formats must be handled properly
- Remove and avoid any module that allows you to run PHP code from the UI. It must be removed from your codebase entirely as well, so that there is no way for arbitrary PHP code to be run under any circumstances.
- File permissions must be set properly
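The two items above that can be checked mechanically are file permissions and the presence of a PHP-from-the-UI module. The following POSIX shell helper is an added example written for this recap; it is not code from the session or from Drupal. It assumes the usual Drupal layout (`sites/*/files` for uploads, `sites/*/settings.php` for configuration) and identifies the PHP filter module by its `php.module` file; the `mode_of` helper tries GNU `stat` first and falls back to the BSD form.

```shell
#!/bin/sh
# Added example (not the session's or Drupal's own code).
# Assumes the standard Drupal layout: sites/*/files and sites/*/settings.php.

# Tighten permissions on a Drupal code tree.
# Recipe: code is read-only for the web server, only the upload directory
# (sites/*/files) is group-writable, settings.php is read-only for everyone.
# $1 = Drupal root, $2 = optional web server group (e.g. www-data).
harden_drupal_perms() {
    root=$1
    group=$2
    [ -d "$root" ] || return 1
    # Optional: hand the tree to the web server group so "g" below applies to it.
    if [ -n "$group" ]; then
        chgrp -R "$group" "$root" || return 1
    fi
    # Code: directories rwxr-x--- (750), files rw-r----- (640).
    find "$root" -type d -exec chmod u=rwx,g=rx,o= '{}' +
    find "$root" -type f -exec chmod u=rw,g=r,o= '{}' +
    # Uploads: the web server may write here, nobody else may even read.
    for files_dir in "$root"/sites/*/files; do
        [ -d "$files_dir" ] || continue
        find "$files_dir" -type d -exec chmod ug=rwx,o= '{}' +
        find "$files_dir" -type f -exec chmod ug=rw,o= '{}' +
    done
    # settings.php: read-only (440) even for the owner.
    for settings in "$root"/sites/*/settings.php; do
        [ -f "$settings" ] && chmod u=r,g=r,o= "$settings"
    done
    return 0
}

# Print every php.module found under $1 (the PHP filter module lets site
# administrators execute PHP from the UI). Returns 1 if any is present,
# 0 if the tree is clean, so it can drive a deploy-time gate.
find_php_ui_module() {
    root=$1
    hits=$(find "$root" -type f -name 'php.module' 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Octal mode of a path, for verifying the result (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage (paths are placeholders):
#   harden_drupal_perms /var/www/drupal www-data
#   find_php_ui_module /var/www/drupal || echo "PHP filter module still present"
```

Run it as the deploy user that owns the code, not as the web server user; the point of the recipe is that the web server can write only to the upload directory.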
You can also secure your site by using the products of Drupal hosting providers. They provide tuned Drupal security and performance (code, database, configuration, uploaded files) and manage security updates as well.
Security can also be enforced by using contrib modules like Secure Login, Paranoia, Security Review, and many more.
Sites can also be secured by following the security process, which includes:
- Coordinating with the Drupal Security Team
- Educating the community on security best practices
- Copying the security advisory for every security release
The most common issues were:
- SQL injection
- Arbitrary code execution, and more
Drupal 8 is going to implement a lot more security hardening:
- PDO MySQL queries limited to single statements (multi-statement execution disabled)
- PHP execution in subfolders forbidden via .htaccess
- Clickjacking protection
- Hashed user session IDs
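Two of these items can be verified from the outside without touching Drupal's code: the .htaccess rule that stops the PHP engine in a subfolder, and the clickjacking protection, which in Drupal 8 takes the form of an `X-Frame-Options: SAMEORIGIN` response header. The POSIX shell snippet below is an added example written for this recap, not the session's or Drupal's own code. It writes a protective .htaccess into an upload directory and checks it back, and classifies a captured set of response headers; the handler name `Drupal_Security_Do_Not_Remove` and the sample headers are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the session's or Drupal's own code). The handler name
# and the sample response headers below are constructed for this demo.

# Write a protective .htaccess into a writable upload directory so that
# Apache never hands files stored there to the PHP engine. $1 = directory.
write_upload_htaccess() {
    dir=$1
    [ -d "$dir" ] || return 1
    cat > "$dir/.htaccess" <<'EOF'
# Turn off options a pure file-serving directory does not need.
Options -Indexes -ExecCGI -Includes -MultiViews
# Route every file to a handler that does not exist, so nothing executes.
SetHandler Drupal_Security_Do_Not_Remove
<Files *>
  SetHandler Drupal_Security_Do_Not_Remove
</Files>
# Under mod_php, switch the engine off outright (ignored under PHP-FPM,
# where the same rule must live in the server configuration instead).
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
<IfModule mod_php7.c>
  php_flag engine off
</IfModule>
EOF
}

# Return 0 only if $1/.htaccess carries both the catch-all handler and the
# engine-off flag; 1 otherwise (a missing file counts as unprotected).
check_upload_htaccess() {
    f=$1/.htaccess
    [ -f "$f" ] || return 1
    grep -q '^SetHandler' "$f" || return 1
    grep -q 'php_flag engine off' "$f" || return 1
    return 0
}

# Read HTTP response headers from stdin and return 0 if they restrict
# framing: X-Frame-Options DENY/SAMEORIGIN, or a Content-Security-Policy
# with a frame-ancestors directive. Header names are case-insensitive, so
# everything is lower-cased first; CR is stripped for CRLF captures.
has_framing_protection() {
    headers=$(tr -d '\r' | tr 'A-Z' 'a-z')
    printf '%s\n' "$headers" | grep -Eq '^x-frame-options:[[:space:]]*(deny|sameorigin)' && return 0
    printf '%s\n' "$headers" | grep -Eq '^content-security-policy:.*frame-ancestors' && return 0
    return 1
}

# Usage (constructed headers standing in for a captured response):
#   printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n' | has_framing_protection && echo protected
#   write_upload_htaccess /var/www/drupal/sites/default/files
#   check_upload_htaccess /var/www/drupal/sites/default/files || echo "uploads are executable"
```

The .htaccess check is only meaningful when Apache honours per-directory overrides (`AllowOverride` includes `FileInfo` and `Options`); with overrides disabled, or with nginx in front, the equivalent rule has to be enforced in the server configuration and this check will pass while the directory is still unprotected.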