With a team of experienced developers constantly working to fix bugs and security issues, Drupal can be considered a secure CMS. However, no amount of updates and upgrades will resolve security problems caused by ignorance or negligence on the part of the website owner. Here are a few simple tips that you, as a Drupal site owner, should bear in mind.
1. All the core files and modules must be kept up-to-date.
Each new release fixes bugs and security issues that were present in earlier versions, so keeping current closes holes that are already publicly known. To learn about fixes as soon as they are released, subscribe to drupal.org's security mailing list.
Don't upgrade your modules to development versions. The "dev" mark means that the release has not gone through the security review a production-grade version receives, and it should not be treated as equally secure.
When you plan to install a new module or update an existing one, read through its bug reports first so you know how many open issues it has and whether the developers are actively working on them.
2. Secure your login.
One module you can use is Secure Pages, which redirects selected pages to their SSL (HTTPS) version. With it in place, logging in, creating content and administering the site all happen over an encrypted connection. If you ignore this tip, sensitive information such as usernames and passwords travels over the network unencrypted and can be intercepted.
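The redirect that Secure Pages performs can also be expressed directly in PHP, for instance at the top of settings.php or a front controller. The following is an added example, not the Secure Pages module's code: the path prefixes (`user`, `admin`) and the canonical hostname are assumptions for this example, and the decision is isolated in a function so it can be exercised offline.

```php
<?php
// Added example, not the Secure Pages module's code: force HTTPS for the
// paths where credentials are sent (login, password reset, administration).
// The prefixes and the canonical hostname below are assumptions.

/**
 * Decide whether a plain-HTTP request must be redirected to HTTPS.
 *
 * @param array    $server   Normally $_SERVER; passed in so the logic is testable.
 * @param string[] $prefixes Drupal paths (no leading slash) that require TLS.
 * @param string   $host     Canonical hostname to redirect to. Taken from
 *                           configuration, not from the Host header, so a forged
 *                           header cannot turn the redirect into an open redirect.
 * @return string|null       Redirect target, or null when no redirect is needed.
 */
function https_redirect_target(array $server, array $prefixes, string $host): ?string {
  // Already encrypted? The X-Forwarded-Proto branch is only safe behind a
  // TLS-terminating proxy you control that overwrites the header (assumption).
  $https = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off')
        || (($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https');
  if ($https) {
    return null;
  }

  $uri  = $server['REQUEST_URI'] ?? '/';
  $path = ltrim((string) parse_url($uri, PHP_URL_PATH), '/');

  // Without clean URLs the Drupal path travels in ?q=...; prefer it when present.
  parse_str((string) parse_url($uri, PHP_URL_QUERY), $query);
  $drupal_path = isset($query['q']) ? ltrim((string) $query['q'], '/') : $path;

  foreach ($prefixes as $prefix) {
    // Match "user" and "user/login" but not "users-guide".
    if ($drupal_path === $prefix || strpos($drupal_path, $prefix . '/') === 0) {
      return 'https://' . $host . $uri;
    }
  }
  return null;
}

$sensitive_paths = ['user', 'admin'];   // assumed prefixes; extend for your site
$canonical_host  = 'www.example.com';   // assumed; use your site's real hostname

if (PHP_SAPI !== 'cli') {
  $target = https_redirect_target($_SERVER, $sensitive_paths, $canonical_host);
  if ($target !== null) {
    header('Location: ' . $target, true, 301);
    exit;
  }
} else {
  // Constructed requests, to show the decision offline from the command line.
  $cases = [
    ['HTTPS' => 'off', 'REQUEST_URI' => '/user/login'],
    ['HTTPS' => 'off', 'REQUEST_URI' => '/index.php?q=admin/people'],
    ['HTTPS' => 'on',  'REQUEST_URI' => '/user/login'],
    ['HTTPS' => 'off', 'REQUEST_URI' => '/node/12'],
    ['HTTPS' => 'off', 'REQUEST_URI' => '/users-guide'],
  ];
  foreach ($cases as $case) {
    printf("%-32s -> %s\n", $case['REQUEST_URI'],
      https_redirect_target($case, $sensitive_paths, $canonical_host) ?? 'no redirect');
  }
}
```

One caveat applies to any setup that encrypts only some pages: a session cookie issued on an HTTPS page is sent along with every plain-HTTP request to the rest of the site unless it is marked Secure, so serving the whole site over HTTPS is the simpler and safer end state.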
3. Change passwords often.
Assign new passwords to the important accounts (user 1, the site's superuser account; the database; admin; FTP) at least once every three months.
4. Restrict what can be uploaded.
The Upload module is a core module, meaning every Drupal site has it. It allows users to upload files (e.g. images) as part of their content. If you have it enabled, make sure that you limit the types of files they can upload. Go to Administer > Site configuration > File uploads.
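The setting above is an allowlist: only the extensions you list are accepted. The following added example, not Drupal's own code, shows the same principle in stand-alone PHP, including the cases a site owner should expect it to handle: directory components in the name, hidden files such as .htaccess, names without an extension, mixed case, and double extensions such as image.php.jpg. The allowlist string and the sample filenames are constructed for the example.

```php
<?php
// Added example, not Drupal's own code: allowlist validation of uploaded
// filenames, the principle behind the "permitted file extensions" setting.

/**
 * Validate an untrusted, client-supplied filename against an allowlist.
 *
 * @param string $filename   Name sent by the browser; treat as hostile input.
 * @param string $extensions Space-separated allowlist, e.g. "jpg jpeg gif png pdf".
 * @return string[]          Error messages; an empty array means the name is accepted.
 */
function validate_upload_filename(string $filename, string $extensions): array {
  // Keep only the basename so "../../settings.php" becomes "settings.php".
  $name = basename(str_replace('\\', '/', $filename));

  // Hidden files (.htaccess, .user.ini) can alter server behaviour in the upload directory.
  if ($name === '' || $name[0] === '.') {
    return ['Hidden or empty filenames are not allowed.'];
  }

  $allowed = preg_split('/\s+/', strtolower(trim($extensions)), -1, PREG_SPLIT_NO_EMPTY);
  $parts = explode('.', strtolower($name));
  array_shift($parts);                    // first element is the base name, not an extension

  if (!$parts) {
    return ['Files without an extension are not allowed.'];
  }

  // Compare the final extension case-insensitively; anything not listed is rejected.
  if (!in_array(end($parts), $allowed, true)) {
    return [sprintf('Only files with the following extensions are allowed: %s.', implode(' ', $allowed))];
  }
  return [];
}

/**
 * Neutralise inner extensions ("image.php.jpg" -> "image.php_.jpg") so a web
 * server that honours the first recognised extension cannot be made to execute
 * the file. A simplified form of the underscore munging Drupal's file API applies.
 */
function munge_upload_filename(string $filename, string $extensions): string {
  $allowed = preg_split('/\s+/', strtolower(trim($extensions)), -1, PREG_SPLIT_NO_EMPTY);
  $parts = explode('.', $filename);
  if (count($parts) < 3) {
    return $filename;                     // no inner extension to worry about
  }
  $base = array_shift($parts);
  $last = array_pop($parts);
  foreach ($parts as &$part) {
    if (!in_array(strtolower($part), $allowed, true)) {
      $part .= '_';
    }
  }
  unset($part);
  return implode('.', array_merge([$base], $parts, [$last]));
}

// Constructed allowlist and sample filenames.
$allowlist = 'jpg jpeg gif png txt pdf';
$samples = ['photo.JPG', 'report.pdf', 'shell.php', 'image.php.jpg',
            '.htaccess', '../../settings.php', 'README'];
foreach ($samples as $sample) {
  $errors = validate_upload_filename($sample, $allowlist);
  printf("%-22s %s\n", $sample, $errors
    ? 'REJECT: ' . $errors[0]
    : 'ACCEPT as ' . munge_upload_filename(basename($sample), $allowlist));
}
```

The extension check is one layer only. The upload directory must also be configured so the web server never executes anything stored in it, which is why Drupal writes its own .htaccess into the files directory; do not remove it.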