Drupal is supposed to be a very secure CMS and the Drupal security team is a highly efficient team of people scouting the Drupal camp to find and sort out security issues as soon as they crop up. But no amount of programming will fix security issues caused by incorrect configuration of a Drupal site. Here is a checklist of items that you have to confirm after you deploy a new Drupal installation.
- Check that your user 1 passwords are secure
- Check that your forms are protected by some CAPTCHA, especially your login forms
- Check that Drupal Core and contrib modules are the latest versions
- Turn off on-screen error reporting at admin/settings/error-reporting
- Verify the permissions that have been given to anonymous and authenticated users
- Ensure that anonymous users do not have access to problematic input formats like PHP, Full HTML
- On the User Settings page, verify that account creation settings are as you intended it to be. If you are not looking to get users log into your site ensure that user registration is turned off
- Check Reports » Status report and make sure there are no warnings or errors
- Check that you had taken out the write permissions on settings.php
- Check that the files folder is owned by apache user and that you had not set 777 for files folder
If you need an expert to check your Drupal security configuration do get in touch with us and we will be happy to look into this for you.