If your Drupal website delivers content to third-party sites through a syndication mechanism such as an RSS feed, you need to purify the HTML markup before delivering it. Otherwise any script or markup that gets into your content (for example through a permissive text format or a compromised author account) becomes an XSS attack on every site that renders your feed. Read on to learn how to purify the contents of your Drupal website's feed programmatically.
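As an added example (not code from the original article), here is a small Drupal 7 module that runs the node body through filter_xss() with a tight allow-list only when the node is rendered in the 'rss' view mode, which is the view mode node_feed() uses to build each feed item. The module name feed_purify and the tag list are assumptions made for this example:

```php
<?php
/**
 * @file
 * feed_purify.module (hypothetical module name used for this example).
 *
 * Strips markup that is unsafe for downstream consumers from node bodies
 * when they are rendered in the 'rss' view mode. Drupal 7 API.
 */

/**
 * Tags allowed in syndicated content.
 *
 * Deliberately narrower than the default filter_xss() list: no <img>,
 * no <iframe>, no <object>. Assumption: aggregators only need basic text
 * formatting from this site.
 */
function feed_purify_allowed_tags() {
  return array('a', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li',
               'blockquote', 'code', 'h2', 'h3');
}

/**
 * Purifies a string of HTML for syndication.
 *
 * filter_xss() removes every tag not in the allow-list, every on*
 * event-handler attribute, and javascript:/vbscript: URLs in href/src.
 */
function feed_purify_html($html) {
  return filter_xss($html, feed_purify_allowed_tags());
}

/**
 * Implements hook_node_view().
 *
 * node_feed() calls node_view($node, 'rss') before it renders the item
 * description, so purifying here only affects the feed, not the normal
 * page display where the site's own text formats still apply.
 */
function feed_purify_node_view($node, $view_mode, $langcode) {
  if ($view_mode !== 'rss' || empty($node->content['body'])) {
    return;
  }
  // Each field delta rendered by the text formatter is a '#markup' element.
  foreach (element_children($node->content['body']) as $delta) {
    if (isset($node->content['body'][$delta]['#markup'])) {
      $node->content['body'][$delta]['#markup'] =
        feed_purify_html($node->content['body'][$delta]['#markup']);
    }
  }
}
```

Two caveats a practitioner should check on their own site: Views-generated feeds render nodes through the view mode chosen in the row plugin, so confirm that mode is 'rss' (or hook on the mode actually used) before relying on this; and purifying at render time does not clean what is stored, so a permissive text format assigned to untrusted roles is still worth fixing at the source.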
Drupal is secure by design, but as with most secure systems there will always be a few loopholes that a user with malicious intent can exploit to compromise the whole site. Most of these flaws are not bugs in Drupal itself but configuration mistakes made by the site's administrators. We have listed the top 7 security mistakes commonly found on Drupal websites, each of which can be rectified by working through a simple Drupal security checklist. The easiest way to ensure that your Drupal site is built securely is to have it built by experts. Contact us to build your Drupal site for you.
Apache lets you protect the contents of specific directories, or the whole website, from unauthorized access using HTTP authentication (htpasswd-based password protection). During development, partially built sites are commonly protected this way. This can interfere with testing integrations with third-party services that expect some of your URLs (a payment callback, a webhook endpoint) to be reachable without credentials. Here is how you can exclude a given file or directory from the authentication requirement.
Password-protecting a Drupal development site with a .htaccess file
There are a few scenarios in which you need to hide your site from the general public and make it accessible only to a selected group of users. One of the most common in the development workflow of a Drupal site is keeping a half-complete site out of Google's search results. For such needs it is advisable to password-protect the site using HTTP authentication, which stops crawlers and casual visitors at the web server, before any Drupal code runs.
If your hosting server has cPanel, use the 'Password Protect Directories' option in the 'Security' section of the cPanel home page. See our separate article on how to enable HTTP authentication using cPanel.
For those without cPanel, here is how to configure Apache directly:
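Added example (not from the original articles) of a .htaccess fragment that password-protects the whole site while leaving one URL open, covering both the protection described here and the exclusion described above. All paths, the user name and the callback URL are assumptions. The exclusion is keyed on the request URI rather than on a <Files> section because, with Drupal's clean URLs, every path is actually served by index.php, so a <Files> match on the path name would never fire:

```apache
# Appended to the .htaccess in the Drupal web root (added example; all
# paths and names are assumptions). Create the password file OUTSIDE the
# document root first, so it can never be downloaded:
#   htpasswd -c /var/www/private/dev.htpasswd devuser

AuthType Basic
AuthName "Development site"
AuthUserFile /var/www/private/dev.htpasswd

# Requests that must stay reachable without credentials, e.g. a payment
# gateway's server-to-server callback. Needs mod_setenvif.
SetEnvIf Request_URI "^/payment/callback" noauth=1

<IfModule mod_authz_core.c>
    # Apache 2.4: pass if the request is marked noauth OR a valid user logged in.
    <RequireAny>
        Require env noauth
        Require valid-user
    </RequireAny>
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 equivalent: "Satisfy Any" accepts the request if EITHER the
    # host/env rule (Allow from env=) OR the user rule (Require) succeeds.
    Order Deny,Allow
    Deny from all
    Allow from env=noauth
    Require valid-user
    Satisfy Any
</IfModule>
```

Keep the regular expression anchored and as narrow as the integration allows: a pattern such as "^/payment" would also expose any other page under that prefix. Once the site goes live, remove the block rather than leaving an exception-riddled authentication layer in place.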
Once in a while you will come across a Drupal site that you have to log in to without having the credentials of user 1 (the site's administrative superuser). You can reset the password of user 1 directly in the database, or you can use a small workaround script to log in. Here is how you can log in to a Drupal 7 site programmatically as user 1 without knowing the user 1 credentials.
If you have a Drupal 6 site where you have access to the FTP account but not to the user 1 credentials, here is how you can log in to the site programmatically as user 1 without resetting the user 1 password. Now that you know this is possible, remember the corollary: anyone with FTP (or any other file-write) access to the site effectively has user 1 access, so do not give FTP access to anyone you would not also trust with the user 1 credentials.
Frequently we come across Drupal sites (live or testing) where the user 1 password is not known to the site's owner. You can recover access by changing the email address of user 1 to your own address and then using the 'forgot password' option to reset the password. If you would rather not touch the user 1 email address and just want to set a new password, there is an easier alternative via the database. Note that the stored value must be in the hash format Drupal expects (MD5 for Drupal 6, a salted phpass-style hash for Drupal 7), so the new password cannot simply be written into the users table as plain text.
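Added example (not a script from the original articles) covering both recovery paths described above for Drupal 7: generating a one-time login link for user 1 without changing anything, or setting a new password with the hash format Drupal 7 expects. It is run from the command line in the Drupal root with file-system access only; the host name and file name are assumptions:

```php
<?php
/**
 * @file
 * uid1-recovery.php (hypothetical file name). Added example for Drupal 7.
 *
 * Usage, from the Drupal root:
 *   php uid1-recovery.php                 # prints a one-time login URL for user 1
 *   php uid1-recovery.php 'NewPassw0rd!'  # sets a new password for user 1
 *
 * Needs only shell/FTP access plus the database credentials already in
 * sites/default/settings.php. Delete the file when you are done.
 */

// Minimal request environment so drupal_bootstrap() works from the CLI
// (the same trick core's scripts/drupal.sh uses). Assumption: host name.
$_SERVER['HTTP_HOST'] = 'example.com';
$_SERVER['REQUEST_URI'] = '/';
$_SERVER['REMOTE_ADDR'] = '127.0.0.1';
$_SERVER['REQUEST_METHOD'] = 'GET';
$_SERVER['SCRIPT_NAME'] = '/index.php';
$_SERVER['PHP_SELF'] = '/index.php';

define('DRUPAL_ROOT', getcwd());
require_once DRUPAL_ROOT . '/includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);

/**
 * Option A: one-time login link for user 1 (what "drush uli" does).
 *
 * Nothing in the database changes; the link is single-use and expires
 * after the site's password-reset timeout.
 */
function uid1_recovery_login_url() {
  $account = user_load(1);
  return user_pass_reset_url($account);
}

/**
 * Option B: store a new password, hashed by Drupal 7's own routine.
 *
 * user_hash_password() produces the salted "$S$..." hash the login path
 * verifies against; writing MD5 here (as Drupal 6 did) would lock user 1 out.
 */
function uid1_recovery_set_password($new_password) {
  require_once DRUPAL_ROOT . '/includes/password.inc';
  $hash = user_hash_password($new_password);
  if ($hash === FALSE) {
    throw new RuntimeException('Hashing failed.');
  }
  db_update('users')
    ->fields(array('pass' => $hash))
    ->condition('uid', 1)
    ->execute();
  return $hash;
}

if (PHP_SAPI === 'cli') {
  if (!empty($argv[1])) {
    uid1_recovery_set_password($argv[1]);
    print "Password for user 1 updated.\n";
  }
  else {
    print uid1_recovery_login_url() . "\n";
  }
}
```

Prefer the one-time link where possible: it leaves the owner's password and email untouched and leaves a normal watchdog trail of the login. If Drush is installed, "drush uli" and "drush upwd admin --password=..." do the same two things without a custom script. For a Drupal 6 site the password column holds a plain MD5, so the database route there is UPDATE users SET pass = MD5('new-password') WHERE uid = 1. Whichever route you take, a script like this placed in the web root is itself a backdoor, so keep it off the server once access is restored.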
Have you ever thought about the security of your Drupal website? If not, it is high time you did. Either way, here is a simple checklist to make sure you have the essentials covered:
To ensure the security of confidential data in your Drupal site, the site has to be tested to determine whether it protects that data while still maintaining its functionality. Web applications are always exposed to attempts at unauthorized access to, or modification of, sensitive information. Testing an application to find and remove such weaknesses is called security testing.
Drupal is widely regarded as a very secure CMS, and the Drupal security team is a highly effective group that works with core and contributed-module maintainers to find and fix security issues as soon as they crop up. But no amount of programming will fix security issues caused by the incorrect configuration of a Drupal site. Here is a checklist of items you have to confirm after you deploy a new Drupal installation.