Top 7 Security mistakes found in Drupal sites

By | 17th Sep 2012 | 4 min read

Drupal is inherently secure, but as with most secure systems there will always be a few security loopholes that a user with malicious intent could use to bring down the whole site. Most of these security flaws lie with the admin users of the website. We have listed the top 7 security mistakes commonly found in Drupal websites, all of which can be easily rectified by following a simple Drupal Security Checklist. The easiest way to ensure that your Drupal site is built securely is to have it built by experts. Contact Us to build your Drupal site for you.

Failure to set a strong admin password

This is the Achilles' heel of all web security systems and is not specific to Drupal itself. What separates the admin user from the rest of the web is a piece of alphanumeric text: the password. If the admin password is weak, or is one of the commonly used passwords, then any marginally competent attacker can gain complete control over the system. A weak password is a gargantuan security flaw, as it bypasses all the other security measures Drupal puts in place as if they were nonexistent.

Make sure that all admin passwords are cryptic, built from a combination of numeric characters, symbols, upper-case and lower-case letters. They should never contain meaningful words, important dates, names or telephone numbers, and should be kept as long as possible.

Failure to review user permissions

This is another security mistake commonly found in Drupal websites. The Drupal user permission system makes it extremely easy to manage user permissions and define user roles. However, this also means that unauthorized users might be given unnecessary permissions by oversight, enabling malicious users to gain access to the whole system.

Make sure that anonymous users are given only the minimum set of required permissions. Classifying authorized users by role and assigning each role only the permissions it needs will increase site security even if an attacker manages to create an account on the website.

Failure to review user creation settings

This is yet another potential security flaw commonly found in Drupal websites. Users should not be given permission to create their own accounts, as this is a potential security vulnerability. Malicious users can create an account, and if authorized users have been given unnecessary permissions in a Drupal website, they can cause a malicious event to happen.

Verify that all account creation settings are as intended.

Failure to update core and contrib modules to the latest version

Failing to update all the modules in a Drupal site to their latest version is yet another security vulnerability. The Drupal community ensures that security vulnerabilities are fixed as soon as they are discovered.

Make sure that the core and contrib modules in a Drupal site are always updated to the latest version as soon as one is available.

Failure to monitor status reports

Monitoring status reports in a Drupal website is vital to security, as they can reveal potential security flaws and happenings on the website. They can indicate the presence of DDoS attacks or spammers, or that someone is trying to access the Drupal site with malicious intent.

Status reports should be periodically verified to see that they are free from warnings and errors.

Failure to disable on-screen error reporting

While developing a Drupal website, seeing relevant messages via on-screen error reporting is extremely helpful in speeding up development. It should be disabled on production sites, as it could reveal information about the database of a Drupal website to a reasonably experienced hacker, leading to a security flaw; besides, it looks bad on a production system.

Leaving SQL dumps and file dumps in the webroot

It is good practice to take a backup of a working site before you make changes to it. However, it is extremely bad practice to keep the backups in the webroot or in subfolders that are directly accessible from the web. Because backup files normally have extensions that are not caught by .htaccess, these files can be downloaded from the web. The security risk increases severalfold if you keep dumps of the database right in the web folder itself. Developers should ensure that they do not leave any backup files or database dumps in the webroot or its subfolders. Besides, backups should be kept locally and not on the web servers.
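As an added example that is not part of the original post, the following POSIX shell script audits a webroot for the dump and archive files this section warns about, and prints an Apache deny rule for the same names as a safety net while they are moved out. The extension list and the function names are assumptions, not part of Drupal or of the checklist.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Drupal webroot for
# database dumps and backup archives that the web server would serve to
# anyone who guesses the name.  The extension list is an assumption that
# covers the dump and archive names developers commonly leave behind.

# Print every matching file under the given webroot, one path per line.
find_webroot_dumps() {
    webroot="$1"
    [ -d "$webroot" ] || { echo "no such directory: $webroot" >&2; return 2; }
    find "$webroot" -type f \( \
        -name '*.sql' -o -name '*.sql.gz' -o -name '*.sql.bz2' -o \
        -name '*.tar' -o -name '*.tar.gz' -o -name '*.tgz' -o -name '*.zip' -o \
        -name '*.bak' -o -name '*.old' -o -name '*.orig' -o -name '*~' \
    \) | sort
}

# Return 0 when the webroot is clean, 1 when dumps were found (listed on
# stderr), 2 when the path is not a directory.  Usable as a deploy gate.
check_webroot_dumps() {
    matches=$(find_webroot_dumps "$1") || return 2
    count=0
    if [ -n "$matches" ]; then
        count=$(printf '%s\n' "$matches" | wc -l | tr -d ' ')
    fi
    if [ "$count" -gt 0 ]; then
        printf 'Found %s backup/dump file(s) under %s:\n%s\n' "$count" "$1" "$matches" >&2
        return 1
    fi
    return 0
}

# Print an Apache 2.2-style rule (the syntax used by the Drupal .htaccess of
# the time) denying direct requests for the same file types.  Apache 2.4
# uses "Require all denied" in place of the Order/Deny lines.
htaccess_deny_dumps() {
    cat <<'EOF'
<FilesMatch "\.(sql|sql\.gz|sql\.bz2|tar|tar\.gz|tgz|zip|bak|old|orig)$|~$">
  Order allow,deny
  Deny from all
</FilesMatch>
EOF
}

# Usage: sh audit_webroot.sh /var/www/drupal
if [ -n "${1:-}" ]; then
    check_webroot_dumps "$1"
    exit $?
fi
```

Run it from a deploy script and refuse to go live while it exits 1; the rule it prints is a stopgap, not a substitute for keeping backups off the web server.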

Source: Drupal Security Checklist