Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.
By paul o brien on
We would like to use Drupal (survey.module) to collect patient-specific details at clinic visits. Only registered users would input data. Standard installation of Drupal.
How secure would the site be?
Is it difficult for hacker to login as admin?
How secure would the MySQL data be?
Should the dba.module be avoided?
Is it https necessary? https, as I understand, it only secures the transfer of data, which apparently is a lower risk than hacking the site.
What should we do to maximise the security of the site? We are more concerned with the clinic data than the site.
Comments
local or remote server?
is this going to be on a local server or remote?
I think you could address many security issues if it's on a local server, and you could even limit access (via apache settings) to just a few computers based on IP address.
---
Work: BioRAFT
Quite secure
As you might have seen, lately there was a new release because of a minor security hole. The drupal team cares much about security. There is a security team, which collect security issues reported by others and helps the authors to fix the holes.
Drupal is as secure as we can make it. If we discover a security hole, it is unpublished reported to the security team and they will deal with it. When the hole is fixed, a new release is published. Core issues will always get fixed. For holes in modules, the security team needs the support of the module developer. If the module author does not fix it within a month, a security announcement is send out and the module will be unpublished at drupal.org.
So, if you want to keep an eye on the security of your site, you should subscribe to the security mailinglist. You can enable it in your account settings.
Remember that the website is not the only place a malicious user could try to access your database. If your ISP (or you) doesn't have a secure setup of your database server, a hacker could try to access your database directly. (For example) So, drupal is not the only thing which should be secure.
The biggest security factor for a website
is whether the site is on a shared or dedicated server.
Being on a shared server has a lot more risks as all kinds of other potentially vulnerable sites are running on it and all kinds of other people can upload code to it.
A dedicated server is much more secure as you control exactly who gets to run code on it, and gives the sysadmin much more scope in hardening things.
Also, Drupal core has good security IMO and the core team do a great job - but things are a little different with contrib modules. You need to be a little more careful with those. Wherever possible think hard about what modules you really need and stick to contrib modules by known developers with good reputations that get a lot of other known developers contributing to them.
--
Anton
New to Drupal? | Forum posting tips | Troubleshooting FAQ
Https should be used
In my opinion Drupal is as secure as anything and more secure than most things, though there is always some risk. I would strongly recommend https:// if the data is HIPPA restricted (though I don't think it makes much of a difference technically in most cases). You'll need to demonstrate that you did your best and followed best practices for securing data in the event of a breach (Drupal or not). The cert is cheap enough, and https is so established that this should be a part of whatever solution you come up with. I also agree with dedicated server suggestion above.
____________________
http://uva-weblearn.net