Someone at a hosting company told me that they don't even carry Drupal as an auto-installed script because it is so "hole-y" and has so many security problems. I have otherwise been very impressed with Drupal and I have not seen a lot here on this site about its security problems, so I am wondering how secure Drupal is. How about some thread that offers a discussion of security: what to watch out for, how big of problems they are, the likely prospects of greater security in the future, comparison to security in other CMSs, etc.?

Comments

modul

I'm not a security expert, but I do follow what's happening on the forum, both here and with regard to Joomla. Just judging from the number of security warnings, I'd say that Drupal is a quite secure environment. Sure there are warnings, though not many, and when they occur, they mostly have to do with some contributed module here or there, not (or not often) with Drupal as such. Compared to Joomla, Drupal appears much more secure, though no guarantees from my side :-). I think security boils down to following what's happening and applying new patches or updates. And that's not only the case for open-source CMSs but for other programs as well. Just look at the multitude of Windows security warnings, for instance... I think that hosting company person must have been slightly prejudiced.

Ludo

cog.rusty

It is hard to answer a general statement coming out of thin air. AFAIK there are regular security announcements and updates as well as mechanisms to keep out dangerous things.

But to say anything more we would have to hear the exact argument. Someone once said that Drupal is unsafe because it announces security issues immediately. Go figure... This may be bad for people who installed Drupal two years ago and never looked back, but I don't think there will ever be security for them.

josesanmartin

First of all, check these: http://drupal.org/security

Drupal's code is very good and well-revised. Many, many websites have used Drupal for a long time and they are still there. Drupal has a security team and well-structured bug-fixing procedures.

In other words, Drupal is secure enough.

The most common problems with CMSs seem to be Cross-Site Scripting (XSS, see Wikipedia for more details) and other issues related to password theft. CMSs such as Drupal won't be much of a threat to the webserver, because they're run over PHP and there isn't much they can do. The worst someone can do is mess with your website content.

However, there are a few things that you can check to be a little safer:
- Check your file permissions, especially the permissions on settings.php.
- Don't give many permissions to your (web) users if your site accepts user-generated content (such as comments). Check the input formats and always filter their HTML.
- Keep your installation upgraded. Always.
- And remember that even being secure enough, software always has its flaws, so always keep a backup, etc.

José San Martin
http://www.verinco.com/

José San Martin
http://www.chuva-inc.com/
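The first item on that checklist, file permissions on settings.php, is easy to verify from a shell. The script below is an added example, not code from this thread or from Drupal itself: it reports whether settings.php can be written by anyone other than its owner and whether the files directory exists. The default paths (sites/default/settings.php and a top-level files/ directory) are an assumption about the install layout; pass your own paths as arguments.

```shell
#!/bin/sh
# Added example (not from the thread or from Drupal): audit the permission
# items in the checklist above. Default paths are an assumption about the
# Drupal layout; pass SETTINGS and FILESDIR explicitly to override them.

# mode_string FILE -> prints the 10-character ls mode, e.g. -rw-r--r--.
# ls -ld is used rather than stat because stat's flags differ between
# GNU and BSD userlands.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# not_group_world_writable FILE -> 0 if FILE exists and only its owner can
# write it, 1 if the group or others have write permission, 2 if missing.
# Character 6 of the mode string is group write, character 9 is other write.
not_group_world_writable() {
    [ -e "$1" ] || return 2
    case "$(mode_string "$1")" in
        ?????w*|????????w?) return 1 ;;
    esac
    return 0
}

# audit_drupal SETTINGS FILESDIR -> prints one line per check and returns
# the number of findings (0 means everything checked looks fine).
audit_drupal() {
    settings=${1:-sites/default/settings.php}
    filesdir=${2:-files}
    findings=0

    rc=0
    not_group_world_writable "$settings" || rc=$?
    case $rc in
        0) echo "ok: $settings is writable only by its owner" ;;
        1) echo "FINDING: $settings is group- or world-writable; once installed it should be 644 or 444"
           findings=$((findings + 1)) ;;
        2) echo "FINDING: $settings does not exist"
           findings=$((findings + 1)) ;;
    esac

    if [ ! -d "$filesdir" ]; then
        echo "FINDING: files directory $filesdir does not exist"
        findings=$((findings + 1))
    else
        # The web server needs to write here, so writability is expected;
        # just show the mode so you can confirm who actually owns it.
        echo "ok: $filesdir exists with mode $(mode_string "$filesdir")"
    fi

    return $findings
}

# Run the audit only when paths are supplied on the command line.
if [ "$#" -gt 0 ]; then
    audit_drupal "$@"
fi
```

Run it from the Drupal root as `sh audit.sh sites/default/settings.php files`; a non-zero exit status is the number of findings, so it can also sit in a cron job or a deploy script.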

sambtaylor

Thanks for these responses, which are reassuring.

First, I see no reason not to name the hosting company, because I am frustrated with them anyway. IX Hosting has had a pretty good reputation, but they've been getting a lot of negative reviews lately, and I would have to join in. I am leaving them, frustrated with their cancellation policy, and one of several reasons I am leaving them is that their new hosting panel will not offer Drupal among their auto-installed scripts.

Second, a follow-up question: do you see any major security problems with using Drupal for social network sites in particular? Anything that would make another platform seem smarter? I am at the outset of setting up several sites, and want to make sure I make the right choice at the beginning. (P.S. They are free sites.)

vm

Your host not offering an auto-install script is more of a positive to the Drupal community than a negative, IMHO. Drupal has come a long way with regards to easing the burden of installation, with its new installer. Lastly, removing a host's script from the equation with regards to support issues is a benefit in and of itself.

teamsugar.com, a social networking site, uses Drupal. There is no difference between social networking sites and any other site as far as the code base is concerned.

The biggest wall you will hit with a social networking site, using Drupal, is if your site gets popular, you will have to move to a dedicated server sooner rather than later, as Drupal relies on the database for much of what it does and what it stores.
___________________________________________________________________________________________________
The search tool on Drupal.org really does work. This message has been brought to you by the letter X. Thanks for watching! : )

Amarjit

I agree with you.

It's very easy to install Drupal on any hosting package. The auto-install script only does a small job of copying files and setting up some scripts and directories.

The readme in the Drupal install tells you exactly what you need to do.

  • Copy the Drupal core (compressed - extract if needed OR uncompressed) to your webroot folder.
  • Copy the default settings file and rename to settings.php. Give full permissions (chmod 777) to this file.
  • Create a 'files' folder and again give that full permissions.
  • Run the install by simply visiting www.your-domain.com/drupal-directory-name.
  • From here, you just put some configuration details in. The most technical part is the database details, which will be available from your hosting.
  • Then find out how to setup a cron job for 'cron.php'. Or simply install the poormanscron module.

It's also better that you yourself download the latest version of Drupal. These auto-scripts usually come pre-packaged with other CMSs, so they don't get updated often enough.

This book is a good read: Cracking Drupal

rtivel

Hi,

I have used IX Web Hosting for some time now and can recommend them for both their service and their support. I have several domains running reliably there.

I have recently installed Drupal there and, with the exception of getting cron functioning properly, the installation has been painless using the core files from Drupal.

In my many contacts with IX's help desk, I have never heard one derogatory statement about Drupal; and although not everyone on the help desk has all the answers (I had to submit a support ticket to find out that I would need to use curl for cron), everyone there has always done their best to help.

With respect to security, I particularly like the administrator's control of the login process and the ability to restrict users to predefined "roles." Other modules available at Drupal can further help define just what a user can do and view on a Drupal site.

tingtong

I am also using ixwebhosting, just migrated to the PHP5 server block after over one year of hosting. So far OK, but sometimes MySQL is down. It happened three times in a month.

The server is not so reliable (from my past 1 year of experience), but the live chat service is good and the price is damn cheap.

I use manual cron and it is OK. What do you mean by "getting cron functioning properly"?

sahe44

Hi,
They add articles here periodically about ixwebhosting themes and its relationship with different software, including Drupal, Joomla, e107, WordPress and so on.
Take a look, maybe they can help, and follow the coming articles; maybe you'll find your answer.