Hi All,
I have only been playing with Drupal for a few months, but I am really confused regarding securing a Drupal site.
I have spent hours doing searches and reading forums and still have not come across a no-nonsense guide to securing a Drupal site post-installation.
In my opinion, there needs to be a guide which covers not only Drupal itself, but also common approaches to securing the web host it resides on.
For example, some topics I am interested in are:
* What the correct CHMOD settings for every file and folder in a standard Drupal install should be
* How to set up .htaccess correctly to secure a standard install
* Security issues relating to shared hosting and what steps to take
* How to prevent browser access to critical files such as settings.php and cron.php, etc.
* Cpanel-based settings that should be applied to increase security of a standard Drupal install
I understand that a lot of this comes from loads of experience in managing websites and undergoing security training, but there are a lot of Drupal installs out there being put up by complete n00bs (like myself), and these people need a lot of hand holding to harden their site.
I would write such a guide myself, but I don't know the theory or practice.
From reading around, especially regarding sites which have been hacked, this appears to be a critical piece of documentation which is currently missing from the Drupal community - a step-by-step guide which is easy to follow on how to take a holistic approach to Drupal security (including the security of the web host, or at least things to look out for which cause large security holes). This guide should also provide multiple ways to achieve the same outcome, for example if you don't have SSH access to your web host and only Cpanel, etc.
If this guide already exists, I apologise, and hope someone will post the link.
Hopefully something useful turns up.
Thanks very much
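The permissions questions in the list above (what the CHMOD settings should be, how to keep settings.php out of reach) can be checked with a script rather than by eye. The following is an added example written for this thread, not code from the original post or from drupal.org. The baseline it enforces is an assumption that should be compared with the drupal.org secure-configuration page for your Drupal version: directories 755, files 644, nothing world-writable, sites/default/settings.php read-only (444), and the sites/default/files upload directory keeping the .htaccess Drupal generates there, with no PHP files inside it. It builds a constructed mini docroot with two deliberate defects, audits it, hardens it and audits again, so it runs anywhere a POSIX shell is available (a local copy of the site, or a host terminal).

```shell
#!/bin/sh
# Added example, not code from the original post or from drupal.org.
# Audits the file permissions of a Drupal docroot from a POSIX shell.
# Assumed baseline (check it against drupal.org/security/secure-configuration
# for your Drupal version): directories 755, files 644, nothing world-writable,
# sites/default/settings.php read-only (444), and the upload directory
# sites/default/files keeping the .htaccess Drupal writes there to block
# script execution, with no PHP files inside it.

# audit_drupal_perms DOCROOT
# Prints one finding per problem; returns 0 when clean, 1 otherwise.
audit_drupal_perms() {
    root=$1
    findings=0

    # World-writable entries can be altered by any local account, which on a
    # shared host means other customers. -perm -0002 is POSIX find syntax.
    ww=$(find "$root" ! -type l -perm -0002)
    if [ -n "$ww" ]; then
        printf 'world-writable:\n%s\n' "$ww"
        findings=$((findings + 1))
    fi

    # settings.php holds the database credentials; it should exist and carry
    # no write bit for owner, group or other once installation is complete.
    settings="$root/sites/default/settings.php"
    if [ ! -f "$settings" ]; then
        echo "missing: $settings"
        findings=$((findings + 1))
    elif [ -n "$(find "$settings" \( -perm -0200 -o -perm -0020 -o -perm -0002 \))" ]; then
        echo "writable (expected read-only): $settings"
        findings=$((findings + 1))
    fi

    # The upload directory must be writable by PHP, so it relies on the
    # .htaccess Drupal generates there to keep uploaded scripts from running.
    files="$root/sites/default/files"
    if [ -d "$files" ]; then
        if [ ! -f "$files/.htaccess" ]; then
            echo "no .htaccess in upload directory: $files"
            findings=$((findings + 1))
        fi
        php=$(find "$files" -type f -name '*.php')
        if [ -n "$php" ]; then
            printf 'PHP files in upload directory:\n%s\n' "$php"
            findings=$((findings + 1))
        fi
    fi

    [ "$findings" -eq 0 ]
}

# harden_drupal_perms DOCROOT
# Applies the assumed baseline. Leaves the upload directory at 755, which is
# enough where PHP runs as the site owner (suPHP/FastCGI, common on shared
# hosts); if PHP runs as a separate web-server user, that directory needs
# group write for that user rather than world write.
harden_drupal_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 444 "$root/sites/default/settings.php"
}

# make_sample_docroot DIR
# Constructed mini Drupal layout with deliberate defects (a world-writable
# index.php and a writable settings.php) so the audit has something to report.
make_sample_docroot() {
    d=$1
    mkdir -p "$d/sites/default/files" "$d/modules"
    : > "$d/index.php"
    : > "$d/sites/default/settings.php"
    : > "$d/sites/default/files/.htaccess"
    chmod 646 "$d/index.php"
    chmod 644 "$d/sites/default/settings.php"
}

# Demo: audit the constructed tree, harden it, audit again.
demo_dir=$(mktemp -d)
make_sample_docroot "$demo_dir"
echo "--- before hardening"
audit_drupal_perms "$demo_dir" || echo "(findings above)"
harden_drupal_perms "$demo_dir"
echo "--- after hardening"
audit_drupal_perms "$demo_dir" && echo "clean"
rm -rf "$demo_dir"
```

To audit a real site, call `audit_drupal_perms /path/to/docroot` on its own; run `harden_drupal_perms` only after confirming the baseline matches what your host and Drupal version expect, since the right mode for the upload directory depends on which user PHP runs as.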
Comments
That is WAY out of scope for this website -- people have made entire careers of documenting this and barely scratched the surface. Though I think a list of links to good references would be both in scope and helpful.
I get your point about noobs and drupal but we have a difficult enough time trying to keep drupal documentation current -- going down the pure security road would be a bottomless pit. Which OS? Which web servers? Which hosting environments? The list is endless.
There are many other places to get security information, but there's one drupal.org.
There is the beginnings of a guide at http://drupal.org/security/secure-configuration. But it could definitely use some TLC.
===
"Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime." - Lao Tzu
"God helps those who help themselves." - Ben Franklin
"Search is your best friend." - Worldfallz
Thanks for the quick
Thanks for the quick reply!
Sorry if I was out of line - as I say, I am new to Drupal and the community. I can see now some of the issues, and also the scope of Drupal.org. I am very new to all this.
Thanks for the link to the security page.
Just out of curiosity, do you know how to perform the same CHMOD changes the guide talks about without having SSH access, as I do not have SSH with my host?
Thanks
No worries, welcome aboard ;-)
Most hosts have a control panel file manager of some sort that allows you to make the permissions changes you need. Poke around yours -- it should be there somewhere.
===
"Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime." - Lao Tzu
"God helps those who help themselves." - Ben Franklin
"Search is your best friend." - Worldfallz
Shared host CHMOD?
Hmm, almost sounds like YOU might just have the incentive and the capability to work on that Drupal Security Guide yourself and you certainly get MY vote in any event.
I had been wondering about that very same topic of security recently as I have several Drupal sites that may be going live some time within the next few months or so.
If you are on a shared commercial host, the cp will typically allow you to access file permissions and alter them on a file-by-file basis. Log in and have a look around using the file manager.
Drupal security
I agree this is a need. It is not out of scope to be discussing this in drupal.org.