Last updated November 12, 2013. Created by qiqiy on April 9, 2008.
Edited by Gábor Hojtsy, silverwing, sanjiban, matt2000.

This section provides security configuration advice for site administrators and covers both things you should actively do and things you shouldn't do. The chapters are ordered by priority, judged by how likely each configuration is to be helpful and by its potential benefit or harm.

Site administrators should also sign up for the security mailing list. People interested in discussing security should join the Best Practices in Security group.

A number of contributed modules can help with security, not all of which are documented in this handbook. Among them is the Security Review module, which provides an analysis of your security configuration.

You can also read the documentation on writing secure code and on the security implications of translations from localize.drupal.org.


Comments

During DrupalCon 2012 in Denver, four speakers presented "Building And Securing Government Drupal Sites In The Cloud". I found this to be a nice wrap-up of security best practices. Hope it is of use: http://denver2012.drupal.org/program/sessions/building-and-securing-government-drupal-sites-cloud