There are two primary elements to maintaining a secure Drupal installation: ensuring that your application-specific configuration and code are appropriate and follow best practices, and keeping Drupal core and any modules or themes you’ve downloaded from Drupal.org up-to-date.
Incorrect use of core APIs and individual site misconfiguration are the cause of most vulnerabilities and weaknesses. Understanding possible attack vectors, keeping up to date with current best practices, and taking the time to evaluate and understand your unique Drupal installation will go a long ways towards helping you maintain a secure site.
- Understand how to assign roles and permissions in a secure way
- Configure text formats with security in mind
- Use core APIs to validate user input and perform other security best practices
The basic tenets of maintaining a secure site are pretty consistent. Keep track of updates, know how to use APIs properly, and how to write secure code. Most tutorials either provide a broad overview of the types of issues to be aware of, in which case they are likely to remain evergreen. Or they dive deep into a particular problem and related solution, in which case their helpfulness will depend on your use case. Regarding security in Drupal today, while there are many improvements related to security in this release, it's still quite possible to make your Drupal site insecure, so it remains important to understand security best practices and stay up-to-date with Drupal security updates.
Best practice for developers (api.drupal.org)
- Overview of standards and best practices for developers, including those related to security.
Is Drupal Secure? (Drupal.org)
- Provides useful context and additional information for evaluating Drupal’s security and being able to answer the question, “Is Drupal secure?”
Security in Drupal (Drupal.org)
- Guide with some tips for writing secure code and common configuration gotchas for site builders and developers.
Writing Secure Code (Drupal.org)
- A documentation guide on writing secure code in Drupal.
Sanitizing on output to avoid Cross Site Scripting (XSS) attacks (Drupal.org)
- A list of utility classes and functions provided by Drupal core to assist with writing secure code. Read through this list at least once to familiarize yourself with available options.
We suggest you follow @drupalsecurity on Twitter and/or use one or more other methods to get notified of security updates to Drupal core and contributed code. Learn more about the available options:
Staying aware of Drupal security updates (acquia.com)
- An overview of various methods for getting notified about security releases with pros and cons for each.
Additional resources related to security:
Learn How to Keep Drupal 8 Safe and Secure (youtube.com)
- This series of videos walks through security announcements, common configuration gotchas, and other Drupal-specific security concerns.
Cracking Drupal (youtube.com)
- This presentation provides a great overview of security issues in Drupal and PHP applications in general. Covers common mistakes developers make and how to avoid them, as well as modules that can help improve a site’s security.
How to write insecure Drupal 8 code (pnwdrupalsummit.org)
- Most Drupal security resources exist to help users write secure code - but how do we know what insecure code looks like? This presentation covers the most common types of Drupal security vulnerabilities with real-world examples of vulnerable code.