There are two primary elements to maintaining a secure Drupal installation: ensuring that your application-specific configuration and code are appropriate and follow best practices, and keeping Drupal core and any modules or themes you’ve downloaded from Drupal.org up-to-date.
Incorrect use of core APIs and individual site misconfiguration are the cause of most vulnerabilities and weaknesses. Understanding possible attack vectors, keeping up to date with current best practices, and taking the time to evaluate and understand your unique Drupal installation will go a long ways towards helping you maintain a secure site.
Example tasks
- Understand how to assign roles and permissions in a secure way
- Configure text formats with security in mind
- Use core APIs to validate user input and perform other security best practices
Confidence
The basic tenets of maintaining a secure site are pretty consistent. Keep track of updates, know how to use APIs properly, and how to write secure code. Most tutorials either provide a broad overview of the types of issues to be aware of, in which case they are likely to remain evergreen. Or they dive deep into a particular problem and related solution, in which case their helpfulness will depend on your use case. Regarding security in Drupal today, while there are many improvements related to security in this release, it's still quite possible to make your Drupal site insecure, so it remains important to understand security best practices and stay up-to-date with Drupal security updates.
Drupalize.Me resources
Overview of security updates, how bugs are handled, and non-security updates.
How to secure a site by staying informed about the latest security updates.
The process for keeping Drupal core and contributed modules and themes up to date with the latest security and minor version releases.
In Drupal’s core library there are a number of utility functions and classes that, as a module developer, you will find make your task easier or less tedious.
Drupal's development has a regular release cycle consisting of major, minor, and patch releases. Drupal releases use semantic versioning for its version numbers. Since we're committed to making sure our tutorials are kept up-to-date with the latest and greatest version of Drupal we figured it would be a good idea if you knew how to keep your Drupal site up-to-date with the latest "point" releases as well.
This tutorial will cover:
- How to determine the type of update
- The standard update procedure
- Update Drupal using Drush
- Update Drupal using Composer
This tutorial won't cover:
- How to perform a major version Drupal upgrade, for example, from Drupal 6 or 7 to the latest version of Drupal. For that, see our guide, Learn to Migrate to Drupal.
Text formats are an important security feature of Drupal, so it pays to understand them. A text format will “scan” your content and make HTML formatting changes to it before sending it to the browser for display. In this lesson we'll see what formats and filters are, and how they relate to each other, walk through the filter workflow, as well as reviewing the default formats that come with Drupal core.
Additional resources
Drupal Coding Standards
TopicCoding standards provide a set of rules for how your code should be formatted, and best practice guidelines for naming conventions and the location of files.
External resources
-
Best practice for developers (api.drupal.org)
- Overview of standards and best practices for developers, including those related to security.
-
Is Drupal Secure? (Drupal.org)
- Provides useful context and additional information for evaluating Drupal’s security and being able to answer the question, “Is Drupal secure?”
-
Security in Drupal (Drupal.org)
- Guide with some tips for writing secure code and common configuration gotchas for site builders and developers.
-
Writing Secure Code (Drupal.org)
- A documentation guide on writing secure code in Drupal.
-
Sanitizing on output to avoid Cross Site Scripting (XSS) attacks (Drupal.org)
- A list of utility classes and functions provided by Drupal core to assist with writing secure code. Read through this list at least once to familiarize yourself with available options.
We suggest you follow @drupalsecurity on Twitter and/or use one or more other methods to get notified of security updates to Drupal core and contributed code. Learn more about the available options:
-
Staying aware of Drupal security updates (acquia.com)
- An overview of various methods for getting notified about security releases with pros and cons for each.
Additional resources related to security:
-
Learn How to Keep Drupal 8 Safe and Secure (youtube.com)
- This series of videos walks through security announcements, common configuration gotchas, and other Drupal-specific security concerns.
-
Cracking Drupal (youtube.com)
- This presentation provides a great overview of security issues in Drupal and PHP applications in general. Covers common mistakes developers make and how to avoid them, as well as modules that can help improve a site’s security.
-
How to write insecure Drupal 8 code (pnwdrupalsummit.org)
- Most Drupal security resources exist to help users write secure code - but how do we know what insecure code looks like? This presentation covers the most common types of Drupal security vulnerabilities with real-world examples of vulnerable code.