Topic
Last updated August 24, 2017

There are two primary elements to maintaining a secure Drupal installation: ensuring that your application-specific configuration and code are appropriate and follow best practices, and keeping Drupal core and any modules or themes you've downloaded from Drupal.org up to date.

Incorrect use of core APIs and individual site misconfiguration are the cause of most vulnerabilities and weaknesses. Understanding possible attack vectors, keeping up to date with current best practices, and taking the time to evaluate and understand your unique Drupal installation will go a long ways towards helping you maintain a secure site.

Example tasks

  • Understand how to assign roles and permissions in a secure way
  • Configure text formats with security in mind
  • Use core APIs to validate user input and perform other security best practices

Confidence

The basic tenets of maintaining a secure site are pretty consistent. Keep track of updates, know how to use APIs properly, and how to write secure code. Most tutorials either provide a broad overview of the types of issues to be aware of, in which case they are likely to remain evergreen. Or they dive deep into a particular problem and related solution, in which case their helpfulness will depend on your use case.

Drupalize.Me resources

More Guides

We have guides on many Drupal skills and topics.

Explore guides

External resources

We suggest you follow @drupalsecurity on Twitter and/or use one or more other methods to get notified of security updates to Drupal core and contributed code. Learn more about the available options:

Additional resources related to security:

  • Drupal 8 User Guide: Concept: Security and Regular Updates (drupal.org)

    • Learn about the security team, how security-related bugs are reported and handled, and links to other security pages in the Drupal 8 User Guide.
  • Is Drupal Secure? (drupal.org)

    • Provides useful context and additional information for evaluating Drupal's security and being able to answer the question, "Is Drupal secure?"
  • Security in Drupal 8 (drupal.org)

    • Guide with some tips for writing secure code and common configuration gotchas.
  • Learn How to Keep Drupal 8 Safe and Secure (youtube.com)

    • This series of videos walks through security announcements, common configuration gotchas, and other Drupal-specific security concerns.
  • Sanitization functions (api.drupal.org)

    • A list of utility classes and functions provided by Drupal core to assist with writing secure code. Read through this list at least once to familiarize yourself with available options.
  • Cracking Drupal (youtube.com)

    • This presentation provides a great overview of security issues in Drupal and PHP applications in general. Covers common mistakes developers make and how to avoid them, as well as modules that can help improve a site's security.