There are two primary elements to maintaining a secure Drupal installation: ensuring that your application-specific configuration and code are appropriate and follow best practices, and keeping Drupal core and any modules or themes you've downloaded from Drupal.org up to date.
Incorrect use of core APIs and individual site misconfiguration are the cause of most vulnerabilities and weaknesses. Understanding possible attack vectors, keeping up to date with current best practices, and taking the time to evaluate and understand your unique Drupal installation will go a long ways towards helping you maintain a secure site.
- Understand how to assign roles and permissions in a secure way
- Configure text formats with security in mind
- Use core APIs to validate user input and perform other security best practices
The basic tenets of maintaining a secure site are pretty consistent. Keep track of updates, know how to use APIs properly, and how to write secure code. Most tutorials either provide a broad overview of the types of issues to be aware of, in which case they are likely to remain evergreen. Or they dive deep into a particular problem and related solution, in which case their helpfulness will depend on your use case.
- Minor Version and Security Updates topic
- Keeping the code you downloaded from Drupal.org up to date when new releases come out is an important part of maintaining a secure site.
- Utility Functions and Classes topic
- Drupal core provides a number of utility classes and functions to aid in writing secure code that every developer should be familiar with.
- Update Drupal's Minor Version
- Learn how to apply Drupal core updates using a variety of different methods.
- Spotlight: Text Formats and Filters
- Understanding how text formats and filters work can help prevent configuration that leads to potential attack vectors.
- Coding Standards in Drupal
- Following existing best practices and coding standards will help to ensure your code is secure.