What Basic Steps You can take to make you drupal site to make it much more secure.
Actually Drupal is configured to be secure out of the box, because it restrained it's permission, but as we extend website according to our need we get playing around with the permission section. and there we start making our drupal site much more volnerable to attacks of outer world.
Basic things that we can do to make our site much more strong enough to kick off the attacks.
Use Strong Passwords
we must use the strong password, the person logged in with user 1 or from the much powerful permission account can do much more damage to the site.
To make you password strong, you should add uppercase letters, number and punctuation combination
Good referce for password visit
User 1 Should Only Be Used For Administration Purposes Only
Because user 1 has been given permission to do everything on the site, while installation. Its better Idea to Usser account as super user account and you create another with appropriate permissions
Be Careful When Assigning Permissions
Permissions starting with Administer must only be granted to highly trusted users. Some permissions have security implications and should only be granted with extra care. Permission like "Bypass content access control" can give the user ability to Add, Edit, Delete any content on site and this could really dangerous
By default Administrator need to approve the account created by the user but some time we bypass this scenario and let the user create his account with any involving the administrator to approve the accout. Id we do this we should review what permissions the Authenticated User role has and ensure they are all safe.
Keep Text Formats Tight and Secure
Each text format contains a set of filters that will escape content and make it safe for display. By default, the text formats such as Filtered HTML and Plain Text are safe as they have very limited and no tags allowed to insert in text
Though Drupal sanitize the output before rendering to the page. But we should not never trust the user inout
Avoid Using the PHP Filter Module
First of all it make hard and most impossible to version the code saved in database, secondly hard to make the code review, thirdly it would be hard to track the error, and lastly In terms of performance, storing PHP code in the database will prevent any opcode caching mechanism from working on this piece of code
Thanks
0 Comment(s)