Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Status
titleReviewed 230531

1. Keep Drupal core and modules up to date

...

Do not use the conventional admin username for the site administrator. Be smart with the usernames and choose a complex password. Kalamuna has special email address that needs to be used as user 1 email.

When possible, inactivate the user 1, as this is the user with the greatest privileges and very often bypasses all Drupal security layers. Use regular users with administrator role instead, especially on already launched websites.

5. Use Drupal security modules

  • Login Security: improves the security options in the login operation of a Drupal site. By default, Drupal introduces only basic access control denying IP access to the full content of the site.

  • Flood Control: protect the login form against brute force attacks, limiting the number of failed login attempts allowed within a time period.

  • Password Policy: provides a way to enforce restrictions on user passwords by defining password policies.

  • Captcha: a challenge-response test most often placed within web forms to determine whether the user is human.

  • Automated Logout: provides the ability to log users out after a specified time of inactivity.

  • Session Limit: this allows to limit the number of simultaneous sessions per user.

  • Security Kit: provides Drupal with various security-hardening options. This lets you mitigate the risks of exploitation of different web application vulnerabilities.

  • Security Review: automates testing for many of the easy-to-make mistakes that render your site insecure.

...

7. Check file permissions

In this article, there are the This article includes a fix-permissions.sh script that you can run that configure all files and folder permissions accordingly according to the Drupal best practices. https://www.drupal.org/node/244924

8. Remove all unused modules

There is no reason to have unused code on your website.

9. Block access to

...

sensitive files

Restrict the access to some important files like authorize.php, cron.php, install.php, update.php using the .htaccess for sites served via Apache.

Code Block
<FilesMatch "(authorize|cron|install|upgrade)\.php">
    Order deny, allow
    deny from all
    Allow from 127.0.0.1
</FilesMatch>

...

It’s always easier to add a new permission to a user role than removing some remove them after they users are used to what they had before.having access.

11. Protect Pantheon multidev environments

Setup a password for Pantheon multidev environments with password protection at all times as well as dev and test environments.

...

Review History

Who

When

Status

Bob

20230531

Current