I was recently looking at certain random things for all the Drupal sites that I know, to see what information I can get from these sites, and I was surprised to see that many of them do not have the basic Drupal security recommendations done. For example, I could tell the exact Drupal, PHP and Nginx versions in many cases. Some of the sites were on Drupal versions that were vulnerable. So I decided to write a checklist that, if followed exactly, will take care of at least the recommended best practices.

Drupal core, and contrib modules that are checked in for security coverage (green tick), frequently receive security updates. If you have configured your mail settings properly, you will be notified almost immediately about these. Make sure you take action and get a hotfix rolling to get this done.

Frequently back up your db and code. Try to set up an easy "rollback to a snapshot". For example, I often create a db and code snapshot using a bash script which saves the details into a file. If anything goes wrong, I can run the rollback script against the db and code tag that is specified in the file. There are many ways to accomplish this if you've hosted using AWS, GCP or managed platforms like Acquia, Platform.sh or Pantheon.

User 1 in Drupal is a super admin and has access to ALL configs and settings. Make sure no one can gain access to it by simply blocking it.

Don't use usernames like admin or administrator for admin account 1. Use an uncommon name or random characters instead of a meaningful name for the UID 1 user account.

Use login_security, seckit and password_policy. Use modules like login_security to block people from brute-forcing your login; the login_security module can block IP addresses and lock accounts after multiple wrong password attempts. Use the password_policy module to force new users to generate a strong password. Use authenticator apps, SMS or email OTPs as a first step for logins, making them more secure. Better yet, use a module like secure_domain_login to move the login page to a separate domain.

Use the seckit module correctly by setting the right security headers. Make sure that in your CSP you only allow the external sources you use; see How to correctly set Content-Security-Policy headers. Some of the recommended common HTTP security headers for your Drupal website are:

Protect your site using a free CDN/WAF service. I use Cloudflare and their free plan is a godsend. I stop many DDoS attackers and random attackers trying to look for an opening by putting in WAF rules that block requests with certain keywords. I also hide the public IP address of my server by proxying all requests through Cloudflare. Most of the security and performance of my website is done using the Cloudflare free plan.

Make sure you redirect all your HTTP requests to HTTPS at the web server level, the CDN/WAF level, or both. If you do not want to purchase and install a certificate, this can be easily done using Let's Encrypt. It provides you a free certificate that can be easily installed by a simple Python script.

Close all other ports except the two used for HTTP and HTTPS, using iptables, a firewall (ufw) or security groups if you are using AWS. If you are using containers, make sure only the web server container is publicly available.

Set the right file permissions and ownership for all your files. Ideally the whole codebase and the files folder are owned by the web user, with 644 permissions. No folder or file should be writable by any user, other than the files folder; check the settings.php and install.php files in particular. You can double-check all of this by writing a script and saving the responses from each of these files. The install.php file gives away the exact Drupal version and must be hidden at all costs. You can set WAF rules at the CDN/WAF level to save your web server from having to respond with a 40x to these requests.
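As an added example (not the author's own script), the Python audit below implements the file-permission part of the checklist: it walks a Drupal docroot and reports anything writable by group or other outside the files directory, plus any settings.php that is writable at all (Drupal's own status report warns about a writable settings.php). The writable-directory list and the sample tree it builds are assumptions constructed for a dry run.

```python
import os
import stat
import tempfile
from pathlib import Path

# Directories (relative to the docroot) the web user legitimately writes to.
# Assumption for this example: only the default public files directory.
WRITABLE_DIRS = ("sites/default/files",)

def audit_permissions(docroot):
    """Return [(relative_path, octal_mode, reason)] for entries that break the
    checklist: group/other-writable outside the files dir, or a writable settings.php."""
    root = Path(docroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            mode = stat.S_IMODE(path.lstat().st_mode)
            if name == "settings.php":
                if mode & 0o222:  # any write bit set, even for the owner
                    findings.append((rel, oct(mode), "must not be writable"))
            elif any(rel == d or rel.startswith(d + "/") for d in WRITABLE_DIRS):
                continue  # uploads live here; the web user needs write access
            elif mode & 0o022:  # group or other write bit set
                findings.append((rel, oct(mode), "writable by group/other"))
    return findings

def build_sample_site():
    """Create a constructed, Drupal-like tree with two deliberate mistakes."""
    base = Path(tempfile.mkdtemp(prefix="drupal-audit-"))
    layout = {
        "index.php": 0o644,
        "core/install.php": 0o644,
        "sites/default/settings.php": 0o664,    # mistake: writable
        "sites/default/files/logo.png": 0o664,  # fine: inside the uploads dir
        "modules/custom/foo.module": 0o666,     # mistake: world-writable
    }
    for rel, mode in layout.items():
        f = base / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text("")
        f.chmod(mode)
    for d in (p for p in base.rglob("*") if p.is_dir()):
        d.chmod(0o755)  # code directories: not writable by group/other
    (base / "sites/default/files").chmod(0o775)  # uploads dir: web user writes here
    return base

if __name__ == "__main__":
    print(audit_permissions(build_sample_site()))
```

Point `audit_permissions()` at your real docroot (for example `/var/www/html`) to get the list of files to fix.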