Drupal security

Several months ago I put together a presentation for Linuxfest in Bellingham regarding several hacking events that I had experienced and the changes that I needed to make in my processes and Drupal sites to ensure that they were secure. I had a schedule conflict and wasn't able to give the presentation, so I have put together a short list here of what I found useful.

  1. Use strong passwords. Ten characters long, random, a mixture of punctuation, caps and numbers. Another possibility is two-factor authentication. The Drupal security group has a great post here.
  2. Do updates. Drush makes updates easy. Only rarely will an update break a site unless you have done something to hack core.
  3. Use something other than "admin" for user 1. I can't believe how many times I see this simple step violated. Save user 1 for updates and create a limited administrator role for everyday use in editing the site.
  4. Guard against brute force attacks. If you see repeated login attempts coming from the same IP, block it. Use modules to limit unsuccessful login attempts; Login Security is one such module.
  5. Monitor for malware. I like Sucuri SiteCheck, but Google has great tools as well.
  6. Clean up your installation. Don't leave unused modules and themes around, especially the devel module, but others as well can become vectors for hacking over time.
  7. Control sensitive information. Use secure FTP (SFTP) and SSH. Remove old copies of databases.
  8. Stay vigilant. Pay attention to Drupal security. I subscribe to the Security team RSS feed.
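To make item 4 concrete, here is an added example (not code from the original post) that flags source IPs with repeated failed logins in Drupal's syslog-module log lines. The sample lines, the threshold of five failures and the ten-minute window are constructed assumptions; adjust them to your own traffic before acting on a match.

```python
"""Flag IPs with repeated failed Drupal logins (added example, constructed data)."""
from collections import defaultdict

# Constructed sample lines in the Drupal syslog module's default field order:
# base_url|timestamp|type|ip|request_uri|referer|uid|link|message
SAMPLE_LOG = """\
https://example.com|1700000000|user|203.0.113.5|/user/login||0||Login attempt failed for admin.
https://example.com|1700000010|user|203.0.113.5|/user/login||0||Login attempt failed for admin.
https://example.com|1700000020|user|203.0.113.5|/user/login||0||Login attempt failed for root.
https://example.com|1700000025|user|198.51.100.7|/user/login||0||Login attempt failed for editor.
https://example.com|1700000030|user|203.0.113.5|/user/login||0||Login attempt failed for admin.
https://example.com|1700000040|user|203.0.113.5|/user/login||0||Login attempt failed for admin.
https://example.com|1700000100|user|198.51.100.7|/user/login||2||Session opened for editor.
https://example.com|1700009000|user|203.0.113.5|/user/login||0||Login attempt failed for admin.
"""

FAILED_MARKER = "Login attempt failed"


def parse_failures(log_text):
    """Yield (ip, unix_timestamp) for every failed-login line in the log."""
    for line in log_text.splitlines():
        fields = line.split("|", 8)
        if len(fields) != 9:
            continue  # skip lines that are not in the expected format
        _base, ts, log_type, ip, *_rest, message = fields
        if log_type == "user" and message.startswith(FAILED_MARKER):
            yield ip, int(ts)


def flag_bruteforce(log_text, threshold=5, window=600):
    """Return {ip: max_failures} for IPs that reach `threshold` failures
    inside any sliding window of `window` seconds (assumed defaults)."""
    by_ip = defaultdict(list)
    for ip, ts in parse_failures(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # drop failures that fell out of the window
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, count in flag_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within window, consider blocking")
```

The single late failure from 203.0.113.5 falls outside the window and does not inflate the count, so a cooled-off address is not flagged on that line alone.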

Due to the HIGH popularity of this thread with sophisticated spammers, it is closed. Use the contact form and I will post it.