This section provides security configuration advice for site administrators and includes both "things you should actively do" and "things you shouldn't do". The chapters are ordered in an attempt to reflect priority, based on the likelihood that a configuration will be helpful and on its potential benefit or harm.

There is also a page elsewhere on reporting a security issue.

Site administrators should also sign up for the security mailing list. People interested in discussing security should join the Best Practices in Security group.

There are a number of contributed modules which can help with security, not all of which are documented in this handbook. One of these is the Security Review module, which provides an analysis of your security configuration.

You can also read documentation for writing secure code and about the security implications of translations from localize.drupal.org.

The key to security is eternal vigilance. Updating code, both within Drupal and across your hosting infrastructure, is a necessary process to ensure you stay secure. Setting up a secure Drupal web application server and walking away is not sufficient. Be aware of the update process for your systems (the Drupal Security Team releases security updates each Wednesday), and ensure someone is keeping on top of this, with sufficient time allocated to perform updates to Drupal, your web server software, database software, and all other packages installed on your systems.

Security updates can be followed through the Drupal Security page.

RSS feeds are also available for core, contrib, and public service announcements.
You can also follow @drupalsecurity on Twitter.

In addition, all security announcements are posted to an email list. To subscribe by email: log in, go to your user profile page, and subscribe to the security newsletter on the Edit » My newsletters tab.