Last updated 30 March 2016. Created on 9 April 2008.
Edited by Shirlockc, aaronott, nerdcore, Gábor Hojtsy.

This section provides security configuration advice for site administrators and includes both "things you should actively do" and "things you shouldn't do". The chapters are ordered by priority, based on how likely each configuration is to be helpful and on its potential benefit or harm.

Site administrators should also sign up for the security mailing list. People interested in discussing security should join the Best Practices in Security Group.

There are a number of contributed modules that can help with security, not all of which are documented in this handbook. One such module is Security Review, which provides an analysis of your security configuration.

You can also read documentation for writing secure code and about the security implications of translations from

The key to security is eternal vigilance. Updating code, both within Drupal and across your hosting infrastructure, is a necessary process to ensure you stay secure. Setting up a secure Drupal web application server and walking away is not sufficient. Be aware of the update process for your systems (the Drupal Security Team releases security updates each Wednesday), and ensure someone is keeping on top of this, with sufficient time allocated to perform updates to Drupal, your web server software, database software, and all other packages installed on your systems.

Security updates can be followed through the Drupal Security page.

RSS feeds are also available for core, contrib, and public service announcements.
You can also follow @drupalsecurity on Twitter.

In addition, all security announcements are posted to an email list. To subscribe by email: log in, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.



seraphin

During DrupalCon 2012 in Denver four speakers presented "Building And Securing Government Drupal Sites In The Cloud". I found this to be a nice wrap-up of security best practices. Hope it is of use:

kamloopspaul

Unfortunately, the video presentation featured at this link is no longer available; it was removed from Blip last November.

opratr

The DrupalCon Denver 2012 Presentation on BUILDING AND SECURING GOVERNMENT DRUPAL SITES IN THE CLOUD has been moved to the Drupal Association YouTube channel:

nerdcore

OpenConcept Consulting Inc. has developed a guide titled Drupal Security Best Practices - A Guide for Governments and Nonprofits.

While it was originally directed at Canadian Government departments, it is our hope that this document will alleviate the time necessary to secure Drupal sites for everyone in all sectors.