Last updated November 12, 2013. Created on April 9, 2008.
Edited by Gábor Hojtsy, silverwing, sanjiban, matt2000.

This section provides security configuration advice for site administrators and includes both "things you should actively do" and "things you shouldn't do". The chapters are ordered by priority, based on the likelihood that each configuration will be helpful and on its potential benefit or harm.

Site administrators should also sign up for the security mailing list. People interested in discussing security should join the Best Practices in Security Group.

There are a number of contributed modules that can help with security, not all of which are documented in this handbook. Among them is the Security Review module, which provides an analysis of your security configuration.

You can also read documentation for writing secure code and about the security implications of translations from



seraphin’s picture

During DrupalCon 2012 in Denver four speakers presented "Building And Securing Government Drupal Sites In The Cloud". I found this to be a nice wrap-up of security best practices. Hope it is of use:

kamloopspaul’s picture

Unfortunately, the video presentation featured at this link is no longer available; it was removed from Blip last November.

opratr’s picture

The DrupalCon Denver 2012 Presentation on BUILDING AND SECURING GOVERNMENT DRUPAL SITES IN THE CLOUD has been moved to the Drupal Association YouTube channel: