Drupal Security White Paper

Attached is a report (licensed CC-BY-ND) about Drupal's security. This report can help an organization answer the question "Is the Drupal project secure enough for my organization?"

You can read the PDF Drupal Security Report.

Drupal Security Best Practices

A Practical Guide

Mike Gifford

OpenConcept Consulting Inc.

The need for organizations to understand security has never been higher. Unfortunately, bad assumptions have led to many sites being left very vulnerable to attack.

OpenConcept developed this best practices guide as a starting point for thinking about the security of your website. Much of the information required to secure Drupal is common across most web servers, so even if you are not currently using the Drupal CMS, this document may be useful. There is of course a technical element, but many of the principles are things that need to be understood clearly by everyone.

Security needs to be regularly re-evaluated. This book does not include coding best practices, but there are many references included in this document for those looking to learn more.

This guide has lots of practical tips for experienced web developers and systems administrators, but also contains information for managers. We've tried to include useful examples of how to implement these best practices. There are lots of links to other resources for people who want to learn more.

In the latest release we've expanded information about Drupal 8, included information about crackers, and highlighted security regulations that you may need to comply with. We've expanded the Drupal section to explain in more detail how to evaluate Drupal modules and themes for security.

You don't need to be a security expert to get value from this document as everyone benefits from having a better understanding of web security.

Services Security Updates

This page is used as documentation for Services Security. It is unfortunate that issues come up that affect Services, but running the latest version of Services should help mitigate any issues.

If you see an issue and think it is security related, please follow the instructions here.

Updating OpenAid

The update process with OpenAid is the same as the process for updating modules on a standard Drupal site. Note that contributed modules for OpenAid live in profiles/openaid/modules/contrib rather than in the usual location, sites/all/modules/contrib.

OpenAid does have regular updates, often to keep up with security releases of Drupal core and contributed modules. However, OpenAid site maintainers are encouraged to update modules (especially those with security updates) as updates become available rather than waiting for a new release of OpenAid.

Password Form

Protected Node Password Form

Once a node is protected, a simple password form is shown to users who cannot bypass the password.

The password form includes a field for users to enter the node password, and an "OK" button.

When the user's browser sends a referrer, the Protected Node module adds a "Cancel" link back to that referrer. The "Cancel" link can be made to always appear by selecting that option in the module's global settings. If no referrer is available, the "Cancel" link returns users to the home page.
