
The Most Basic Thing About Securing Drupal (or any CMS)

Submitted by chuck1 on Thu, 2010-08-12 13:03

I got that message today; Drupal admins know the one:

Critical security update required! Please check available updates to ensure the security of your server.

(or something like that...)

It's all in red and stuff, looks really intimidating, like, "Oh my God, what if the hackers have discovered this vulnerability before the Drupal development community did!"

First of all, that is highly unlikely, so unless you just let your Drupal sites sit there for months on end without checking for updates, you're probably OK. Even if you have been lax, you can do a lot to secure a Drupal installation so that these messages really don't mean much. Of course you should keep your system up to date, but there are things you can do so that even if you fall behind, you're probably gonna be safe from attack.

Anyway, you definitely want to turn on auto-notifications and update checking. This is especially true if you're running a site with a lot of bells and whistles. If you are running such a site, make sure update checking is on, and set the notifications to be sent to your e-mail address so that you find out within minutes when things need fixing.

Third-party modules can open up lots of cans of worms. So can third-party themes, which is why you should, generally, stick with the basic ones or develop your own. That's the first rule of thumb: Keep it as simple as possible.

(Developing your own modules can be dangerous, by the way. The ones offered by communities of developers are going to have more sets of eyes on them and will therefore be more secure.)

It turns out that this latest security update didn't really affect my sites. The vulnerabilities were only relevant to sites that might have users with some form of escalated privileges that I don't allow anyone, including clients, or that use modules my sites do not.

Can you guess the Golden Rule?

Don't let anyone interact with your site if you're not monitoring on the regular. If people are interacting with your site, severely limit what they can do.

It's been that way with computer security since UNIX was first invented in 1971 or whatever. Regular users are not allowed to do jack sh!t. Only trusted admins can do that. The first line of defense is a very strong administrative password that changes with some regularity. If your system is compromised, this narrows down the list of suspects and vectors of attack.

Anyway, back to Drupal (and any other CMS, for that matter)...

The comment form in Drupal is pretty rock-solid in filtering stuff out, but if you're letting people post pictures, locations, or -- God forbid -- upload files, you're taking risks, no matter how up-to-date you may be. Do not allow the "Full HTML" posting privileges to anyone who does not have admin-level privileges. You're asking for trouble if you do that. Again, Drupal is pretty solid here, but an ounce of paranoia is worth a ton of headaches in unwinding problems with crackers.

If you keep to the Golden Rule, even if you are lax in keeping Drupal (or your CMS of choice) up to date, you can rest easy. I know it might seem obvious, but it is a good idea to audit your sites and make sure you're not letting anyone do anything that they don't need to do.
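One way to do that audit for the two things the post singles out (risky permissions in the hands of non-admin roles, and "Full HTML" granted to anyone below admin level), as an added example that is not code from the original post. It assumes the Drupal 6 layout of the `permission` and `filter_formats` tables and runs over constructed sample rows:

```python
# Added example, not code from the original post: audit a Drupal 6 style dump
# of the permission and filter_formats tables for grants that break the rule
# "severely limit what non-admins can do". Rows below are constructed sample
# data; the table shapes are an assumption about the Drupal 6 schema.

# Role IDs Drupal reserves for untrusted users: 1 = anonymous, 2 = authenticated.
UNTRUSTED_ROLES = {1: "anonymous user", 2: "authenticated user"}
# Permissions nobody outside an admin role should hold: exact names, plus any
# "administer ..." or "use PHP ..." permission matched by prefix.
RISKY_EXACT = {"upload files", "post comments without approval"}
RISKY_PREFIXES = ("administer ", "use PHP")

# Constructed `permission` rows: (rid, perm), perm being a comma-separated list.
PERMISSION_ROWS = [
    (1, "access content"),
    (2, "access content, post comments, post comments without approval, upload files"),
    (3, "access content, administer nodes, administer users, use PHP for block visibility"),
]
# Constructed `filter_formats` rows: (format id, name, roles), roles being a
# comma-delimited list of role IDs such as ",1,2,".
FILTER_FORMAT_ROWS = [(1, "Filtered HTML", ",1,2,"), (2, "Full HTML", ",2,3,")]

def parse_permissions(rows):
    """Return {rid: set of permission names} from permission-table rows."""
    perms = {}
    for rid, perm in rows:
        perms.setdefault(rid, set()).update(p.strip() for p in perm.split(",") if p.strip())
    return perms

def is_risky(perm):
    return perm in RISKY_EXACT or perm.startswith(RISKY_PREFIXES)

def audit_permissions(rows):
    """List risky permissions held by the anonymous or authenticated role."""
    findings = []
    for rid, perms in sorted(parse_permissions(rows).items()):
        if rid in UNTRUSTED_ROLES:
            findings += [f"{UNTRUSTED_ROLES[rid]} has '{p}'" for p in sorted(perms) if is_risky(p)]
    return findings

def audit_formats(rows, format_name="Full HTML"):
    """List untrusted roles allowed to use the named (unfiltered) input format."""
    findings = []
    for fid, name, roles in rows:
        if name != format_name:
            continue
        for rid in sorted({int(r) for r in roles.split(",") if r} & set(UNTRUSTED_ROLES)):
            findings.append(f"{UNTRUSTED_ROLES[rid]} may use '{name}' (format {fid})")
    return findings
```

Call `audit_permissions(PERMISSION_ROWS)` and `audit_formats(FILTER_FORMAT_ROWS)` to get the warning lines; on a real site you would feed them rows pulled from the corresponding tables instead of the constructed ones.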

Copyrights to all content in the domain http://chucklinart.com are owned by the users who posted. All opinions are owned by the users who posted them and do not necessarily reflect those of the site's operators. The site itself is Copyright © 2006-2011, Charles Linart