hardening drupal for a live deployment

Are there any special security measures to take when deploying a Drupal site to a production server?

For instance: I can imagine that we need to remove install.php from the root directory. Are there any more actions?

Or is there maybe a module available which checks the site for "world readiness"?

Meneau answered 20/8, 2009 at 14:10 Comment(0)

The status report on http://your-site/admin/reports/status will tell you if anything is not quite right.

Under the performance admin page you can turn on various caching settings, but test your site with them turned on before deploying.

There is a book by greggles for securing drupal, which may be worth a look.

Elishaelision answered 20/8, 2009 at 15:42 Comment(1)
Yes, this. Make sure the admin password is some gobbledygook, not something people will remember, and suggest the client not use it unless absolutely necessary. Also make sure that your database settings are such that it only accepts localhost connections, and have a similarly random password for that connection as well. - Weekender

Ideally you've tested your code for insecurities before deploying, but configuration can often be missed. There's a module for analyzing your Drupal site for misconfiguration that would lead to vulnerabilities: http://drupal.org/project/security_review

Security Review makes the following checks:

  • Safe permissions on system files
  • PHP in comments or nodes
  • Whether error reporting is on
  • Unsafe input formats
  • Whether private files are on and whether the files directory is outside the webroot
  • Allowed upload extensions
  • Admin permissions granted to untrusted users
Kirschner answered 22/4, 2011 at 4:22 Comment(0)

In addition to other suggestions, remove update.php also.

I'd also (re)move /scripts from the webroot.

It's a minor thing, but you could remove the text files in the root of the distribution which leak the version number. Such as CHANGELOG.txt etc.

I don't remember how safely cron.php protects itself from flood-calling. You may want to look into whether it is worth limiting that to local-only or command-line-only access.

Ensure that .inc files are processed by PHP.

Drome answered 20/8, 2009 at 15:39 Comment(3)
We've never found it necessary to remove update.php - it's restricted from being used by anyone but the admin user 0, and if a hacker has access to that, well, you're in trouble. You don't need to move or remove any of the files when installing Drupal, and the problem with doing this is that when you upgrade Drupal to the next security release, you may end up with files in two places, with the confusion and errors that would cause. - Weekender
The question was about security, not ease of install. A layered approach to security is always a good idea. How far you take that is up to you. You are certainly right in saying that you need to re-examine the fileset on each upgrade. But there are few good reasons to leave executable files that you don't need hanging around in the webroot. It's all about limiting the attack surface, should an unknown vulnerability be introduced in any (perhaps a different) application. - Drome
+1 for attending to minor things like version leakage and the notion of layered security. - Damiendamietta
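A read-only audit script covering the file-level points raised in the Security Review answer and in Drome's answer above (leftover install.php, update.php and /scripts, version-leaking .txt files, settings.php permissions, the files-directory and root .htaccess rules). This is an added example, not Drupal code or the Security Review module; it assumes a Drupal 6/7 layout with sites/default and Apache .htaccess files.

```shell
#!/bin/sh
# Added example (not Drupal code or the Security Review module): read-only audit
# of a Drupal 6/7 webroot for the file-level items raised in this thread. Settings
# kept in the database (error reporting, input formats, upload extensions) are out
# of reach here. Usage: drupal_audit /var/www/drupal -> prints findings, returns count

drupal_audit() {
    root=$1
    findings=0
    # Installer/updater scripts and the /scripts helpers need not be web-reachable.
    for f in install.php update.php scripts; do
        [ -e "$root/$f" ] && { echo "WARN $f is still in the webroot"; findings=$((findings + 1)); }
    done

    # CHANGELOG.txt and the other root .txt files reveal the exact core release.
    for f in "$root"/*.txt; do
        [ -e "$f" ] || continue                        # glob matched nothing
        case ${f##*/} in robots.txt) continue ;; esac  # robots.txt belongs there
        echo "WARN ${f##*/} leaks release information"
        findings=$((findings + 1))
    done

    # settings.php carries the database credentials: deny group/world write.
    s="$root/sites/default/settings.php"
    if [ -f "$s" ]; then
        case $(ls -ld "$s" | cut -c1-10) in            # mode string, e.g. -rw-rw-r--
            ?????w*|????????w*)                        # group (col 6) or other (col 9) write bit
                echo "WARN settings.php is group/world writable"
                findings=$((findings + 1)) ;;
        esac
    fi

    # Drupal writes a .htaccess into the public files directory so uploads are
    # never executed as scripts; check that it is still there.
    if [ -d "$root/sites/default/files" ] && [ ! -f "$root/sites/default/files/.htaccess" ]; then
        echo "WARN sites/default/files has no .htaccess"
        findings=$((findings + 1))
    fi

    # The root .htaccess must keep the FilesMatch rule denying direct requests for .inc files.
    if ! grep -q 'FilesMatch' "$root/.htaccess" 2>/dev/null ||
       ! grep -q '|inc|' "$root/.htaccess" 2>/dev/null; then
        echo "WARN root .htaccess lacks the FilesMatch deny rule for .inc files"
        findings=$((findings + 1))
    fi
    echo "$findings finding(s)"
    return "$findings"
}
if [ "$#" -eq 1 ]; then drupal_audit "$1"; fi
```

The return value is the number of findings, so the script can gate a deployment pipeline; a zero exit means none of the file-level checks fired.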

All these answers make you stop thinking after your install is done - but software has a history, and after installing Drupal you have one more baby to watch - in Drupal's case watch VERY closely! This means you MUST subscribe to the Drupal security mailing list and read all mails that are coming from there - be prepared to get many emails. It is good that the Drupal team is providing this information fast, but it is sad that there are really too many of these mails, which might be related to Drupal's programming style. Be prepared to get up more than once in the middle of the night to update your Drupal installation because some extension developer never did understand why input from the web must be sanitized (yes, these kinds of security problems are still happening in the Drupal world). So "hardening" means "keeping up with updates", and in Drupal's case these come quite often. Think about this if you have many sites and want to deploy to multiple servers - automatic deployments will help you save a lot of time.

Truce answered 28/6, 2010 at 23:53 Comment(0)

Here's an excellent rundown for Drupal 7: http://www.madirish.net/242.

Most of its suggestions are relevant to Drupal 6 as well.

Depreciatory answered 29/1, 2013 at 23:22 Comment(0)

You should also remove the Theme registry rebuilding setting.

It rebuilds your theme registry on every pageload, so it makes your site very slow.

Phenetole answered 20/8, 2009 at 14:11 Comment(1)
That setting is off by default. - Dreary
