9 Tips and Tricks to Securing Your Drupal Site on Pantheon

Making sure your website is secure is an important part of not only the development of the site but also its ongoing maintenance. While your site may not be at risk of exposing tens of millions of customer credit cards or losing hundreds of millions of Bitcoin, having any of your sites hacked can still be a real problem for you and your organization. Even a single vulnerability can result in your site’s content being defaced, your data being stolen, the privacy of your users compromised, and untold amounts of embarrassment and expense spent dealing with the situation.

Here at Pantheon we take security very seriously and have published a detailed overview of our security practices. Aside from general industry best practices (IDS / IPS, Backups, DR, Antivirus) we have also architectured a container based infrastructure for Pantheon whichisolates resources on a per site basis and makes infrastructure wide security upgrades easy. For all things related to the security of your web development and infrastructure, Pantheon has your back.

It is in this spirit that I want to share a few tips and tricks for securing your Drupal site. Over the past few months I have been attending Drupal camps in such wonderful places asOrlando, New Orleans, New Jersey, Pheonix, and New York doing trainings and chatting security. Here are 9 tips I have for making your Drupal site secure:

1. Keep Drupal Updated 

Drupal Core ships with a great tool called Update Managerwhich will detect when there are security updates available for your site and email you when your site needs an update. Definitely turn on this functionality and update your code when updates become available. Updating can be done a lot of ways including using the Drupal UI, through Drush’s pm-updatecode, or right from the Pantheon dashboard. As a bonus tip, most Drupal security releases happen on Wednesday so make yourself a weekly security date.

2. Use HTTPS for Everything 

As it turns out, any traffic that is transmitted over http:// is able to be snooped and recorded by anyone (not just the NSA). This includes your password and valuable session information necessary to impersonate you. So unless you want the dude at the coffee shop to be able to post blogs as you on your site, install an SSL certificate and encrypt all your traffic. Pantheon makes it easy to add SSLto a site and with a slight change to settings.php or the installation of the Secure Pages module you are rolling encrypted for all your traffic.

3. Audit Your Config for Security Problems 

Drupal allows a *lot* of things to be done in configuration which is one of its strengths, but that also opens up a lot of potential security problems. Make sure to carefully review your site’s configuration for security, especially your permission screen (the one with all the checkboxes) since a single mistake can cause lots of troubles. Additionally, make sure to run the very excellentSecurity Review Module which helps find security problems in your site’s configuration.

4. Audit Your Code for Security Problems

Even great developers can write insecure code, so it’s important to read up on how to write secure code and review your existing code for potential issues. Automatic tools like Coder Module can help you find SQL injection problems and careful review of your hook_menu() and use of user_access() can help find access bypass problems. 

5. Watch Your Text Filtering and Input Formats

The secure handling of text is one of the most important things you can configure with respect to Drupal security. Although some sites need to allow certain users to have access to add content with complex HTML tags, making sure to properly filter the tags is important. Drupal Core provides some basic filtering and extension modules like Better Formats and WYSIWYG Filterhelp to improve the usability and efficiency of these processes. On a code level, making sure to use proper filter functions like check_plain() and filter_xss() is important to sanitize text input.

6. Harden Your Drupal Site with Additional Security Modules

While Drupal Core does a good job out of the box with security, there are lots of extension modules in Drupal Contrib that can help make your site even more secure. A full list is available on Drupal.org, but I would pay specific attention to the Paranoia Module which turns off the ability to run PHP from the UI and the Security Kit Module which prevents against versions of sophisticated attacks like Clickjacking and Cross Site Request Forgery.

7. Don’t Reuse Passwords

This isn’t really specific Drupal advice, but with all the public (and presumably private) data breaches recently a *lot* of passwords that people regularly use have been exposed. If you are using the same password on your Drupal site as you did on a site like Adobe.com or Gawker.com, it is trivial for an attacker to guess your password. If you want to see if your account has been compromised, check out https://shouldichangemypassword.com/. Be aware though, these are only *public* breeches and there are plenty of *private* breeches known only to certain people that can also expose your data. 

8. Consider Two Factor Authentication 

Ben over at Acquia® has been doing some great work with implementing Two Factor Authentication for Drupal through the TFA Module. This technique will be familar to fans of House of Cards, but on a technical level this module allows users to require confirmation by SMS (or other authentication sources) to log into a Drupal website which dramatically improves security since logging in as your user account requires both your password and your phone.

9. Understand the Drupal Security Team + Process

The Drupal Security Team is a group of volunteers who help to review Drupal code for security issues and coordinate fixing of reported problems. It is helpful to brush up on their process to learn specifics (i.e. they don’t review pre-release versions of modules or development copies of modules) and definitely check out the “How to Report a Security Issue" page for information on the process to report security problems you might find.