Reputation: 895
Are there any special security measures to take when deploying a Drupal site to a production server?
For instance: I can imagine that we need to remove install.php from the root directory. Are there any more actions?
Or is there maybe a module available which checks the site for "world readiness"?
Upvotes: 5
Views: 3761
Reputation: 113
Here's an excellent rundown for Drupal 7: http://www.madirish.net/242.
Most of its suggestions are relevant to Drupal 6 as well.
Upvotes: 1
Reputation: 1133
Ideally you've tested your code for insecurities before deploying, but configuration can often be missed. There's a module for analyzing your Drupal site for misconfiguration that would lead to vulnerabilities: http://drupal.org/project/security_review
Security Review makes the following checks:
Upvotes: 2
Reputation: 21
All these answers make you stop thinking after your install is done, but software has a history, and after installing Drupal you have one more baby to watch; in Drupal's case, watch VERY closely! This means you MUST subscribe to the Drupal security mailing list and read all mails that are coming from there; be prepared to get many emails. It is good that the Drupal team is providing this information fast, but it is sad that there are really too many of these mails, which might be related to Drupal's programming style. Be prepared to get up more than once in the middle of the night to update your Drupal installation because some extension developer never did understand why input from the web must be sanitized (yes, these kinds of security problems are still happening in the Drupal world). So "hardening" means "keeping up with updates"; in Drupal's case these come quite often. Think about this if you have many sites and want to deploy to multiple servers: automatic deployments will help you save a lot of time.
Upvotes: 1
Reputation: 12177
The status report on http://your-site/admin/reports/status will tell you if anything is not quite right.
Under the performance admin page you can turn on various caching settings, but test your site with them turned on before deploying.
There is a book by greggles for securing drupal, which may be worth a look.
Upvotes: 5
Reputation: 35590
In addition to other suggestions, remove update.php also.
I'd also (re)move /scripts from the webroot.
It's a minor thing, but you could remove the text files in the root of the distribution which leak the version number, such as CHANGELOG.txt.
I don't remember how safely cron.php protects itself from flood-calling. You may want to look into whether it is worth limiting that to local-only or command-line-only access.
Ensure that .inc files are processed by PHP.
Upvotes: 1
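The answer above, together with the install.php point in the question, amounts to a checklist that is easy to forget at deploy time. The script below is an added example written for this thread (it is not code from the Drupal project or from any answerer): a pre-deployment audit that lists the leftover install/upgrade scripts and version-leaking text files still present in a webroot, and confirms that the stock Drupal .htaccess still carries the FilesMatch rule that stops Apache from serving .inc files as plain text. The webroot path is a placeholder supplied by the caller; the list of leftover files and the shape of the FilesMatch rule are taken from a standard Drupal 6/7 tarball, and the Apache-only .htaccess check is an assumption (nginx deployments need the equivalent location rule).

```shell
#!/bin/sh
# Pre-deployment audit for a Drupal 6/7 webroot.
# Added example for this thread, not code from the Drupal project. It reports the
# leftover files the answers above suggest removing and checks that the stock
# .htaccess still denies direct requests for .inc files (Apache assumed).
# Usage: drupal_preflight /path/to/webroot   (path is a placeholder)

# Install-/upgrade-time scripts and the text files that leak the release version.
DRUPAL_LEFTOVERS="install.php update.php scripts CHANGELOG.txt COPYRIGHT.txt \
INSTALL.txt INSTALL.mysql.txt INSTALL.pgsql.txt INSTALL.sqlite.txt \
LICENSE.txt MAINTAINERS.txt UPGRADE.txt"

# Print one "leftover: <path>" line per item still present under $1.
drupal_list_leftovers() {
    for item in $DRUPAL_LEFTOVERS; do
        if [ -e "$1/$item" ]; then
            echo "leftover: $1/$item"
        fi
    done
}

# Print the number of leftover items present under $1.
drupal_count_leftovers() {
    drupal_list_leftovers "$1" | wc -l | tr -d ' '
}

# Drupal ships an .htaccess whose FilesMatch rule lists "inc" among the
# extensions Apache must not serve directly. Print "ok" if such a rule is
# present in $1/.htaccess, "missing" otherwise.
drupal_inc_protected() {
    if [ -f "$1/.htaccess" ] && grep -Eq '<FilesMatch "[^"]*[(|]inc[)|]' "$1/.htaccess"; then
        echo ok
    else
        echo missing
    fi
}

# Full report for a webroot. Exit status 0 when nothing was found, 1 otherwise,
# so the function can gate a deployment script.
drupal_preflight() {
    webroot=$1
    status=0
    if [ "$(drupal_count_leftovers "$webroot")" -ne 0 ]; then
        drupal_list_leftovers "$webroot"
        status=1
    fi
    if [ "$(drupal_inc_protected "$webroot")" != ok ]; then
        echo "warning: $webroot/.htaccess has no FilesMatch rule covering .inc files"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "preflight: $webroot looks ready"
    return "$status"
}
```

Run `drupal_preflight` against the checkout you are about to push; a non-zero exit stops the deploy until the listed files are gone and the .htaccess rule is back. The .inc check deliberately looks for the rule rather than fetching a .inc file over HTTP, so it works before the site is reachable; once the site is live, requesting one .inc file and expecting a 403 is the complementary end-to-end check.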
Reputation: 9384
You should also remove the Theme registry rebuilding setting.
It rebuilds your theme registry on every pageload, so it makes your site very slow.
Upvotes: 0