You are here

How to secure your Drupal site

When you create a website you spend lot of time and effort in creating it.It would be very bad if the site got now i am going to tell you how make your drupal site secure.

First of all install security review module from
This module runs various checks which helps you to know if all things are configured for your site correctly or not.By this module you get a checklist of errors by the help of this you can take steps to rectify the errors.

Now here are some tips for making your site secure

Untrusted roles should not have administrative or trusted Drupal permissions.

Untrusted roles are like anonymous users. You should always check the permissions on your site and make your that no untrusted role could do administrative tasks

Errors should not be written to the screen.

As a form of hardening your site you should avoid information disclosure. Drupal by default prints errors to the screen and writes them to the log. Error messages disclose the full path to the file where the error occured.

Make sure PHP files in the Drupal files directory cannot be executed.

The Drupal files directory is for user-uploaded files and by default provides some protection against a malicious user executing arbitrary PHP code against your site

Make sure untrusted roles cannot add php or any other scripting code in their posts

You should check that untrusted roles can only use plain text and filtered html format so that they cannot ad dangerous code to your site.

Sensitive temporary files

Some file editors create temporary copies of a file that can be left on the file system. A copy of a sensitive file like Drupal's settings.php may be readable by a malicious user who could use that information to further attack a always try to use a text editor which donot create temporary files.

Check allowed upload extensions

File and image fields allow for uploaded files. Some extensions are considered dangerous because the files can be evaluated and then executued in the browser. A malicious user could use this opening to gain control of your always check the file extensions you have allowed the user to upload.

Check the files permissions of your drupal installation

here are the correct permissions for your drupal directory.Run the commands given below

  1. chmod 755 /drupalroot

Go inside drupal directory and run

  1. find . -type d -exec sudo chmod 755 '{}' \;
  2. find . -type f -exec sudo chmod 644 '{}' \;
  3. sudo chmod 777 -R sites/default/files/
  4. sudo chmod 444 sites/default/settings.php

Following all the above steps will make sure that your site is very secure now. These steps do not guarantee that your site is 100% secure but it makes sure that your site is secure from various hacks.

Blog Tags: