Taking Security Seriously
I've had good reason to think about security on my Drupal sites lately. This site and a few others were hacked recently. The result of the hacking was a script injected into both the generated pages and the RSS feeds of the site. I picked up on the hack pretty fast because the RSS feeds on the site were not behaving correctly and that broke something else that relies on the feeds to work. I also checked the site in Internet Explorer and things weren't displaying properly.
I spent about an hour investigating the issues before I realized that the site had been hacked for sure. One of the first things I did once I realized that the site had been hacked was to take it offline. Whatever the script that had been injected into the site was doing, it couldn't have been good. Then I took steps to correct the situation.
Since multiple sites were affected I assumed that somehow an FTP user password (which I thought was obscure enough) had been compromised. So I changed every password I could think of. Then I uploaded the latest version of Drupal to all of my sites. Next I checked the directories to see if there were any suspicious files remaining. Finally I checked the site RSS feeds and pages for signs of the script that I had found when I discovered the problems. It was only after taking those steps that I brought the sites back online.
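The file check described above can be automated by hashing the live docroot against a pristine copy of the same Drupal release. The following is an added example, not code from the original post; the marker patterns, function names and sample trees are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumption: generic markers for injected markup or obfuscated PHP. The post
# does not describe the injected script, so these are not its indicators.
MARKERS = re.compile(rb"<script|<iframe|eval\s*\(|base64_decode\s*\(", re.I)

def tree_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit(clean_root, live_root):
    """Compare a live docroot with a pristine copy of the same release."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    report = {"modified": [], "unexpected": [], "flagged": [],
              "missing": sorted(set(clean) - set(live))}
    for rel in sorted(live):
        if clean.get(rel) == live[rel]:
            continue  # byte-identical to the release file
        report["modified" if rel in clean else "unexpected"].append(rel)
        if MARKERS.search((Path(live_root) / rel).read_bytes()):
            report["flagged"].append(rel)
    return report

def demo():
    """Run the audit over two small constructed trees (not real Drupal files)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        files = {"index.php": b"<?php // front controller\n",
                 "includes/common.inc": b"<?php // helpers\n",
                 "CHANGELOG.txt": b"release notes\n"}
        for root in (clean, live):
            for rel, data in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
        # Constructed tampering: appended script tag, a stray file, a deletion.
        with open(live / "includes/common.inc", "ab") as fh:
            fh.write(b'<script src="http://injected.example/x.js"></script>\n')
        (live / "misc").mkdir()
        (live / "misc/cache.php").write_bytes(b"<?php // constructed stray file\n")
        (live / "CHANGELOG.txt").unlink()
        return audit(clean, live)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real site, settings files, contributed modules and uploaded files will also appear under "unexpected", so that list is a starting point for manual review rather than a verdict.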
The process was time-consuming and painful enough to remind me how important security is for any type of site you put up on the web. I should've known better since I've been caught by spammers before, but it's been a long time so I got a bit complacent.
I'd like to pass on some tips (and links to related modules) that can give you an idea of some of the security features to take advantage of when you're using Drupal.
Make passwords obscure and change them periodically. Do it on your Drupal sites and also for your FTP accounts. Drupal has a nice password security feature (pictured below) in D6 that provides guidance on the obscurity of your password.

Access Rules
Manage input formats to only allow basic HTML (and no files) for anonymous submissions. I'm using the Better Formats module to give full HTML access to authenticated users but only limited formatting options to anonymous posters. This prevents anonymous visitors from submitting malicious code to your site.
Stay current with module and core updates. I know that updating can be a pain, especially if you run multiple sites, but think of the possible consequences. If you keep an eye on http://drupal.org/security you will know why staying current is so important. Better to spend an hour keeping your sites current than three getting them back online after an attack. Thankfully the Drupal Status report makes the task of knowing your site status a painless one.
Drupal Status Report
I'm sure that there are many more great tips and modules that the community can offer up. So please feel free to add to the list in the (hopefully well protected) comments section.
- learnbythedrop's blog

Comments
So how was it hacked?
?
Since multiple sites were
I've heard of some
I've heard of some vulnerability from the host had made it possible for hackers to create FTP accounts and then hack sites to their hearts' content. This is not related to Drupal or any of the passwords you might have used for your FTP account. This, I believe, has to also be considered.
Notifying Web Host
One thing I did that I didn't mention in the post was to notify the web host in case the hacking was part of a larger attack. If the web host is repeatedly compromised then there's only so much I can do to protect the site. There are multiple opportunities for failure and all of them need to be adequately protected.
Did you check for rootkits?
http://www.rootkit.nl/projects/rootkit_hunter.html
Rootkit Hunter
I have not. I downloaded the project you linked to and will run it on the server soon. Thanks.