Because of core coding changes in Drupal 7, existing modules have to be re-written to support Drupal 7. This has unfortunately caused a delay in adoption of Drupal 7, as many sites rely on various contributed modules which in some cases have no Drupal 7 counterpart, or only experimental versions still being tested on Drupal 7.

Drupal 7 finally includes the ability to update modules from the web interface. Drupal 6 security has been perceived as poor in large part because many sites did not update Drupal core or any associated modules. With Drupal 6, applying updates for general maintenance was somewhat problematic and inconvenient. This is perhaps what led to many sites putting off updates, leading to many Drupal installations being compromised. Updating is improved in Drupal 7, and is somewhat similar to the web-based updates that WordPress users have been enjoying.

Other Drupal 7 security benefits include:

Stronger security for stored user passwords

Passwords in Drupal 7 are hashed with phpass, combining multiple rounds and salted hashes. Drupal 6 and prior stored user passwords as MD5 hashes in the database, which is now considered weak and easily crackable.

Drupal 7 incorporates automated email notifications of any pending module or core security updates.

Drupal 7 now incorporates brute force login protection. This was also available in Drupal 6 via a module, but is now built-in functionality in Drupal 7. The defaults are rate limiting after five failed attempts in a six hour window, as well as rate limiting 50 failed attempts from one IP address per hour. This is configurable in modules/user/user.module.

Keeping Drupal up-to-date is fundamentally the most important security consideration. Drupal security consists of three areas to maintain security updates:

Drupal Core update announcements are available from.

Drupal module update announcements are available from.

As of Drupal 7, every window in the Administration interface notifies of a pending Drupal Core update. Drupal 7 also has built-in email notification for any outstanding module security updates, to notify admins of pending updates.

Resist the temptation to develop or write custom email forms or other elements for Drupal; rather, look for existing well-established modules that are written to serve those purposes. Existing modules have for the most part been tested in a wide install base and have had more eyeballs on the code to check for security flaws.

Completely remove any disabled modules from the server, so as not to have any older vulnerable code live and present in web directories.

In choosing a Drupal theme, consider building upon or using a tested, well-used theme that has continued updates from the developer. Often users will pick a theme that is 'pretty' or meets other cosmetic requirements. However, it is critical to inspect whether the theme is currently being maintained for security updates. Do not install themes found randomly on the internet; only choose themes from Drupal's Download & Extend which have been recently maintained. Even then, closely inspect the source to vet it before launching the code live in a Drupal installation.

Drupal XSS exploits through themes are not uncommon. For example, the following theme is susceptible to XSS, as one illustration: http://drupal. If creating a custom theme, thoroughly test the theme in an installation with various web application scanners, either open source or commercial, that test for XSS or SQLi prior to deployment.

Drush is the ultimate command line utility to manage Drupal. With drush, it is possible to do such tasks as clearing all Drupal caches, upgrading Drupal core and modules, applying database upgrades (similar to running update.php), enabling/disabling modules, and much more. If not already using drush, it is a valuable tool for staying on top of and easily patching any outstanding Drupal security updates.

The built-in Update Manager for updating through the web interface or installing modules in Drupal 7 has the ability to use SSH to connect to the host. More information is at the following URL: http://drupal.
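The brute force login protection described above, as an added Python model that is not Drupal's own code: it mirrors the sliding-window semantics of Drupal 7's flood_register_event()/flood_is_allowed() and the order of checks in user_login_authenticate_validate(), with an in-memory dictionary standing in for the {flood} table. The limits are Drupal 7's defaults; the IP addresses and the sequence of attempts are constructed sample data.

```python
from collections import defaultdict

# Drupal 7 defaults from modules/user/user.module; the variable names are in comments.
IP_LIMIT, IP_WINDOW = 50, 3600      # user_failed_login_ip_limit / _ip_window
USER_LIMIT, USER_WINDOW = 5, 21600  # user_failed_login_user_limit / _user_window

class Flood:
    """In-memory stand-in for Drupal's {flood} table (sliding-window counters)."""
    def __init__(self):
        self.events = defaultdict(list)  # (name, identifier) -> [timestamps]

    def register_event(self, name, identifier, now):
        self.events[(name, identifier)].append(now)

    def is_allowed(self, name, threshold, window, identifier, now):
        # flood_is_allowed() counts only events newer than REQUEST_TIME - window.
        recent = [t for t in self.events[(name, identifier)] if t > now - window]
        return len(recent) < threshold

    def clear_event(self, name, identifier):
        self.events.pop((name, identifier), None)

def login(flood, uid, ip, password_ok, now):
    """Outcome of one attempt, in the order user_login_authenticate_validate()
    checks the limits and user_login_final_validate() records the result."""
    if not flood.is_allowed('failed_login_attempt_ip', IP_LIMIT, IP_WINDOW, ip, now):
        return 'ip_blocked'    # refused before the password is even checked
    ident = f'{uid}-{ip}'      # default identifier ties the account counter to the IP
    if not flood.is_allowed('failed_login_attempt_user', USER_LIMIT, USER_WINDOW, ident, now):
        return 'user_blocked'  # a correct password is blocked too until the window passes
    if password_ok:
        flood.clear_event('failed_login_attempt_user', ident)  # success resets the counter
        return 'ok'
    flood.register_event('failed_login_attempt_ip', ip, now)
    flood.register_event('failed_login_attempt_user', ident, now)
    return 'bad_password'

def simulate(attempts):
    """Replay constructed (uid, ip, password_ok, seconds) tuples; return the outcomes."""
    flood = Flood()
    return [login(flood, *attempt) for attempt in attempts]

if __name__ == '__main__':
    # Constructed sample: six wrong passwords for uid 1, a correct one while locked,
    # and a correct one after the six-hour window has elapsed.
    ip = '203.0.113.5'
    attempts = [(1, ip, False, t) for t in range(6)] + [(1, ip, True, 6), (1, ip, True, 21607)]
    print(simulate(attempts))
```

On a real site the four limits are read with variable_get() in user.module, so they can be overridden from settings.php ($conf['user_failed_login_user_limit'] and the other three names above) instead of editing core.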