views: 311
answers: 4

Are there any special security measures to take when deploying a Drupal site to a production server?

For instance: I can imagine that we need to remove install.php from the root directory. Are there any more actions?

Or is there maybe a module available which checks the site for "world readiness"?

+1  A: 

You should also remove the Theme registry rebuilding setting.

It rebuilds your theme registry on every pageload, so it makes your site very slow.

Niels
That setting is off by default.
ceejayoz
+1  A: 

In addition to other suggestions, remove update.php also.

I'd also (re)move /scripts from the webroot

It's a minor thing, but you could remove the text files in the root of the distribution which leak the version number. Such as CHANGELOG.txt etc.

I don't remember how safely cron.php protects itself from flood-calling. You may want to look into whether it is worth limiting that to local-only or command-line-only access.

Ensure that .inc files are processed by PHP.

Cheekysoft
We've never found it necessary to remove update.php - it's restricted from being used by anyone but the admin user 0, and if a hacker has access to that, well, you're in trouble. You don't need to move or remove any of the files when installing drupal, and the problem with doing this is that when you upgrade Drupal to the next security release, you may end up with files in two places, with the confusion and errors that would cause.
John Fiala
The question was about security, not ease of install. A layered approach to security is always a good idea. How far you take that is up to you. You are certainly right in saying that you need to re-examine the fileset on each upgrade. But there are few good reasons to leave executable files that you don't need hanging around in the webroot. It's all about limiting the attack surface, should an unknown vulnerability be introduced in any (perhaps a different) application.
Cheekysoft
+1 for attending to minor things like version leakage and the notion of layered security.
Omniwombat
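The leftover-file checks from this answer and its comments, as a small audit script. This is an added example, not code from the thread or from Drupal itself; it assumes a Drupal 6/7-style docroot (install.php, update.php, cron.php, a scripts/ directory and the *.txt release notes at the top level) and that access restrictions live in the docroot's .htaccess. It only reports; it deletes nothing, so you can re-run it after every upgrade to see which files came back.

```shell
#!/bin/sh
# Added example, not part of the original thread. Audits a Drupal docroot for
# files the answers above recommend removing, moving or restricting.
# Assumed layout: install.php, update.php, cron.php, scripts/ and *.txt at
# the docroot, with Apache rules in DOCROOT/.htaccess.

# drupal_audit DOCROOT
# Prints one line per finding; the exit status is the number of findings
# (0 means nothing to do).
drupal_audit() {
    docroot=$1
    findings=0

    # Installer and upgrader are executable entry points a live site
    # does not need reachable from the web.
    for f in install.php update.php; do
        if [ -e "$docroot/$f" ]; then
            echo "REMOVE   $f (installer/upgrader left in webroot)"
            findings=$((findings + 1))
        fi
    done

    # scripts/ holds command-line helpers, not web pages.
    if [ -d "$docroot/scripts" ]; then
        echo "MOVE     scripts/ (CLI helpers belong outside the webroot)"
        findings=$((findings + 1))
    fi

    # CHANGELOG.txt and friends reveal the exact release, which tells an
    # attacker which advisories apply.
    for f in "$docroot"/*.txt; do
        [ -e "$f" ] || continue
        echo "REMOVE   $(basename "$f") (leaks version number)"
        findings=$((findings + 1))
    done

    # cron.php must stay, but should be limited to local or CLI callers;
    # flag it when .htaccess carries no rule that mentions it.
    if [ -e "$docroot/cron.php" ] \
        && ! grep -q 'cron\.php' "$docroot/.htaccess" 2>/dev/null; then
        echo "RESTRICT cron.php (no .htaccess rule limiting who may call it)"
        findings=$((findings + 1))
    fi

    # Drupal's stock .htaccess denies direct requests to .inc files so
    # their source is never served as text; warn if that rule is gone.
    if ! grep -q '\.inc' "$docroot/.htaccess" 2>/dev/null; then
        echo "CHECK    .htaccess has no rule covering .inc files"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Usage: drupal_audit /var/www/example/htdocs; echo "findings: $?"
```

The cron.php and .inc checks are deliberately loose string matches on .htaccess: they catch a missing rule, not a wrong one, so read the file yourself once and keep the script as a regression check that nothing was dropped during an upgrade.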
+4  A: 

The status report on http://your-site/admin/reports/status will tell you if anything is not quite right.

Under the performance admin page you can turn on various caching settings, but test your site with them turned on before deploying.

There is a book by greggles for securing drupal, which may be worth a look.

Jeremy French
Yes, this. Make sure the admin password is some gobblygook, not something people will remember, and suggest the client not use it unless absolutely necessary. Also make sure that your database settings are such that it only accepts localhost connections, and have a similarly random password for that connection as well.
John Fiala
A: 

All these answers make you stop thinking after your install is done - but software has a history and after installing Drupal you have one more baby to watch - in Drupal's case watch VERY closely! This means you MUST subscribe to the Drupal security mailing list and read all mails that are coming from there - be prepared to get many emails. It is good that the Drupal team is providing this information fast, but it is sad that there are really too many of these mails, which might be related to Drupal's programming style. Be prepared to get up more than once in the middle of the night to update your Drupal installation because some extension developer never did understand why input from the web must be sanitized (yes, these kinds of security problems are still happening in the Drupal world.) So "hardening" means "keeping up with updates", and in Drupal's case these come quite often. Think about this if you have many sites and want to deploy to multiple servers - automatic deployments will help you save a lot of time.

Aborto Virtuale de la Veritano