fromAugust 2012

My Dad, the Drupal Security Expert

Old Lessons for a New Problem

By now, you’ve no doubt been marinated in technical articles about security, to the point of being pickled in terminology and saucy advice. It’s too much! With all due respect to my fellow writers, most of what you need to know about security for your Drupal site you have already learned from your dad (or mom or granddad...) like I did, even though my dad never learned to use a computer, never heard of Drupal

Magic? No, not really; Dad wasn’t the least bit clairvoyant. What he had was a large body of advice, and that advice extends to the topic at hand, just as house construction is wonderfully analogous to web site building.

So, let me share some of those gems with you. I suspect you’ve heard them before, but we’ll breathe new life into them, like a movie version of "Hamlet."


Don't run with scissors in your hand. I.e., don't perform security operations or make security-related decisions while drunk, sleep-deprived, or distracted. It can lead to the kind of mistakes that slapping your forehead and saying d’oh won’t fix.


Don't tug on Superman's cape, don’t spit into the wind – okay, you caught me…my dad only used half of that (he didn’t spit). Don't advertise the secureness of your site. The bad guys are way smarter than we are. If the Pentagon can’t keep them out, then don’t dare them to breach your site.


Keep your doors locked — front door, back door, all doors. Use strong passwords, network protection, etc.; not everyone who claims to be your friend really is; and spend time planning your user roles and permissions.


Don’t pick up hitchhikers. Invest time in reviewing your file system permissions; one little file with 777 permissions can result in all of your PHP files becoming corrupted, or worse. See


Be careful of the company you keep. Yo, don’t give carte-blanche access to every developer working with you. Remember (thanks, Dad!), loose lips sink ships — the only sure way too keep a secret is for you to be the only one who knows it.


Don't let strangers into your home. Protect the site from injection attacks; scrub any data that comes from the user — it might contain JavaScript, PHP, SQL, or other things designed to damage or destabilize the site.


If it seems too good to be true, it probably is. Beware effusive comments; they often come with HTML built in, or links to sites you don’t want your site linking to.


Common sense is the least common thing. Don't depend on others sharing your diligence.


Ignorance is bliss, but bliss is fleeting. Regularly review Watchdog and the access and error logs. Keep at least one eye open for attempts to penetrate your defenses.


Don't play in the grass until you check it for snakes. Your hosting company should meet some criteria, just like any service or product you purchase, and one criterion should be how they will attempt to protect you. Make sure they give you access to the tools you need to safeguard the site, such as permissions, SSH, and logs. Hackers can get access to your site by hacking another on the same server. And, as my editor reminded me, a great place to start is knowing how many (and which) characters they allow in a password, and whether they do anything to prevent brute force attempts to crack the passwords.

I hope you found these helpful. Oh, I almost forgot. There is one more:


Clean your room or you’re grounded! Secure your site, bud — now!