Hardening Drupal for a live deployment

Are there any special security measures to take when deploying a Drupal site to a production server?

For instance: I can imagine that we need to remove install.php from the root directory. Are there any more actions?

Or is there maybe a module available which checks the site for "world readiness"?

wasigh asked Aug 20 '09 14:08


5 Answers

The status report on http://your-site/admin/reports/status will tell you if anything is not quite right.

Under the performance admin page you can turn on various caching settings, but test your site with them turned on before deploying.

There is a book by greggles for securing drupal, which may be worth a look.

Jeremy French answered Nov 15 '22 08:11


Ideally you've tested your code for insecurities before deploying, but configuration can often be missed. There's a module for analyzing your Drupal site for misconfiguration that would lead to vulnerabilities: http://drupal.org/project/security_review

Security Review makes the following checks:

  • Safe permissions on system files
  • PHP in comments or nodes
  • Whether error reporting is on
  • Unsafe input formats
  • If private files is on and if the files directory is outside webroot
  • Allowed upload extensions
  • Admin permissions granted to untrusted users

bjeavons answered Nov 15 '22 07:11


In addition to other suggestions, remove update.php also.

I'd also (re)move /scripts from the webroot

It's a minor thing, but you could remove the text files in the root of the distribution which leak the version number, such as CHANGELOG.txt.

I don't remember how safely cron.php protects itself from flood-calling. You may want to look into whether it is worth limiting that to local-only or command-line-only access.

Ensure that .inc files are processed by PHP.

Cheekysoft answered Nov 15 '22 09:11
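As an added example (not code from any of the answers, and not part of Drupal itself), the following POSIX shell script audits a deployed docroot for the items Cheekysoft lists (install.php, update.php, the scripts/ directory, version-leaking text files, and .inc files that could be served as source) together with the "safe permissions on system files" item from the Security Review list above. It assumes the standard Drupal 6/7 file layout and an Apache vhost honouring the shipped .htaccess; the permission check is simplified to "settings.php not writable by group or world, nothing else world-writable", which is a rougher test than the module's own. The two sample docroots it builds under mktemp are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): post-deployment audit of a Drupal 6/7
# docroot for the leftovers and misconfigurations the answers above mention.
# Assumptions: standard Drupal file layout; Apache serving the site with the
# shipped .htaccess; "safe permissions" simplified to "not writable by group
# or world" for settings.php and "not world-writable" for everything else.
# Usage: sh drupal_audit.sh /var/www/example/htdocs

# Report every finding on stdout; exit status 0 only when nothing was found.
drupal_audit() {
    docroot="$1"
    findings=0

    # Installer, updater and version-leaking text files have no business in
    # a production webroot.
    for f in install.php update.php CHANGELOG.txt INSTALL.txt UPGRADE.txt \
             INSTALL.mysql.txt INSTALL.pgsql.txt INSTALL.sqlite.txt \
             MAINTAINERS.txt COPYRIGHT.txt LICENSE.txt; do
        if [ -e "$docroot/$f" ]; then
            echo "FOUND: $f still present in the webroot"
            findings=$((findings + 1))
        fi
    done

    # The scripts/ directory (cron helpers and developer tools) is not needed at run time.
    if [ -d "$docroot/scripts" ]; then
        echo "FOUND: scripts/ directory still inside the webroot"
        findings=$((findings + 1))
    fi

    # settings.php holds the database credentials; it must not be writable by
    # the group (usually the web server's) or by anyone else.
    settings="$docroot/sites/default/settings.php"
    if [ -f "$settings" ] && [ -n "$(find "$settings" \( -perm -020 -o -perm -002 \))" ]; then
        echo "FOUND: $settings is writable by group or world"
        findings=$((findings + 1))
    fi

    # Anything world-writable under the docroot (settings.php already reported above).
    ww=$(find "$docroot" -perm -002 ! -path "$settings")
    if [ -n "$ww" ]; then
        echo "$ww" | sed 's/^/FOUND: world-writable: /'
        findings=$((findings + $(echo "$ww" | wc -l)))
    fi

    # Drupal's shipped .htaccess has a FilesMatch rule that blocks direct requests
    # to .inc (and .module, .install, ...) files, so their PHP source is never
    # served as plain text. Other web servers need the same rule in their own
    # configuration, which this check does not cover.
    htaccess="$docroot/.htaccess"
    if [ ! -f "$htaccess" ] || ! grep -qF '|inc|' "$htaccess"; then
        echo "FOUND: no .htaccess FilesMatch rule blocking direct access to .inc files"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample docroots for trying the audit offline: "clean" is what a
# hardened deployment should look like, "dirty" has every problem above.
make_sample_docroot() {
    root=$(mktemp -d)
    mkdir -p "$root/sites/default/files" "$root/includes"
    chmod 755 "$root" "$root/sites" "$root/sites/default" "$root/sites/default/files" "$root/includes"
    echo '<?php // constructed stub' > "$root/index.php"
    echo '<?php // constructed stub' > "$root/includes/bootstrap.inc"
    echo '<?php $db_url = "mysql://user:pass@localhost/drupal"; // constructed' > "$root/sites/default/settings.php"
    chmod 644 "$root/index.php" "$root/includes/bootstrap.inc"
    chmod 640 "$root/sites/default/settings.php"
    if [ "$1" = clean ]; then
        # Abbreviated form of the FilesMatch rule Drupal ships (constructed here).
        printf '<FilesMatch "\\.(engine|inc|info|install|module|profile|theme)$">\n  Order allow,deny\n</FilesMatch>\n' > "$root/.htaccess"
        chmod 644 "$root/.htaccess"
    else
        : > "$root/install.php"; : > "$root/update.php"; : > "$root/CHANGELOG.txt"
        chmod 644 "$root/install.php" "$root/update.php" "$root/CHANGELOG.txt"
        mkdir "$root/scripts"; chmod 755 "$root/scripts"
        chmod 664 "$root/sites/default/settings.php"   # group-writable: bad
        chmod 777 "$root/sites/default/files"           # world-writable: bad
    fi
    echo "$root"
}

# Stand-alone usage: audit the docroot given as the first argument.
if [ $# -ge 1 ]; then
    drupal_audit "$1"
fi
```

Run it against the real docroot after every deployment (a cron job works well); a non-zero exit status means at least one finding was printed. On the constructed "dirty" docroot it reports seven findings, on the "clean" one none.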


All these answers make you stop thinking after your install is done - but software has a history, and after installing Drupal you have one more baby to watch - in Drupal's case watch VERY closely! This means you MUST subscribe to the Drupal security mailing list and read all mails that are coming from there - be prepared to get many emails. It is good that the Drupal team is providing this information fast, but it is sad that there are really too many of these mails, which might be related to Drupal's programming style. Be prepared to get up more than once in the middle of the night to update your Drupal installation because some extension developer never did understand why input from the web must be sanitized (yes, this kind of security problem is still happening in the Drupal world). So "hardening" means "keeping up with updates", and in Drupal's case these come quite often. Think about this if you have many sites and want to deploy to multiple servers - automatic deployments will help you save a lot of time.

Aborto Virtuale de la Veritano answered Nov 15 '22 08:11


Here's an excellent rundown for Drupal 7: http://www.madirish.net/242.

Most of its suggestions are relevant to Drupal 6 as well.

fureigh answered Nov 15 '22 08:11