
ASU Drupal Best Practices: Security

  1. Grant as little access as necessary. The "administer ..." permissions give broad control over the site, so be careful when assigning them to any role other than the site administrators; in particular:
    • "administer permissions" (lets the holder grant any other permission, including to themselves)
    • "administer filters" (lets the holder change which HTML tags the input formats allow)
    • "administer nodes"
    • "administer content types"
    • any other "administer ..." permission
  2. Use strong, unique passwords, especially for the user 1 account, which bypasses all permission checks
  3. Set your file system permissions properly: http://drupal.org/node/244924
  4. Input Formats
    • Use the "Filtered HTML" input format, which restricts the allowed HTML tags and filters common cross-site scripting (XSS) vectors, or the HTML Purifier module; do not give untrusted roles access to "Full HTML"
    • Do not allow dangerous tags such as <script> in any format available to untrusted users: http://drupal.org/node/224921
    • Use caution with the PHP input format: anyone who can use it can run arbitrary PHP code on the server, so enable it only for trusted administrators, if at all
  5. Write Secure Code: http://drupal.org/writing-secure-code
  6. If you use the Devel module, disable it on the live site whenever it is not actively needed; it exposes query logs and debugging output
  7. Subscribe to security announcements: http://drupal.org/security-team
  8. Report security issues in Drupal code to Drupal: http://drupal.org/security-team
  9. Report security issues for ASU sites to http://help.asu.edu
  10. Update the site regularly: security fixes for core and contributed modules only help once they are installed
    • The Update Status module (included in Drupal 6 core) can notify the administrator when core or contributed modules are out of date
  11. Use care when choosing contributed modules: check that a module is actively maintained and has a clean security history before installing it
  12. Don't let anonymous users post comments without a spam and abuse control such as a CAPTCHA
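
The permission scheme behind item 3 (code owned by a non-web-server account and readable by the web server's group, with only the sites/*/files directories writable by the web server) is easy to get wrong by hand, so here is a script that applies and verifies it. This is an added example, not code from the original page or from drupal.org; the function names (drupal_set_perms, has_mode, world_writable_count) and the 750/640 code modes, 770/660 files-directory modes and 440 settings.php mode are this example's choices, modelled on the scheme the linked drupal.org page describes. Run it as root or as the code owner; pass owner:group (for example the deploy user and the web server group, such as www-data) to also reset ownership.

```shell
#!/bin/sh
# Added example: lock down a Drupal 6 tree so the web server can read the
# code but only write to the files directories. Assumes a POSIX shell with
# find/chmod; the ownership change is optional and needs root.
#
# Usage: drupal_set_perms /var/www/drupal deployuser:www-data
#        drupal_set_perms /var/www/drupal              # modes only

drupal_set_perms() {
  root=$1
  owner=$2
  if [ ! -d "$root" ]; then
    echo "drupal_set_perms: $root is not a directory" >&2
    return 1
  fi

  # Optional: code owned by a non-web-server user, group = web server group.
  if [ -n "$owner" ]; then
    chown -R "$owner" "$root"
  fi

  # Code and directories: owner full, group (the web server) read-only,
  # world nothing. The web server cannot modify PHP files this way.
  find "$root" -type d -exec chmod 750 '{}' \;
  find "$root" -type f -exec chmod 640 '{}' \;

  # Only the files directories are group-writable, so uploads still work.
  for d in "$root"/sites/*/files; do
    if [ -d "$d" ]; then
      find "$d" -type d -exec chmod 770 '{}' \;
      find "$d" -type f -exec chmod 660 '{}' \;
    fi
  done

  # settings.php holds the database credentials: read-only for owner and group.
  for s in "$root"/sites/*/settings.php; do
    if [ -f "$s" ]; then
      chmod 440 "$s"
    fi
  done
  return 0
}

# has_mode PATH MODE: true when PATH's permission bits are exactly MODE (octal).
# -prune stops find from descending, so only PATH itself is inspected.
has_mode() {
  find "$1" -prune -perm "$2" | grep -q .
}

# world_writable_count ROOT: number of world-writable entries under ROOT.
# After hardening this should print 0; use it as a post-deploy check.
world_writable_count() {
  find "$1" -perm -002 | wc -l | tr -d ' '
}
```

The split between 750/640 and 770/660 is the whole point: if a remote code execution bug in a module is exploited, the web server process can write uploads but cannot alter index.php, modules or settings.php, which limits the attacker to what the files directory allows.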