Drupal has a good reputation for security and it deserves it. Now, every piece of complex software has security issues, but the thing about Drupal is that it has an especially large and well-organized team to respond quickly when new problems appear. And it has well-established systems to help people like you and me fix them. This video reviews what those systems are and gives you additional tips to ensure that your site is safe. Now I mentioned that security team. Their home on the web is at drupal.org/security-team.
The advisories that they release are at drupal.org/security. Notice that this is for Drupal core. If you want to keep track of security advisories for contributed projects, that is, modules or themes, just click there; and then Public service announcements is for less critical matters. You could come back to the web site to read these, or if you would prefer to receive them in an RSS feed, each one of these pages has that available. And of course, you would subscribe to that in your mail program or any other way that you watch RSS feeds.
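To make the advisory feed actionable rather than just something to read, here is an added example (not part of the video, and not Drupal's own code) that parses an RSS feed of advisories and flags only the ones that concern a project installed on your site at a version below the fixed release. The feed items, advisory IDs, links, project names and versions are all constructed placeholders; the real feeds live on the drupal.org security pages the video points to, and the "prior to X are affected" phrasing the matcher looks for is an assumption about how the description is worded.

```python
"""Match security advisories (RSS 2.0) against installed Drupal projects.

Added example; feed contents and installed versions are constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample feed. Advisory IDs, links, project names and versions
# are placeholders, not real advisories.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
 <channel>
  <title>Security advisories (constructed sample)</title>
  <item>
   <title>Example Module - Critical - Cross Site Scripting - SA-CONTRIB-YYYY-NNN</title>
   <link>https://www.drupal.org/node/PLACEHOLDER-1</link>
   <description>Versions of Example Module prior to 7.x-1.4 are affected.</description>
  </item>
  <item>
   <title>Drupal core - Moderately critical - Access bypass - SA-CORE-YYYY-NNN</title>
   <link>https://www.drupal.org/node/PLACEHOLDER-2</link>
   <description>Versions of Drupal core prior to 7.99 are affected.</description>
  </item>
  <item>
   <title>Other Module - Less critical - Information disclosure - SA-CONTRIB-YYYY-MMM</title>
   <link>https://www.drupal.org/node/PLACEHOLDER-3</link>
   <description>Versions of Other Module prior to 7.x-2.0 are affected.</description>
  </item>
 </channel>
</rss>"""

# Constructed: what this example site has installed (project name -> version).
INSTALLED = {
    "Drupal core": "7.99",        # placeholder version, already at the fixed release
    "Example Module": "7.x-1.2",  # older than the fixed release, so it must be updated
}

def parse_feed(xml_text):
    """Return a list of dicts (title, link, description) from an RSS 2.0 string."""
    root = ET.fromstring(xml_text)
    return [
        {
            "title": item.findtext("title", ""),
            "link": item.findtext("link", ""),
            "description": item.findtext("description", ""),
        }
        for item in root.iter("item")
    ]

def parse_version(version):
    """Turn '7.x-1.2' or '7.99' into a comparable tuple of integers.
    The core-branch marker 'x' becomes 0 so that tuples stay comparable."""
    return tuple(0 if part == "x" else int(part) for part in re.split(r"[.\-]", version))

def affected_advisories(feed_xml, installed):
    """Return (project, title, link) for advisories that apply to an installed
    project whose version is below the fixed release named in the description."""
    hits = []
    for adv in parse_feed(feed_xml):
        project = adv["title"].split(" - ")[0].strip()
        if project not in installed:
            continue  # advisory for something this site does not run
        match = re.search(r"prior to (\S+) are affected", adv["description"])
        if match is None:
            # Fixed version not stated in the expected form: report it so a human reads it.
            hits.append((project, adv["title"], adv["link"]))
            continue
        if parse_version(installed[project]) < parse_version(match.group(1)):
            hits.append((project, adv["title"], adv["link"]))
    return hits

if __name__ == "__main__":
    for project, title, link in affected_advisories(SAMPLE_FEED, INSTALLED):
        print(f"UPDATE NEEDED: {project} ({INSTALLED[project]}): {title}\n  {link}")
```

Run against a saved copy of the real feed, the only change needed is reading the file into `SAMPLE_FEED`; the version comparison is deliberately strict, so an advisory whose description does not name a fixed version is still reported rather than silently skipped.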
But let's say that you're not subscribed to that feed or you forget to read it. You will still find out about security issues in a couple of ways. One way that you'll be notified is by e-mail and you'll notice that when you first install your site. Now here I am on the last screen before finishing, where I put in the site name and username and so forth. At the bottom of that page we have this e-mail notifications check box. If you leave this box checked, and it is checked by default, you'll receive an e-mail message whenever there's an important security announcement about Drupal.
That message by the way will be sent to the super user's address. So make sure that you enter that correctly when you set up your site. The other way that you'll automatically find out about security issues is in your site itself. So let's go back to our site. Now, I've installed an older version of a certain module. And so Drupal has to tell me, hey, wait a second, the newer version is out. I will notice that when I start going to administrative pages, like when I click Modules and here it is. I see the warning saying, hey, there's a newer version. And then I click Available updates as it suggests and I can update that module if I like.
To learn how to do that and how to update Drupal itself, see the video "Updating Drupal." Okay. So your site is running the latest versions of Drupal and the contributed modules and themes. Let's talk about a few things you can do to avoid other kinds of security holes. The first one is to restrict registration. The control for that is under Configuration and Account Settings. As we scroll down, we see that you have a setting that allows only you to give people accounts or that requires your approval when someone applies for one.
We discussed these settings in the video on creating user accounts. Next, check users' roles and permissions from time to time to see if anybody has tried to get in who shouldn't. So let's go up to People and just look down our list. Ah, you see that name? That doesn't look right to me, so I might want to take a look and see what the e-mail address is or any other notices. Yeah, that looks obviously fake to me. So what I might do is send a note to that person saying, "Hey, I see you joined my site, could you tell me a bit about yourself," and see if I get anything back.
And if not, I might decide to delete it or not. It's up to you. Along with individual users of course, you should take another look and make sure that everybody has the role that you really want them to have and that each of those roles has the permissions you want them to have. Now, the thing about restricting registration is that it can turn people off from your site. So I would like to suggest a module that can be set up automatically to increase access when people prove themselves trustworthy. It's called User Points and you'll find it at drupal.org/project/userpoints.
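Reviewing People and Permissions by hand works for a small site, but the check described above is easy to automate. The following is an added example (not from the video, and not Drupal code) that compares each role's current permissions against an expected baseline and lists accounts that hold a privileged role yet have never logged in. The role snapshot, the baseline policy and the account list are all constructed for the example; the permission strings such as "administer permissions" and "use text format full_html" are Drupal 7 permission names, and the account fields mirror the created/login columns of Drupal's users table.

```python
"""Audit Drupal roles and accounts against an expected baseline.

Added example; the snapshot, baseline and accounts below are constructed.
"""

# Constructed snapshot: role -> permissions it currently holds.
CURRENT_PERMISSIONS = {
    "anonymous user": {"access content", "use text format full_html"},
    "authenticated user": {"access content", "post comments"},
    "editor": {"access content", "create article content",
               "edit any article content", "administer permissions"},
    "administrator": {"access content", "administer permissions",
                      "administer users", "use text format full_html"},
}

# Assumed baseline policy: the most each role should have. None marks a
# trusted role whose permissions this audit does not check.
BASELINE = {
    "anonymous user": {"access content"},
    "authenticated user": {"access content", "post comments"},
    "editor": {"access content", "create article content", "edit any article content"},
    "administrator": None,
}

# Permissions that can hand over the whole site if granted to the wrong role.
HIGH_RISK = {"administer permissions", "administer users", "administer modules",
             "administer site configuration", "use text format full_html",
             "use text format php_code"}

def audit_roles(current, baseline, high_risk):
    """Return (role, severity, detail) for every permission beyond the baseline."""
    findings = []
    for role, perms in current.items():
        if role not in baseline:
            findings.append((role, "HIGH", "role not in baseline: " + ", ".join(sorted(perms))))
            continue
        allowed = baseline[role]
        if allowed is None:
            continue  # trusted role
        for perm in sorted(perms - allowed):
            findings.append((role, "HIGH" if perm in high_risk else "MEDIUM", perm))
    return findings

# Constructed accounts: (name, mail, roles, created, login). As in Drupal's
# users table, login == 0 means the account has never logged in.
ACCOUNTS = [
    ("alice", "alice@example.com", {"editor"}, 1_600_000_000, 1_650_000_000),
    ("bob", "bob@example.com", {"authenticated user"}, 1_600_000_000, 1_640_000_000),
    ("xq7r2k", "xq7r2k@mail.invalid", {"editor"}, 1_690_000_000, 0),
]

def suspicious_accounts(accounts):
    """Flag accounts that hold a role beyond 'authenticated user' but have never
    logged in: a granted role that was never used deserves a second look."""
    return [name for name, _mail, roles, _created, login in accounts
            if login == 0 and roles - {"authenticated user"}]

if __name__ == "__main__":
    for role, severity, detail in audit_roles(CURRENT_PERMISSIONS, BASELINE, HIGH_RISK):
        print(f"[{severity}] {role}: {detail}")
    for name in suspicious_accounts(ACCOUNTS):
        print(f"[REVIEW] account '{name}' has a privileged role but never logged in")
```

The baseline is written as "at most these permissions" so that any new permission a module adds to a role shows up as drift; keeping the baseline in version control alongside the site lets you diff it the same way you would diff configuration.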
It's a little complicated to set up and decide how to promote people from role to role, but once you have it set up, it's really valuable. But let's get back to one more way to make your site more secure. The last one is to avoid the full HTML and PHP text formats. I demonstrated their dangers in an earlier video on using text formats to prevent damaging content. In short, anyone who can create content that has those text formats can inject unwanted content that's beyond your control and might even be able to take over your site completely.
We can see that by going to Add content and let's just say Article. This is the point of danger. If they can enter PHP code or full HTML, then you might be in trouble and the way to fix that is under Configuration > Text formats. Each one of these can be restricted by role, as you see here. That's a fairly brief overview of ways to stay on top of your site's security but there's a lot more to learn. And if you want to learn more, I recommend a book called Cracking Drupal. It's by Greg Knaddison, one of Drupal's key security personnel, and it goes into far more than I could ever hope to cover here.
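To show concretely what the difference between a restricted text format and Full HTML means for untrusted content, here is an added example (not from the video, and not Drupal's own filter module) that implements a small allowlist filter in Python. The allowed tag list is an assumption modelled on Drupal 7's default Filtered HTML configuration, and the sample markup is constructed; the point is that the filtered path removes scripts, unknown attributes and unsafe link targets, while the Full HTML path passes everything through unchanged, which is why the video restricts that format by role.

```python
"""Filtered HTML versus Full HTML: what an allowlist filter removes.

Added example; the tag allowlist is an assumption, the sample input is constructed.
"""
from html import escape
from html.parser import HTMLParser

# Assumed allowlist, modelled on Drupal 7's default Filtered HTML format.
ALLOWED_TAGS = {"a", "em", "strong", "cite", "blockquote", "code",
                "ul", "ol", "li", "dl", "dt", "dd"}
ALLOWED_ATTRS = {"a": {"href"}}
# Only these link targets survive; javascript:, data: and similar are dropped.
SAFE_PREFIXES = ("http://", "https://", "mailto:", "/", "#")

class AllowlistFilter(HTMLParser):
    """Rebuilds the document keeping only allowlisted tags and attributes.
    Text inside <script>/<style> is dropped entirely; other text is escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # greater than 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS or self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                if name == "href" and not value.strip().lower().startswith(SAFE_PREFIXES):
                    continue
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in ALLOWED_TAGS and not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def filtered_html(markup):
    """What a restricted text format produces from untrusted markup."""
    parser = AllowlistFilter()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

def full_html(markup):
    """Full HTML: the markup is stored and rendered unchanged."""
    return markup

# Constructed sample of the kind of content an untrusted author might submit.
UNTRUSTED = ('<p>Hi</p><strong>bold</strong><script>alert(1)</script>'
             '<a href="javascript:alert(2)">x</a>'
             '<a href="https://example.com" onclick="evil()">ok</a>')

if __name__ == "__main__":
    print("Filtered HTML:", filtered_html(UNTRUSTED))
    print("Full HTML:    ", full_html(UNTRUSTED))
```

Note what the filtered output keeps: the text of disallowed tags such as `<p>` survives while the tag itself is removed, the script body disappears completely, and a link is kept only with a safe `href`. The PHP text format is worse again than Full HTML, since its content is executed on the server rather than in the visitor's browser, so it belongs to no role you would not trust with the server itself.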