The best site should be protected with the best security. So let's take a look at some steps you can take from the very beginning to ensure that you have complete control over who can access and change your content. We won't go into how to configure user roles within Drupal in this video; we will do that in another video. But a little bit of planning now will save you a lot of meddling about when that time comes, and could prevent some disastrous security errors. When you run a Drupal site, you will be concerned with security on three levels. First, the server, which contains all the core programs that run Drupal, any additional programs you have added, such as modules, and any custom programming that you created. Server security is especially important because some configuration files store passwords in plain text. If your server security is bad, someone might be able to break in and look at those passwords without you ever knowing that it happened. Second, MySQL, which contains virtually all of the content of your site. If your MySQL security is improperly set, an attacker could change the site's content, including matters relating to your users' identities. With full access to the MySQL database, the attacker can also change user passwords, effectively giving them full access while removing yours.
Finally, we have Drupal security, flaws in which can cause very similar effects to flaws in MySQL security because really, Drupal is essentially just a nice user interface for the database and the web server. So while it would take a MySQL expert to cause particular vandalism through MySQL security flaws, even a novice attacker with full Drupal access could change content and passwords easily and efficiently. So let's take a look at Drupal security. In short, here's what you need to know.
As it's installed by default, Drupal security is user based, that is, you categorize users as being members of a group and set limits on what members of that group can do. Among the users, there is one super user. That's the administrator that you created when you first set up Drupal. That one has the ID of 1, if you go into the MySQL database. The second part of Drupal security is the two groups that are automatically built in: one is called Anonymous, the other one is called Authenticated.
Authenticated users are all those who have signed up for your site, while Anonymous users are those who just happen to be browsing it without signing in. Finally, Drupal security allows you to add more groups as you need them, and you probably will do that if you have a collaborative site. So for example, you may have one group that's Editors, one group that's Writers and another group that's Graphic Designers, each one of which can only affect their particular area. There are other ways to control user access. Most important, however, is the permissions administration screen. You get to that screen by going to Administer and then scrolling down to Permissions. Here you see all of the different kinds of permissions that you can set. Each one of these lines is a different sort of permission and each one of the columns is a different sort of user. As you can see, you have your two built-in groups here, Anonymous, who have not signed in, and Authenticated, who have. As we scroll down, there is a nice little trick here: Anonymous and Authenticated stay at the top, so you always know which column you are working with. That's new in Drupal 6, by the way.
By default, all users can access content, however that's pretty much it. So any time you add an additional module or want to give permission to your Authenticated users to do something, you have to give them that permission specifically by turning it ON with a checkbox and then clicking on Save permissions. Another way that you can change permissions is to go into Administer and then, instead of seeing it by Task, see it by Module. In each one of these groups, you will see a Configure permissions link, which will bring you specifically to the part of that permission screen that deals with that particular module. For example, Block: let's click on Configure permissions and it automatically jumps down to the Blocks area, which has two different things that can be set.

Besides giving you ways to control access through the permission screen, Drupal also offers some limited ways of looking at access logs, which can be useful for tracking attacks. For example, a series of failed login attempts in very close succession could be a sign that someone is using an automated program to guess at your users' passwords. Let's go and take a look at some of those reports. Go to Administer and then scroll down to Reports, and here you can see Recent log entries, which is everything. If there have been any Access denied errors, you can see those, and then if people happen to go to pages that don't exist, you can even see those. Let's take a look at log entries here. This is in reverse chronological order, so the most recent ones are at the top. But you could change that by clicking on any of these highlighted columns. For example, to sort by type, click here, and then to sort in the opposite direction, that is from Z to A, you would click again. Let's go back to date and then click again to see it again from most recent to least recent. In addition, you can filter these log messages, for example, only to show those things that were of emergency level or of another high level.
If you hold down the Shift key, for example, you can see everything from warning on up, and then click Filter. That cuts out a lot of the noise that might otherwise distract you.
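The failed-login pattern described above, worked through as an added example that is not part of the original video or of Drupal itself: a Python script that scans rows shaped like Drupal's watchdog log and flags any source host that accumulates repeated failed logins within a short window. The row shape and the message wording "Login attempt failed for ..." are assumptions modelled on what the Recent log entries screen displays; the sample rows are constructed.

```python
import re
from collections import defaultdict

# Constructed sample rows in the assumed shape of Drupal 6 watchdog entries:
# (type, rendered message, hostname, unix timestamp). Not real log data.
SAMPLE_WATCHDOG = [
    ("user", "Login attempt failed for admin.", "203.0.113.7", 1700000000),
    ("user", "Login attempt failed for admin.", "203.0.113.7", 1700000002),
    ("user", "Login attempt failed for editor.", "203.0.113.7", 1700000003),
    ("user", "Login attempt failed for admin.", "203.0.113.7", 1700000005),
    ("user", "Login attempt failed for jane.", "198.51.100.9", 1700000010),
    ("user", "Session opened for jane.", "198.51.100.9", 1700000040),
    ("user", "Login attempt failed for admin.", "203.0.113.7", 1700000900),
    ("user", "Login attempt failed for admin.", "203.0.113.7", 1700000901),
    ("user", "Login attempt failed for admin.", "203.0.113.7", 1700000902),
    ("user", "Login attempt failed for admin.", "203.0.113.7", 1700000903),
    ("user", "Login attempt failed for admin.", "203.0.113.7", 1700000904),
]

# Assumed wording of the failed-login message as shown in the log report.
FAILED_LOGIN = re.compile(r"^Login attempt failed for (?P<name>.+)\.$")


def find_login_bursts(rows, threshold=5, window=60):
    """Return one alert per source host whose failed logins reach `threshold`
    within any `window` seconds: (hostname, first_ts, last_ts, account names)."""
    by_host = defaultdict(list)
    for wtype, message, hostname, ts in rows:
        m = FAILED_LOGIN.match(message)
        if wtype == "user" and m:
            by_host[hostname].append((ts, m.group("name")))
    alerts = []
    for host, attempts in by_host.items():
        attempts.sort()
        start = 0
        # Sliding window over the sorted attempts from this host.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                names = sorted({n for _, n in attempts[start:end + 1]})
                alerts.append((host, attempts[start][0], attempts[end][0], names))
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for host, first, last, names in find_login_bursts(SAMPLE_WATCHDOG):
        print(f"{host}: burst of failed logins {first}-{last} against {names}")
```

The slower first cluster (four failures in five seconds) stays below the default threshold; lowering `threshold` to 4 surfaces it as well.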
Finally, we should mention some parts of Drupal that are particularly vulnerable to attacks. First of all, third-party modules, which were programmed by individuals and then contributed to the Drupal project, tend not to have as much oversight as the main Drupal project, which, of course, has dozens of people looking at it at any one time. Secondly, PHP and MySQL issues are always popping up, and this is much larger than Drupal. It's a good idea for Drupal administrators to keep an eye on these matters as well, although if you follow the Drupal news, they will usually report any that affect Drupal. Finally, the most important thing to watch out for is good old social engineering, and by that I mean getting e-mails that say "I am your administrator, give me your password", or anything else that's basically tricking your users.
As always, your main source of information about Drupal should be drupal.org, and specifically, for security purposes, drupal.org/security. On the drupal.org/security page, you will see a list of advisories in reverse chronological order, so the most recent ones show up at the top. This video briefly discusses measures to protect the very top level, that is to say, Drupal itself. But then again, your Drupal installation is available to everybody on the internet if you make it public. Fortunately, a knowledgeable application of Drupal's user-based security systems is enough to stop most attacks.