Drupal is a very popular content management system that has been widely adopted by government agencies, major businesses, social networks, and more. This talk focuses on the penetration tester's perspective of Drupal and dives into streamlining the assessment and remediation of commonly observed application and configuration flaws by way of custom exploit code and security checklists.
Download the associated scripts, movies, and checklist here: https://github.com/gfoss/attacking-drupal
Security breaches are becoming more common in today’s world, from large vulnerable corporations being attacked to cyber attacks causing physical damage. With Drupal becoming increasingly more popular, it has become a perfect target for these automated attacks. Last year's SA-CORE-2014-005 vulnerability has demonstrated that hackers have learned how to take advantage of Drupal’s functionality to infect a site and remain unnoticed.
Site builders and maintainers have a large role to play in preventing these kinds of disasters. With a solid knowledge base of the most common security threats, developers can quickly identify those security issues and learn how to address them. In this webinar, learn about how to protect your Drupal site against security threats, with topics including:
- How Drupal can protect against DDoS attacks
- Configuration mistakes that make you vulnerable, and how to avoid them
- Fast updates: the single most important security element
- Security improvements in Drupal 8
- Modules to enhance security and evaluating contributed module quality
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 Philippe Gamache
Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure worldwide. As our digital, global infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems.
The goal of the OWASP Top 10 Proactive Controls project is to raise awareness about application security by describing the most important areas of concern that software developers must be aware of. We encourage you to use the OWASP Proactive Controls to get your developers started with application security. Developers can learn from the mistakes of other organizations.
Browser Serving Your Web Application Security - NorthEast PHP 2017 Philippe Gamache
One important concept in web application security is defense in depth. You protect your server, your network, your database and your application, but what about the user browser? Can it be done?
Yes! Several new technologies and protocols to assist security have been added to browsers. Several must be added, activated and configured from your web server or web page. In this presentation we will explore these technologies and learn how to use them. You'll learn about the Robots meta tags (for crawler indexing), Browsing Compatibility, XSS and Clickjacking Protection, SSL/TLS Control, and Content Security Policy.
In this presentation you will learn about how to secure your WordPress website.
In the first part I have covered the reasons why your WordPress website gets hacked/tampered with, and in the second part I have explained various security precautions that you can take to make your WordPress website more secure. I have categorized the checklist so it will be easy for anyone to understand and follow. Hope it will help you. Best of luck with your website security.
10 things every developer should know about their database to run word press ... Otto Kekäläinen
Talk from WordCamp Barcelona 2018
https://2018.barcelona.wordcamp.org/session/10-things-every-developer-should-know-about-their-database-to-run-wordpress-optimally/
The database is perhaps the most important piece of your infrastructure. The database contains all your important e-commerce data and must be kept secured. The database performance often defines the overall performance of your WordPress site. In this talk I cover the most important things every WordPress developer should know about MariaDB/MySQL to be able to build and operate their site optimally.
Securing Your WordPress Website - WordCamp GC 2011 Vlad Lasky
Presentation slides from Vladimir Lasky's talk on how to harden your WordPress website against would-be attackers and avoid inadvertently creating security holes.
Contains various tips and recommendations for off-the-shelf plugins to mitigate common security threats. Presented on Sunday 6th November at WordCamp Gold Coast 2011.
Automatic testing and quality assurance for WordPress plugins and themes Otto Kekäläinen
Talk given at WP Helsinki Meetup 7.11.2018
See also:
* https://developer.wordpress.org/themes
* https://developer.wordpress.org/plugins
* https://travis-ci.org/Seravo
* https://seravo.com/blog/coding-wordpress-in-style-with-phpcs/
Drupal Security Basics for the DrupalJax January Meetup Chris Hales
Basic security presentation for the Jacksonville, FL Drupal user group on how Drupal deals with the OWASP top 10 security risks of 2013.
I'll be expanding this to include additional details and examples in the next version.
WordPress Security - A Hacker's Guide - WordCamp 2019 Islamabad RF Studio
RFStudio's Co-Founder Max (Hassan) Raza delivered a detailed session with demonstrations around WordPress security and shared experiences with WordCamp community about security and how to make WordPress more secure together.
In this quality assurance training session, you will learn Selenium WebDriver. Topics covered in this course are:
• Selenium Components
• Introduction to Web Driver
• Downloading and Configuring Web Driver with Eclipse
• Web Driver Methods
• Web Driver Locators
• Interacting with different UI elements
• Synchronization, Alert and multiple window
• Dynamic Menus
• Cookie Management
• Launching different web browsers
• Introduction to Test NG
To know more, visit this link: https://www.mindsmapped.com/courses/quality-assurance/get-practical-training-on-software-testing-quality-assurance-qa/
"15 Techniques to Exploit File Upload Pages", Ebrahim Hegazy, HackIT Ukraine
During the session we will go through different methods of exploiting file upload pages in order to trigger Remote Code Execution, SQL Injection, Directory Traversal, DoS, Cross-Site Scripting and other web application vulnerabilities, with demo code. We will also see things from both the developer's and the attacker's side: what protections developers apply to mitigate file upload issues by validating the file name, the file Content-Type and the actual file content, and how each of them can be bypassed, using 15 techniques!
WordPress Security Updated - NYC Meetup 2009 Brad Williams
My updated WordPress Security presentation. Updated with more tips and information! This is a must read to keep your WordPress website safe!
Presented at the NYC WordPress Meetup on September 15, 2009
Starting from a previously developed simple web application (based on the X-Files TV series), the aim is to set up both user authentication and authorization of web resources, both for the resources themselves and for the invocation of business components. A minimum set of security settings will be established and then completed with more sophisticated mechanisms, emphasizing the novelties of Spring Security 3.x such as SpEL, annotations, namespace configuration, Java config, etc. Attendees will see many of the features Spring Security implements to set up security mechanisms within JEE applications. The tools used are Spring Tool Suite 3.4, Spring Framework 3.2, Maven 3 and Spring tc Server 2.9.
Have you secured your WordPress blog against hackers who are out to use your site for illicit purposes? If not, you risk losing your content, your rankings, maybe even your business. Implement the tips in this presentation to confound anyone who tries to hack your site!
Top 20 mistakes you will make on your 1st Drupal project Iztok Smolic
Working as a Drupal theming/development consultant on many "rescue" mission projects, I have seen many different mistakes web developers make when facing Drupal for the first time.
Becoming a drupal master builder - Given at Drupal Camp London 2016
I've been building Drupal sites for a number of years and have a broad experience building Drupal sites with various levels of complexity. I often work with other agencies to build Drupal sites or to migrate existing sites and as a result I will often see some very common mistakes and errors that shouldn't be happening. Due to Drupal's popularity I also see Drupal sites in the wild and can clearly see the same mistakes going on there as well.
During this talk I'll show some basic site building tips as well as some more complex and technical strategies that will make your Drupal sites better and more maintainable. Rather than just show you what to do, I'll also be explaining why doing those things are important and how developers and their websites will benefit from them. Although I'll be mainly concentrating on Drupal 7, some of these techniques are also applicable to Drupal 8.
Learn about best practices for developing Moodle code from custom plugins to submitting bug fixes for core Moodle code. Topics covered will include:
Overview of Moodle plugin systems and available API's
Working with the Moodle tracker
Peer review process
Maintaining a custom plugin using Github
Submitting core patches / bug fixes to Moodle HQ
Walks through the top 8 improvements coming to Drupal 8, including videos and code samples to demonstrate "before vs. after."
Given to the @DrupalNS meet up in Bedford, Nova Scotia on July 28, 2014.
Easy Drupal Project Deployment With Features Module & Drush QArea
This is a presentation for a webinar QArea held about Drupal deployment as well as the Features and Drush modules (http://qarea.com/articles/qarea-webinars-drupal-hit-video). Any developer will also be able to find many useful commands, tricks and tips in it.
Why would a developer whose framework of preference is Symfony2 pay attention to Drupal 8?
A general overview of Drupal, including pros and cons of using it.
Prepared and presented by Yaroslav Doroshchuk, CTO, Grossum. The presentation took place at DrupalCamp Kyiv 2014.
Build your Chunks! Explain real life to Drupal in its own Words (at BADCamp 2... Adelle Frank
Want to build a site, but are confused by what Drupal means when it says Node, Block, or Page? Learn how to talk with the friendly Drupal robot using language it knows. Win PRIZES! Become an ambassador to the world of machines, and build even better Drupal websites!
We will:
define some of the most confusing Drupal words
explore how these words relate within our Drupal site-building universe
draw a big picture (or Model) of that universe
learn to translate our world into chunks of data that can live in Drupal-Land
This session uses NO CODE and is designed for Beginners, but people of all skill levels and interests are welcome. Come help make our Drupal world easier to understand!
Session inspired by DrupalCamp Atlanta 2014, especially Annika Garbers' session and by the awesome participants in my Plan your Chunks session.
Plan your Chunks! Future-proofing Your Information Architecture with Drupal ... Adelle Frank
Master the tools in your Drupal site-building arsenal to future-proof your information design! See sloppy blobs battle discrete chunks - and lose! Learn basic concepts AND expert tips for organizing your website. Uncover secret strategies for making findable, usable content. Some of the topics covered include the importance of planning your names, entities versus content types, why NOT to share fields, always being multilingual, when and why to use taxonomy, connecting with entity reference, and more! No Drupal knowledge required, and a number of these insights will apply to ANY Web project you are planning.
Plan your Chunks! Win the Future with Information Architecture NOW Adelle Frank
Master the tools in your Drupal site-building arsenal! Learn basic concepts AND expert tips for organizing Drupal.
You will:
Uncover secret strategies for making findable, usable content.
Future-proof your information design.
See sloppy blobs battle discrete chunks…and lose.
Some of the topics I cover include:
entities versus content types
why NOT to share fields
always be multilingual
when and why to use taxonomy
connecting with entity reference
the importance of planning your names
...and more!
Feeds is my Friend: a Drupal 6 to 7 Migration story Adelle Frank
Slides used at interactive presentation on how easy the Feeds module can make your migration from a Drupal 6 site to a Drupal 7 site. Presented for the GT Build day on December 5, 2013 (more info available at: http://adellefrank.com/node/428).
Turbo-charge your Views power with add-on modules! Win PRIZES! Defeat common points of Views confusion! CONTROL how your Drupal content displays! SMALL PRINT DISCLAIMERS: No coding required. A rollicking good time is not guaranteed (but it's highly likely). Novice and Intermediate Drupal users welcome.
Catalyzing Drupal collaboration & coding at your institution Adelle Frank
Session given at http://usg.edu/rock_eagle on October 25, 2012. DESCRIPTION: While a community of Drupal aficionados has existed at Georgia Tech, it had not been active for a while. This session discusses how we encouraged every level of Drupalista in our community to collaborate and share in the coding and configuring tasks that come with using Drupal in such a de-centralized higher ed environment. And, don't worry, we also share our code and configuration documentation as well!
How to publish your university catalog and class schedules online using the C... Adelle Frank
Over the last 2 years, Emory College has used Hannon Hill's Cascade Server cms to publish our academic catalog and semester class schedules to the web. Learn the trials, tribulations, and successes we've encountered along the way with data definitions, indexing, and web services.
Presented on September 13, 2010 at the Cascade Server User's Conference in Atlanta, Georgia.
Welcome to the Program Your Destiny course. In this course, we will be learning the technology of personal transformation, neuroassociative conditioning (NAC) as pioneered by Tony Robbins. NAC is used to deprogram negative neuroassociations that are causing approach avoidance and instead reprogram yourself with positive neuroassociations that lead to being approach automatic. In doing so, you change your destiny, moving towards unlocking the hypersocial self within, the true self free from fear and operating from a place of personal power and love.
Securing Drupal 7: Do not get Hacked or Spammed to death!
1. Securing Drupal 7: Don't get Hacked or Spammed to death!
Adelle Frank
Friday, February 15, 2013
GT Drupal Users Group
2. Who is the presentation for?
• Site builders
• NOT server admins
• NOT module/theme coders.
– For secure coding tips, see: http://drupal.org/writing-secure-code
3. Places that need securing in Drupal
1. YOUR Code
2. Drupal Core
3. Drupal Contrib(uted) Themes/Modules
4. External Libraries & Code
5. Editor Support
6. Server & Monitoring
4. 1. YOUR Code Choices
• http://drupal.org/writing-secure-code
• Be careful if you write a module or make code changes to a Theme!!
– Separate/Comment any changes to Code.
– Don't hack CORE!
• Don't install non-recommended modules or libraries OR THEMES
5. 2. Drupal Core: Updating
• Update manager (module ON & configured for security emails: admin/reports/updates/settings)
• Apply every security patch after backing up EVERYTHING
– module updates are EASY in Drupal 7
– Installatron makes CORE updates easier (but MUST backup .htaccess and robots.txt). http://drupal.gatech.edu/wiki/importing-existing-site-insta
• http://drupal.org/project/security_review (module)
6. 2. Drupal Core: Some module settings
• PHP filter (module OFF)
• Tracker (module OFF, unless you have LOTS of users or sensitive data)
• Comments (module OFF, unless you have a use case, and then protective measures are required)
• Error message display (NONE/OFF) at admin/config/development/logging, but keep ALL log messages.
• File system (admin/config/media/file-system): private?
• Database logging (module ON, instead of Syslog)
7. 2. Drupal Core: User accounts
• admin/config/people/accounts & admin/people
• Disable User #1 (& masquerade) in Drupal 7 b/c not needed; give self "administer software updates"
• Choose: "Disable the account and keep its content." b/c deleting users who have created content can lead to access bypass
• Only Admins can register accounts.
• OFF: Enable personal contact form by default
• OFF: Enable signatures (b/c applies to ALL)
• OFF: Enable user pictures (b/c applies to ALL)
8. 2. Drupal Core: Permissions
• admin/people/permissions
• Only give ANONYMOUS & AUTHENTICATED "View published content"; add more if NEEDED.
• Only Developer/SuperAdmin gets "Administer..."
• (Possible) Exception: might give EDITORS "Administer" for: Blocks, Comments, Menus.
• Contrib Modules for fine-grained permissions:
– override node options,
– role delegation or role assign
– field permissions, etc.
9. 2. Drupal Core: Filters
• http://drupal.org/node/224921
• Filter (module ON) = Text input formats
• Do NOT allow these tags: SCRIPT, IMG, IFRAME, EMBED, OBJECT, INPUT, LINK, STYLE, META, FRAMESET, DIV, SPAN, BASE, TABLE, TR, TD
• ORDER of Filters (plain text for ALL at TOP)
• Filter Permissions (limit ANONYMOUS & AUTHENTICATED to plain, give EDITOR basic)
– More filter details in Contrib. modules
10. 3. Contrib Modules & Themes
• Disable or un-install modules you are not using (UI & Devel modules, like Masquerade). Regularly audit sites for unused modules.
• Criteria for evaluating contrib (Erik Webb):
– supported version(s)
– maintainer reputation
– total usage
– number of open issues
– usage change over time
• Criteria 2: allows PHP execution? Some modules that do are: Devel; CCK fields; Views; Webform
11. 3. Contrib: CAS and Captcha/Spamicide
• For GT account holders, the CAS module (requiring GT Logins for certain pages/forms) will usually be sufficient to protect individual content types/forms
– admin/config/people/cas
– Redirection > Specific pages
• If ANONYMOUS users can Add content or can Login, MUST HAVE Captcha + Spamicide
• Helpful Tool: StopSpamForum.com (esp. if you Block IPs in your Drupal site).
12. 3. Contrib: Editor & More Filters
• Because user content is dangerous, pay attention to settings for editing and file uploading modules.
• Who can use IMCE to add files/images & which file extensions are allowed? (profile)
• Who can use LinkIt to make a Link? (profile)
• Use WYSIWYG Filter to strip out unwanted code
• Limit buttons on CKEditor Toolbar
• Use Plain Text for ANONYMOUS users and on most TextArea Fields.
13. 3. Contrib: Field permissions & privacy
• Create unique names for every field that holds remotely-sensitive info. Why? Because permissions are by FIELD NAME regardless of content type
– Example: field_user_address, if used on 2 different forms, has the SAME permissions on both forms.
• Tip: Use bundle_copy module to make a generic Content Type with pre-set fields & display settings that are easy to alter & copy.
14. 3. Contrib: Fields, cont.
• Types of data NOT to store and NOT to share:
– FERPA student data not in directory (directory = name, email, field/dept)
– HIPAA health-related
– Identity theft-prone (SSN, Birthdate, etc.)
• Types of permissions for fields and content types:
– create
– edit OWN; view OWN (might be safe)
– edit ANY; view ANY (editors or admins only)
– delete OWN; delete ANY (be careful, admins only)
15. 3. Contrib: Webform
• http://drupal.org/project/webform
• NOT good at fine-grained permissions
• Can have PHP execution vulnerabilities
• You have MUCH better access control & reporting options (Views) if you use Content Types instead.
• Content types are Safer, but harder to delegate to editors for set up.
16. 3. Contrib: Views
• http://drupal.org/project/views
• Very popular, will be Core in Drupal 8.
• Allows you to report out on data in LOTs of ways
• Must take care with PERMISSIONS, esp. by Role, for each View, esp. if any data is private or sensitive.
• Be careful not to allow PHP in arguments, unless necessary.
17. 3. Contrib: Pathauto & Auto Label
• http://drupal.org/project/auto_entitylabel
– If you hide the Title field and auto-create the Title, don't give away private info in that Title.
• http://drupal.org/project/pathauto
– [user:name] is not a good default path for user URLs (will show the GT account)
– Do your content type auto aliases reveal too much about the content?
18. 4. External Libraries & Code
• HOW can we:
– Regularly check libraries for security notices (CKEditor, phpCAS, jquery.cycle, etc.)?
– Audit 3rd party code for security holes (such as superglobals like $_GET)?
– Audit libraries' example code or other 4th party included packages?
– Discover unneeded code to remove from libraries (and, of course, note it in the README.txt file)?
19. 5. Editor Support
• Training, especially on the security implications of:
– forms
– comments
– file types
– tag choices in HTML
• Regular audits of content + users
– every semester
– fewer files/revisions/people to look over if hacked
– less chance of an un-used file/account being co-opted
20. 6. Server & Monitoring
• Not a good use of time = hiding clues that a site runs on Drupal (http://drupal.org/node/766404)
• Robots.txt (only works on good search engines)
• .htaccess (can limit to on-campus or VPN access; Drupal already hides directories)
– RewriteCond %{REMOTE_ADDR} !^130\.207\.
– RewriteCond %{REMOTE_ADDR} !^128\.61\.
– RewriteCond %{REMOTE_ADDR} !^143\.215\.
– RewriteCond %{REMOTE_ADDR} !^192\.93\.8\.
– RewriteRule ^.* http://site.gatech.edu/message.html [R=301,L]
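The .htaccess restriction on this slide works as intended only if the address patterns are written carefully. The block below is an added example, not from the slides: it writes a hardened version of the rule set and tests the address patterns offline with grep. The four campus prefixes are the slide's; the function names, the `/message.html` notice page and the assumption that it is served by the same host are this example's own. In a regular expression an unescaped `.` matches any character, so a prefix written as `^192.93.8.` also admits 192.93.80.x through 192.93.89.x, while `^192\.93\.8\.` admits only 192.93.8.x. The rule set also exempts the notice page itself (otherwise an off-campus visitor is redirected in a loop) and uses a 302 rather than a 301 so browsers do not cache the redirect for a user who later connects through the VPN.

```shell
#!/bin/sh
# Added example, not from the slides: a hardened version of the on-campus-only
# .htaccess rule, plus an offline test of the address patterns with grep.
# Assumptions: Apache with mod_rewrite and AllowOverride FileInfo enabled;
# the four campus prefixes are those on the slide; /message.html is a
# constructed placeholder for the notice page, served by the same site.

# Escaped dots pin the match to real octet boundaries. With an unescaped
# trailing dot, ^192.93.8. would also admit 192.93.80.x through 192.93.89.x.
CAMPUS_RE='^(130\.207\.|128\.61\.|143\.215\.|192\.93\.8\.)'

# Write the hardened rule set to the .htaccess path given as $1.
write_htaccess() {
    cat > "$1" <<'EOF'
RewriteEngine On
# Never redirect the notice page itself, or off-campus visitors loop forever.
RewriteCond %{REQUEST_URI} !^/message\.html$
# Allow the campus and VPN ranges; every other client gets the notice.
RewriteCond %{REMOTE_ADDR} !^130\.207\.
RewriteCond %{REMOTE_ADDR} !^128\.61\.
RewriteCond %{REMOTE_ADDR} !^143\.215\.
RewriteCond %{REMOTE_ADDR} !^192\.93\.8\.
# 302, not 301: browsers cache a 301, which would keep sending a user to
# the notice page after they connect through the VPN.
RewriteRule ^ /message.html [R=302,L]
EOF
}

# Exit 0 if the address matches the allow-list, 1 otherwise.
# grep -E uses the same extended syntax as mod_rewrite's patterns, so the
# regexes can be checked here before they are deployed.
ip_allowed() {
    printf '%s\n' "$1" | grep -Eq "$CAMPUS_RE"
}

# The same check with unescaped dots, kept only to show how much wider it is.
ip_allowed_unescaped() {
    printf '%s\n' "$1" | grep -Eq '^(130.207.|128.61.|143.215.|192.93.8.)'
}
```

Run `write_htaccess /path/to/webroot/.htaccess` on a copy first and check a handful of addresses with `ip_allowed`; on Apache 2.4, `Require ip` with CIDR ranges (for example `Require ip 130.207.0.0/16`) expresses the same allow-list without regular expressions and is the better choice for a new deployment.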
21. 6. Server & Monitoring, cont.
• HTTPS, instead of HTTP
• Securing file permissions and ownership (settings.php, etc., http://drupal.org/node/244924)
• Regular BACKUPS (and diffs for comparison)
• Avoid installing multiple software packages on the same server (e.g. WordPress AND Drupal)
• Avoid storing ANYTHING other than the Drupal install in the web ROOT (httpdocs).
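The permission scheme the slide points to (http://drupal.org/node/244924) is concrete enough to script, and the "diffs for comparison" advice is easiest to follow with a checksum manifest. The block below is an added example, not from the slides or from drupal.org: `harden_drupal_perms` applies that scheme to a Drupal 7 tree (owner read/write, web-server group read-only, nothing for others, with only sites/*/files writable by the group and settings.php read-only for everyone), `audit_drupal_perms` reports anything that drifts from it, and `snapshot_tree` records a manifest that can be diffed against the one stored with the last backup. The function names are assumptions; the group ownership step (`chgrp -R` to the web server's group) is left out so the script can be tried on a scratch copy without privileges.

```shell
#!/bin/sh
# Added example, not from the slides or from drupal.org: apply and audit the
# file-permission scheme described at http://drupal.org/node/244924 on a
# Drupal 7 tree, and keep a checksum manifest to diff against backups.
# Assumptions: run as the site owner; the web server's group has already
# been set with "chgrp -R <web-group> <root>" (the group name is
# site-specific, so it is left out here); find and sha256sum are available.

# Owner: read/write (+traverse for dirs). Web-server group: read-only.
# Other: nothing. Only sites/*/files is group-writable (uploads, aggregated
# CSS/JS, image styles); settings.php is read-only even for the owner so a
# compromised PHP process cannot rewrite the database credentials.
harden_drupal_perms() {
    root=$1
    find "$root" -type d -exec chmod u=rwx,g=rx,o= '{}' \;
    find "$root" -type f -exec chmod u=rw,g=r,o= '{}' \;
    for d in "$root"/sites/*/files; do
        [ -d "$d" ] || continue
        find "$d" -type d -exec chmod ug=rwx,o= '{}' \;
        find "$d" -type f -exec chmod ug=rw,o= '{}' \;
    done
    find "$root"/sites -type f -name settings.php -exec chmod u=r,g=r,o= '{}' \;
}

# Print every path that drifts from the scheme; exit 1 if any, 0 if clean.
# Run it after deployments and as part of the regular audit.
audit_drupal_perms() {
    root=$1
    findings=$(
        find "$root" \( -perm -o+r -o -perm -o+w -o -perm -o+x \) \
            -exec echo "world-accessible: {}" \;
        find "$root" -type f -perm -g+w ! -path "$root/sites/*/files/*" \
            -exec echo "group-writable outside files dir: {}" \;
        find "$root"/sites -type f -name settings.php \
            \( -perm -u+w -o -perm -g+w -o -perm -o+w \) \
            -exec echo "writable settings.php: {}" \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Checksum manifest of the code that should not change between deployments
# (uploads under sites/*/files are excluded because they change legitimately).
# Store the manifest with the backup; "diff old.txt new.txt" then lists the
# files added, removed or altered since, which is the comparison the slide
# recommends and the quickest way to confirm or rule out tampering.
snapshot_tree() {
    (cd "$1" && find . -type f ! -path './sites/*/files/*' | sort |
        while read -r f; do sha256sum "$f"; done) > "$2"
}
```

A typical cycle is `harden_drupal_perms /var/www/drupal`, then `audit_drupal_perms /var/www/drupal` after every update, and `snapshot_tree /var/www/drupal manifest-$(date +%F).txt` alongside each backup so that a later `diff` between two manifests shows exactly which PHP files changed and when.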