This document provides tips and best practices for securing a Drupal site, including hardening servers, locking down access, using HTTPS, keeping software updated, encrypting sensitive data, reviewing logs, and questions from the presenter. Some key recommendations are to redirect all traffic to HTTPS, secure Drupal user 1, remove clues about Drupal from headers and files, use strong and unique passwords, and store backups and credentials securely offline. The presenter provides many module and tool recommendations for implementing security measures in Drupal.
2. You can get the slides at...
http://bit.ly/SecureYourSite
3. • @mattfarina on twitter
• Drupal.org UID 25701 (Over 8 Years)
• Co-Author of Drupal 7 Module Development
• Lead Engineer at HP Cloud
4. Did you hear? Adobe was hacked
http://techcrunch.com/2013/10/03/adobe-gets-hacked-product-source-code-and-data-for-2-9m-customers-likely-accessed/
5. A Picture Of The Internet
http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever
6. 420,000 Hacked Linux Based Systems
http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever
7. 71% of attacked sites belonged to orgs with fewer than 100 people
http://www.forbes.com/sites/cherylsnappconner/2013/09/14/are-you-prepared-71-of-cyber-attacks-hit-small-business/
8. Scanning the whole Internet for port 22 (ssh) in a day
http://blog.erratasec.com/2013/09/we-scanned-internet-for-port-22.html
16. Removing X-Powered-By Header
> curl -I https://drupal.org
...
X-Powered-By: PHP/5.3.27
...
; In your php.ini file set
expose_php = off
http://stackoverflow.com/questions/2661799/removing-x-powered-by
20. You can redirect to https via .htaccess
# Redirect when the request comes to http
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
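A small header audit covering slides 16 and 20, added here as an example that is not part of the slide deck: it parses a raw HTTP response head, flags the X-Powered-By header, Drupal 7's own X-Generator header and a Server header carrying a version number, and checks that a plain-http request was answered with the 301 to https set up in the .htaccess rule above. The two sample responses are constructed, not captured from drupal.org.

```python
import re

# Headers that advertise the stack behind the site. Drupal 7 adds X-Generator
# alongside PHP's X-Powered-By, which is the header slide 16 removes.
DISCLOSURE_HEADERS = ("x-powered-by", "x-generator")
VERSION_RE = re.compile(r"\d+\.\d+")

# Constructed sample responses, not captured from any real site.
LEAKY_HTTP = """HTTP/1.1 200 OK
Server: Apache/2.2.22
X-Powered-By: PHP/5.3.27
X-Generator: Drupal 7 (http://drupal.org)
Content-Type: text/html; charset=utf-8
"""

HARDENED_HTTP = """HTTP/1.1 301 Moved Permanently
Server: Apache
Location: https://example.com/
Content-Type: text/html; charset=iso-8859-1
"""

def parse_response(raw):
    """Split a raw response head into (status_code, {lower-cased name: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers

def audit(raw, requested_https):
    """Return a list of findings; an empty list means the response looks clean."""
    status, headers = parse_response(raw)
    findings = []
    for name in DISCLOSURE_HEADERS:
        if name in headers:
            findings.append(f"{name} discloses the stack: {headers[name]}")
    server = headers.get("server", "")
    if VERSION_RE.search(server):  # a bare product name passes, a version does not
        findings.append(f"server header discloses a version: {server}")
    if not requested_https:
        location = headers.get("location", "")
        if status != 301 or not location.lower().startswith("https://"):
            findings.append("plain-http request was not 301-redirected to https")
    return findings
```

Run `audit()` over the head returned by `curl -I http://yoursite` and again over the https response; the first should only report the redirect when the rewrite rule is missing.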
44. Encrypted Field Modules
• Encrypted Settings Field
https://drupal.org/project/encset
• Field Encryption
https://drupal.org/project/field_encrypt
• Encrypted Text
https://drupal.org/project/encrypted_text
48. Using Guzzle
<?php
require 'vendor/autoload.php'; // Composer autoloader (Guzzle 3.x API)

// A simple example: mount() registers the "Guzzle" static alias
Guzzle\Http\StaticClient::mount();
$response = Guzzle::get('http://guzzlephp.org');

// A little more complicated: an explicit client with a base URL
$client = new Guzzle\Http\Client('http://guzzlephp.org');
$request = $client->get('/');
$response = $request->send();