Breaking and entering into websites for malicious purposes has been and will continue to be a big problem. Particularly with database-driven content management systems such as Drupal and WordPress where known vulnerabilities exist, the risk and probability of intrusion and disruption is high. The question is not if, but when, your site will be hacked. All you have to do is watch the security advisories on sites like Drupal.org/security and WordPress.org to see and appreciate the number of threats and how the open source community rallies against these threats. There are multiple vulnerabilities and critical core patches that need constant updating.
When a website is hacked it is, at a minimum, an inconvenience. It can also be embarrassing, destabilizing, destructive, and costly to repair and restore. It could disrupt your entire organization and workflow if your organization depends on your website being up and running 24/7. In the long run, disaster prevention is less costly and less stressful than disaster recovery. So, we should lean forward and be proactive. There are several layers of defense that can be taken if you want to be proactive in mitigating risk and disaster recovery planning, including;
- Managed hosting. There are a few basic types of hosting companies and services including; grid hosting, shared hosting, virtual private server, managed hosting, and dedicated hosting. Some people liken the hosting options to living in a mid-rise apartment to living in a townhouse to living in a single family home. Of course, there are also extended options ranging from sleeping under a bridge to living in an island estate. The cheapest hosting options are probably the riskiest. Anything less than $10/month falls under these categories and includes provides like Hostgater, 1and1, and Godaddy. When you get to enterprise level hosting, you should expect higher levels of security monitoring, incident response, data protection, and backup service. The really good ones also provide configuration management tools and cache. Providers in this category includes Pantheon, Contegix, AWS, and Acquia.
- Website security. There are also website security platforms that provide platform as a service (paas) and cache. Providers such as Sucuri, Reblaze, Symantec, Comodo, and Cloudflare have plans that clean hacked sites infected with malware and protects from attacks such as DDoS, brute force, and exploited vulnerabilities. Services include detection (continuous monitoring, incident alerts, remote scanning, server side scanner), protection (website firewall, block hackers, DDos mitigration, virtual patching and hardening, and zero-day exploit prevention), and response (complete hack cleanup, dedicated security analysis, blacklist removal requests, quarantined backups, and full cleanup report). For $25-$400/month, you can subscribe to their firewall and intrusion prevention system.
- Scheduled security patches and updates. The difference between this and the other options is that the other folks only deal with the server. They don’t deal with the CMS application, per se. If you are running Drupal, WordPress, or Joomla, for example, the hosting company and security platform may not touch the CMS application (Pantheon and Acquia would be the exceptions). So, if you really want to be proactive, you need somebody to perform scheduled maintenance on a monthly basis to install the latest security patches and updates. In addition, you need somebody to subscribe to the security forums and if an emergency patch is produced for a newly discovered vulnerability, you want that to happen within 24 hours of the patching being made available. This focuses exclusively on the CMS core, modules, and plugins portion of the code, while managed hosting and website security platforms focus on the server, firewall, backups, etc. The key to security is eternal vigilance.
Drupal-specific security. Best security practices for Drupal include:
- Keep Drupal updated
- Use HTTPS for everything across every page of the entire site
- Audit configuration for security problems
- Audit code for security problems and code vulnerabilities
- Identify vulnerabilities and perform remediation in Drupal configuration and modules
- Identify vulnerabilities and perform remediation in components including Apache, PHP, MySQL
- Audit user permissions to ensure appropriate access and privileges throughout site
- Review Drupal log files for code errors, debug messages, and failed user account actions
- Provide analysis of website activity and infrastructure performance
- Watch text filtering and input formats
- Two-factor authentication
- Harden Drupal site with additional security modules (below)
There are several Drupal modules that also help with security, including:
If you need a hand security your website, planning for disaster, or are in the middle of a crisis; please give us a call.