Originally posted to LinkedIn August 20, 2018
If you manage your company's website, you are probably reliant on your Digital Agency, or on an offshore or internal Development Team, to secure your Drupal site. If reading that sentence made you shudder a little (hint: it should), take a moment to read this list and bring it to your team.
- Be sure your Drupal core is up to date. Engine Room recommends pulling the latest stable core update into your code base regularly, to avoid the big bang of pulling in tons of updates at once. For Drupal 8, you should be on 8.6.3. For Drupal 7, 7.61 is the latest release.
- Lock down your Admin area so it is not publicly accessible. There are several modules, such as Restrict IP, that can help you achieve this. That said, doing this at the network layer is the safest bet: reach out to your internal network team or hosting provider to see if they can help.
- Be sure your modules are up to date. Remember, keeping Drupal core up to date doesn't mean that the 'kitchen sink' of modules your team has installed over the years is up to date with the latest code.
  Part B to this: you should also disable any modules you are not using.
- Install Drupal security modules like Security Kit and Security Review. Security Review tests your site to make sure you don't have any major holes or vulnerabilities, the kind typically overlooked when dev teams are in a mad dash to a launch date and aren't exactly thinking like security auditors. Security Kit helps to protect against basic exploits like cross-site scripting.
- Maintain a strong password policy. You can use a module like Password Policy to handle this for you.
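To make the first item on this list checkable rather than a matter of trust, here is a small audit script (added here as an example; it is not Engine Room's code). It reads the VERSION constant from the place Drupal 8 keeps it (`core/lib/Drupal.php`) or Drupal 7 keeps it (`includes/bootstrap.inc`) and compares it with the releases named above; the docroot path and the sample text are assumptions.

```python
"""Check a Drupal code base's core version against the releases named in this checklist."""
import re
from pathlib import Path
from typing import Optional, Tuple

# Versions named in the post, keyed by major release.
REQUIRED = {8: "8.6.3", 7: "7.61"}

# Files holding the VERSION constant (assumes a standard Drupal 8 / 7 layout).
VERSION_FILES = ["core/lib/Drupal.php", "includes/bootstrap.inc"]

# Matches `const VERSION = '8.6.3';` (Drupal 8) and `define('VERSION', '7.61');` (Drupal 7).
_VERSION_RE = re.compile(
    r"""(?:const\s+VERSION\s*=\s*|define\(\s*'VERSION'\s*,\s*)['"]([^'"]+)['"]"""
)

def parse_version(text: str) -> Optional[str]:
    """Return the VERSION string found in PHP source text, or None if absent."""
    m = _VERSION_RE.search(text)
    return m.group(1) if m else None

def version_key(version: str) -> tuple:
    """Sortable key: numeric parts first, then rank pre-releases (8.6.0-rc1) below finals."""
    base, _, suffix = version.partition("-")
    nums = tuple(int(p) for p in base.split("."))
    return (nums, suffix == "", suffix)

def check_core(version: str) -> Tuple[bool, str]:
    """Compare a detected core version with the required release for its major version."""
    major = int(version.split(".")[0])
    required = REQUIRED.get(major)
    if required is None:
        return False, f"Drupal {major} is not covered by this checklist"
    if version_key(version) >= version_key(required):
        return True, f"core {version} meets required {required}"
    return False, f"core {version} is behind required {required}: update now"

def audit_codebase(root: str) -> Tuple[bool, str]:
    """Locate the version file under a Drupal docroot and check it."""
    for rel in VERSION_FILES:
        path = Path(root) / rel
        if path.is_file():
            version = parse_version(path.read_text(errors="replace"))
            if version:
                return check_core(version)
    return False, f"no Drupal VERSION constant found under {root}"

if __name__ == "__main__":
    # Constructed sample of the line as it appears in core/lib/Drupal.php.
    sample = "class Drupal {\n  const VERSION = '8.5.6';\n"
    print(check_core(parse_version(sample)))
```

Run it against each site's docroot from your staging pipeline so a stale core fails the build before anything reaches production.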
As with any major website change, be sure to include all of these updates in a Change Management process that includes regression testing. In short, make these updates on a staging environment and make sure they don't break anything!