Keep it out - How to keep Drupal Secure

w: digidrop.io | t: @digidropio
D
D
Keep it out
How to keep Drupal secure

D
D
About me
• Technical Director at Digidrop
• Drupal Developer with over 9 years experience in
Drupal
• Organisor of DrupalCamp London
• Author of Drupal 8 Blueprints

D
D

D
D
Firstly…
Security Updates

D
D
Security Updates
Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-004
Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002

D
D
SA-CORE-2018-004
A remote code execution vulnerability exists within multiple subsystems
of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple
attack vectors on a Drupal site, which could result in the site being
compromised. This vulnerability is related to Drupal core - Highly critical
- Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002
and this vulnerability are being exploited in the wild.
25th April 2018

D
D
SA-CORE-2018-002
A remote code execution vulnerability exists within multiple subsystems
of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple
attack vectors on a Drupal site, which could result in the site being
completely compromised.
28th March 2018

D
D
Security Updates
How to ﬁnd out
• Follow @drupalsecurity on twitter
• Check https://drupal.org/security
• Subscribe to Drupal Security Team newsletter
• Check you site status inside Drupal
• Hear about it from other Drupal developers

D
D
Simple Steps
(Keeping you sleep at night)

D
D
DON’T HACK
CORE / CONTRIB

D
D
Don’t hack core
• When updating core (as per SA-CORE-2018-002) it
can break your site, especially if you have modiﬁed it
in anyway
• Your site will be more vulnerable and updated issues
may not be applied
• PHP performance may be jeopardised
• It’s just wrong

D
D
Only use contrib
modules off drupal.org
• Your own custom modules are fine ;) as it’s your code, so be
proud
• Modules off sites like code canyon etc are not actively maintained
and by using these you are likely to encounter vulnerabilites
• Contrib modules are used by the community, if theres a
vulnerability someone will spot it and patch it
• They don’t work with composer (9 times out of 10)
• Don’t work with drush make

D
D
Secure your users
• Look at using 2FA - https://drupal.org/project/tfa
• Use Password Policy, force users to change their password regularly -
https://drupal.org/project/password_policy
• Use Paranoia - It reduces the potential impact of an attacker gaining
elevated permission on a Drupal site.
• Look at User Roles and Permissions, having too many can get
confusing. KISS (Keep it simple stupid)
• Only give speciﬁc permissions to certain roles
• Test as diﬀerent user roles, but go into depth or write some tests

D
D
Secure your admin
• Change username from admin, superadmin, root - make it harder to
guess
• Use drush uli when you want to login as uid1
• Make your password complicated and use Password Policy as well
• Use Username Enumeration, so when a user does forget password it
says the Password reset message regardless - https://drupal.org/
project/username_enumeration
• Never give your client super admin user if you are actively responsible
for it

D
D
Simple Procedures
• Don’t user FTP
• If you have to use SFTP but using a CI deployment is preferred and
gives you a better workﬂow
• Try and use full releases and not dev, if you have to use dev then test
and use with caution

D
D
Secure your
environment
• Keep your server updated, operating system (Ubuntu, CentOS etc..)
• Keep Apache or NGINX updated
• React quickly to any security releases
• Restrict access to your server, use a VPN or key to access the server
• Don’t use shared hosting, resource is shared and you cannot update
your environment

D
D
Alternatives
• Use a SaSS that exists already
• You don’t need to update PHP, Nginx or anything to do with the
environment

D
D
Your code (process)
• Check your code with another developer in your team
(pull requests)
• Create test scripts for your code
• Test your code
• Have a cup of tea
• Move onto your next task

D
D
Store your keys
elsewhere

D
D
Sanitise Your Code
• Use code sniﬀer (https://drupal.org/project/coder)

D
D
Clean your code
Play video
• https://youtu.be/qNj_sI6qndw

D
D
Sanitise Your Code
• check_plain(), Html::escape, Xss::filter,
UrlHelper::stripDangerousProtocols,
SafeMarkup::format deprecated in 9.x -
DrupalComponentRenderFormattableMarkup
• Do not use /e in preg_replace() - use
preg_replace_callback() instead

D
D
Twig FTW
• With Twig there is no PHP in the .html.twig ﬁles!
• We can keep our code clean this way
• Don’t use Drupal::database() etc inside
themename.theme
• Previously we could use db_query() inside our template ﬁles -
not in Drupal 8!

D
D
Hacked Modules!?
• Use the hacked module to determine which modules in contrib have
been changed

D
D
Hacked Site!?
• However if your site has been hacked take it down immediately and lock
out anyone
• Check when the site was last hacked (IP addresses)
• Add ReCaptcha or similar to forms
• Ensure you have a regular backup - hourly and oﬀsite S3 etc

D
D
Wrapping up
• Don’t hack core or contrib
• Regularly update when updates are released
• Subscribe to Drupal Security updates
• Don’t use PHP in Drupal UI
• Sanitise your data input
• Don’t use FTP
• Regularly backup your codebase and database
• Contribute to Drupal!

D
D
Finally
You can buy my book!

D
D
Questions?

Keep it out - How to keep Drupal Secure

More Related Content

Similar to Keep it out - How to keep Drupal Secure (20)

Recently uploaded (20)

Keep it out - How to keep Drupal Secure