🔒

Drupal Security Checklist

Verify current Drupal version

Check for available updates for Drupal core

Update Drupal core if necessary

Check for available updates for all installed modules and themes

Update modules and themes if necessary

Review user roles and permissions

Approval: User Credentials

Ensure file system permissions are correctly configured

Validate database and input sanitization to prevent SQL Injection

Ensure all forms have security tokens to prevent CSRF attacks

Verify all input validation to prevent XSS attacks

Check that all error and warning messages do not disclose sensitive information

Backup the site

Test site functionality after updates

Approval: Functionality Test

Scan the site for malware

Approval: Malware Scan

Ensure HTTPS is enabled and properly configured

Check that all third-party integrations are secure

Run a security audit using a trusted security tool

Approval: Security Audit

Verify current Drupal version

Check the current version of Drupal installed on the website. This is important to ensure that the website is running on the latest version, which includes security patches and bug fixes. Knowing the current version will also help determine if an update is necessary.

Check for available updates for Drupal core

Check if there are any updates available for the Drupal core. Drupal regularly releases updates to address security vulnerabilities and improve functionality. Keeping the core up to date is essential to maintain a secure website.

Update Drupal core if necessary

If there are updates available for the Drupal core, proceed with updating it. This will ensure that the website is running on the latest version, which includes security patches and bug fixes.

Check for available updates for all installed modules and themes

Check if there are any updates available for the installed modules and themes. Modules and themes may have security vulnerabilities or outdated features that need to be addressed through updates.

Update modules and themes if necessary

If there are updates available for the installed modules and themes, proceed with updating them. This will ensure that the website is running on the latest versions, which include security patches, bug fixes, and new features.

Review user roles and permissions

Review the existing user roles and permissions set up on the website. User roles define the level of access and permissions for different types of users. It is important to ensure that user roles and permissions are correctly configured to prevent unauthorized access and data breaches.

Approval: User Credentials

Review user roles and permissions
Will be submitted

Ensure file system permissions are correctly configured

Check if the file system permissions are correctly configured. Proper file system permissions help prevent unauthorized access and ensure the security of files and directories. Reviewing and adjusting file system permissions is an essential step in securing the Drupal installation.

Validate database and input sanitization to prevent SQL Injection

Validate the database and input sanitization to prevent SQL Injection attacks. SQL Injection is a common web application vulnerability that allows attackers to manipulate the database queries by inserting malicious code. Validating the database and implementing input sanitization measures will help protect against such attacks.

Ensure all forms have security tokens to prevent CSRF attacks

Ensure that all forms on the website have security tokens in place to prevent Cross-Site Request Forgery (CSRF) attacks. CSRF attacks occur when an attacker tricks a user into performing an unwanted action on a website, using the user's authenticated session. Adding security tokens to forms helps protect against CSRF attacks.

Verify all input validation to prevent XSS attacks

Verify that all input validation measures are in place to prevent Cross-Site Scripting (XSS) attacks. XSS attacks occur when an attacker injects malicious scripts into web pages viewed by other users. Implementing proper input validation will help prevent XSS attacks.

Check that all error and warning messages do not disclose sensitive information

Review all error and warning messages displayed on the website to ensure that they do not disclose sensitive information. Error messages that reveal sensitive data can be exploited by attackers. It is important to review and modify error messages to prevent information leakage.

Backup the site

Perform a backup of the entire website before making any updates. This ensures that in case of any issues during the update process, a restore point is available to revert back to. Regular backups are essential for disaster recovery and maintaining the integrity of the website.

Test site functionality after updates

After updating Drupal core, modules, and themes, test the functionality of the website to ensure that everything is working as expected. Testing is crucial to identify any issues or conflicts that may have arisen from the updates and to address them promptly.

Approval: Functionality Test

Test site functionality after updates
Will be submitted

Scan the site for malware

Perform a malware scan on the website to detect any malicious code or files that may have been injected. Malware can compromise website security and user data. Regular scans help identify and remove any malware to maintain the integrity of the website.

Approval: Malware Scan

Scan the site for malware
Will be submitted

Ensure HTTPS is enabled and properly configured

Check if HTTPS is enabled and properly configured on the website. HTTPS encrypts data transmitted between the website and the user's browser, ensuring secure communication. Configuring HTTPS is essential to protect sensitive information and improve overall site security.

Check that all third-party integrations are secure

Review all third-party integrations, such as plugins or APIs, to ensure they are secure. Third-party integrations can introduce security vulnerabilities if not properly implemented or regularly updated. Double-checking their security is crucial for overall website security.

Run a security audit using a trusted security tool

Perform a comprehensive security audit using a trusted security tool to assess the website's overall security posture. A security audit identifies vulnerabilities and recommends remediation actions. Regular security audits are essential for maintaining a robust and secure Drupal website.