Drupal Security Best Practices - A Guide for Governments and Nonprofits

The need for government security has never been higher, but unfortunately decades of bad assumptions have led to many government websites being very vulnerable to attack.

OpenConcept developed this best practices guide to outline important issues to consider when securing your Drupal website. Much of the information required to secure Drupal is common across most web servers, so even if you are not currently using the Drupal CMS, this document may be useful. There is of course a technical element, but many of the principles are things which need to be understood clearly by everyone.

This document is now available under an Attribution-ShareAlike Creative Commons License, and it is my hope that it becomes a living document. There will inevitably be changes and modifications which will need to be made, so please contribute back suggestions.

Security best practices need to be regularly re-evaluated. This document does not include coding best practices, but there are many references included in this document for those looking to learn more.

Mike Gifford is the primary author, with contributions from others at OpenConcept (especially Mike Mallett and Matt Parker) as well as important contributions from the open source community: Michael Richardson, Colan Schwartz, Mack Hardy, Peter Cruickshank, David Norman, Lee Rowlands, David Timothy Strauss, Ben Hosmer, Ursula Pieper, and Jonathan Marcil. This document is evolving but was edited by Lee Hunter.

Image via the Noun Project and Steffen Nørgaard Andersen under a Creative Commons License.