The need for organizations to understand security has never been higher, but unfortunately decades of bad assumptions have led to many sites being very vulnerable to attack.
OpenConcept developed this best practices guide to provide a starting point when thinking about the security of your website. Much of the information required to secure Drupal is common across most web servers, so even if you are not currently using the Drupal CMS, this document may be useful. There is of course a technical element, but many of the principles are things which need to be understood clearly by everyone.
This document is now available under an Attribution-ShareAlike Creative Commons License, and it is my hope that it becomes a living document. There will inevitably be changes and modifications which will need to be made, so please contribute suggestions back.
Security needs to be regularly re-evaluated. This document does not include coding best practices, but there are many references included in this document for those looking to learn more.
This guide has lots of practical tips for experienced web developers and systems administrators, but also contains information for managers. We've tried to include useful examples of how to implement these best practices. There are lots of links to other resources for people who want to learn more.
In the latest release we've expanded information about Drupal 8, included information about crackers, and highlighted security regulations that you may need to comply with. We've expanded the Drupal section to explain in more detail how to evaluate Drupal modules and themes for security.
You don't need to be a security expert to get value from this document as everyone benefits from having a better understanding of web security.