When coming up with a security plan for your Drupal website, or any website for that matter, you need to take several key factors into account. These key factors include your server host, server configuration, and authorized users. Typically, the weakest link in that chain is how your authorized users access the server, so first we want to secure access to allow your admins and developers in, but keep hackers out.
Choosing your hosting provider is one of the most important decisions to make when it comes to site security. Your server is your first line of defense. Not all hosts have the options that you need to implement best practices for securing the server itself, let alone websites or other services that will be running on it too.
At Zivtech, we use VPS servers for some hosting solutions for our clients, but we also use specialized hosting solutions such as Pantheon and Acquia when it makes sense. Taking the time to figure out which services your site(s) needs prior to moving to a host will save time later; you won’t need to move to another when you realize they don’t provide the services you really need. It’s the concept of “measure twice and cut once.”
Many shared hosting solutions are set up with cPanel, which typically gives users FTP access to their web server environment by default. FTP is not encrypted like communications over SSH, so configuring sFTP is recommended if that’s all your host allows.
The most secure way to connect to your server is through SSH, which is encrypted from end to end. Most VPS hosting companies give users access to their server through SSH by default, unless you install cPanel or other tools later. When using SSH, it’s much more secure to connect using an SSH key to authenticate with the server instead of a password. Typically, VPS hosts give you access to the root user to start with, so we need to stop authentication with that user as soon as possible.
Forcing SSH key authentication and configuring an authorized_keys file for each authorized user on the server is the best way to keep your server locked down from unauthorized access by malicious users.
Get started by generating an SSH keypair on your local machine. I’m a security geek, so I use 4096-bit keys at this point for added security, but you can also use 2048-bit keys and still be secure at this point.
Below is an example of how you can generate an SSH key if you don’t have one already. The output files will be written to ~/.ssh. Without changing their name, they’ll be ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub. Let’s go ahead and generate our key for our root user now.
ssh-keygen -t rsa -b 4096
After generating your SSH keypair, you’ll want to copy the contents of the ~/.ssh/id_rsa.pub file, as that’s the SSH public key we will be adding to that authorized user’s authorized_keys file. It’s okay to pass this key around in emails, chat programs, and other unencrypted methods of communication; it’s the public key, which can and should be seen by others. The ~/.ssh/id_rsa file, on the other hand, is the private key, which should never be shared through unencrypted methods, and typically should not be seen by anyone but the person who owns it.
File permissions are a huge hole for hackers to gain access if they’re not configured properly. Hosting platforms like Acquia and Pantheon typically handle all these permissions, so there isn’t much to worry about in those environments.
Those running on their on VPS will want to ensure they have the permission for their Drupal codebase, Public Files, and Private Files directories locked down. I’m not going to get into the specifics of file permissions in this post, but there are some great resources on Drupal.org on how to lock down your site’s files.
- Securing file permissions and ownership
- Drupal 7: Setting up the files Directory
- Drupal 8: Security of generated PHP files
There are also some great modules out there to help facilitate secure files on your Drupal site. The File permissions module uses Drush to handle setting your site’s permissions, which could be helpful for those not comfortable with command line. The Security Review module allows you to take a look at various security related settings on your site including file permissions, so that is something I highly recommend running every so often on your sites to make sure everything is still locked down.