
security

By default Drupal will keep people logged in for 23 days (2000000 seconds) by saving a cookie in their browser. This is nice, but a potential security problem if people are using the site from shared computers.

Consider editing the site's settings.php to have

ini_set('session.cookie_lifetime',  0);

instead of the default

ini_set('session.cookie_lifetime', 2000000);

With the former, the user's login will be forgotten when they close their browser window, even if they forget to log out explicitly.

Drupal comes with a set of TXT files at root level (install instructions, upgrade instructions, etc.). To avoid giving malicious users information about the Drupal version you are running, it is strongly recommended to remove those files.

From the root directory of your installation, remove the following files:

  • CHANGELOG.txt
  • COPYRIGHT.txt
  • INSTALL.mysql.txt
  • INSTALL.pgsql.txt
  • INSTALL.txt
  • LICENSE.txt
  • MAINTAINERS.txt
  • UPGRADE.txt

Whether or not these files contain security-relevant information (such as the Drupal version), they all contain a CVS header that gives very precise version information about your Drupal installation.
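As an added example (not code from the original article), a POSIX shell audit that checks a Drupal docroot for both points above: whether the version-revealing text files are still present (and whether they carry a CVS $Id header), and what value settings.php sets for session.cookie_lifetime. The docroot path argument and the sites/default/settings.php location are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: a read-only audit of a Drupal
# docroot. The file list and the 0 / 2000000 values come from the article; the
# sites/default/settings.php location is an assumption about your layout.

DRUPAL_TXT_FILES="CHANGELOG.txt COPYRIGHT.txt INSTALL.mysql.txt INSTALL.pgsql.txt INSTALL.txt LICENSE.txt MAINTAINERS.txt UPGRADE.txt"

# Report which version-revealing text files still exist under docroot $1.
# Prints "<file> cvs-header" when the file carries a CVS "$Id" line and
# "<file> present" otherwise; returns 1 when at least one file remains.
audit_txt_files() {
    root="$1"; leftover=0
    for f in $DRUPAL_TXT_FILES; do
        path="$root/$f"
        [ -f "$path" ] || continue
        leftover=1
        if grep -q '\$Id' "$path"; then
            echo "$f cvs-header"
        else
            echo "$f present"
        fi
    done
    return $leftover
}

# Extract the session.cookie_lifetime value from the settings.php given as $1.
# Prints the number (empty if not set); returns 0 only when the lifetime is 0,
# i.e. the cookie dies with the browser window as recommended above.
cookie_lifetime() {
    lifetime=$(sed -n "s/^[[:space:]]*ini_set('session.cookie_lifetime',[[:space:]]*\([0-9][0-9]*\));.*/\1/p" "$1" | tail -n 1)
    echo "$lifetime"
    [ "$lifetime" = "0" ]
}

# Usage: sh audit_drupal.sh /path/to/drupal/docroot
if [ -n "$1" ]; then
    audit_txt_files "$1" || echo "remove the files above: they reveal your Drupal version"
    lt=$(cookie_lifetime "$1/sites/default/settings.php") || echo "session.cookie_lifetime is ${lt:-unset}; set it to 0"
fi
```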

It's highly recommended that you protect the user with uid 1, i.e. the one who has life and death rights over your Drupal installation.

Disallow user 1 deletion:

Disable user 1:

  • Be sure to have at least one user (other than uid 1) that has the "administer users" permission from the User module.
  • Log in with this account (again, other than uid 1)
  • Go to Administer > User management > Users
  • Edit user with uid == 1
  • Set Status to Blocked
  • Click Save

Now user 1 can't log in to your website, so there is no longer any risk of password discovery for this account.

Please note that you should check the code of your enabled modules: some of them use user 1 to perform certain tasks, and blocking it could break those modules' features. So use with caution.