New website - vulnerable?
Hello all!
I came to the March meeting for the first time knowing I was going to be playing with Drupal in more depth, but didn't realize that less than a week later I'd be starting a new website, http://www.driveslowly.org .
In announcing it to my network, someone I trust with significant hosting experience sent me the following note:
good luck with it!! be careful with that Drupal install you are running the site on. Hope the host has all the security measures in place. Drupal has a tendency to be a worm and hacker target. It's a great CMS ... but it can take a beating from the hackers. Just a heads up. Good luck with it!!
I'm using A2 hosting, and am new to them, so perhaps you can give me some advice on how much I need to worry about this. I'm using the latest stable 5.x version as of last week, but I have comments open on some articles, and am using the Drupal forum, so perhaps I'm exposing myself more than I have on my older Drupal website? My previous website doesn't allow users to register, has no commenting or forum, and I've even removed the drupal meta info from the pages to avoid simple hacking bots. Should I consider some or all of these measures for this site?
Any tips would be appreciated!
Also, if you have time and can critique the website both from a technical standpoint as well as content, I'd appreciate it. If you have contacts that might like learning about it (especially from a Local Interest standpoint), please direct them to http://driveslowly.org/22/press-release or send me information about them so we can make contact. Tagline - DriveSlowly - save Money, Gas, Lives, the Planet.
Thanks again for your time!
-Adam Davis
adavis@ubasics.com
734-484-4444

Adam,
Actually Drupal is pretty secure for the most part compared to a lot of other CMSs out there. They have a pretty good security team, and they post vulnerabilities and updates as soon as they are found (http://drupal.org/security). You could also subscribe to that RSS feed, or use something like RSSfwd (http://www.rssfwd.com/). Something I also recommend, just for checking for updates, is the update status module (http://drupal.org/project/update_status); you can also install the drush module (http://drupal.org/project/drush), which I think makes updating modules a breeze. As for form input or user registration, I would recommend using the captcha module (http://drupal.org/project/captcha), or checking out the new service that Dries (founder of Drupal) just launched (http://mollom.com) for combating spam. As for your other site that doesn't really have input forms, I don't think you have much to worry about. I don't believe Drupal allows PHP variables to be passed via the URL. Your site design looks nice too, very clean design.
-Anthony
Proxous Consulting
http://www.proxous.com
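Anthony's advice above boils down to two habits: follow the security advisory feed, and know which versions of core and contributed modules the site is actually running. The following script is an added example, not code from this thread or from the Drupal project: it parses an RSS advisory feed and reports the advisories that apply to a site's installed components at a release older than the fix. The feed content, advisory ids, component names, version numbers and links are all constructed for the example (the real drupal.org feed titles may be shaped differently, so the title and "Fixed in" patterns are assumptions), and the version comparison assumes the fixed release is on the same branch as the installed one.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample feed. Advisory ids, components, versions and URLs are
# invented for this example and are not real Drupal security advisories.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel>
  <title>Constructed security advisory feed</title>
  <item>
    <title>SA-EXAMPLE-001 - Drupal core - Cross site scripting</title>
    <link>https://example.invalid/sa-example-001</link>
    <description>Affects Drupal 5.x before 5.8. Fixed in 5.8.</description>
  </item>
  <item>
    <title>SA-EXAMPLE-002 - CAPTCHA module - Access bypass</title>
    <link>https://example.invalid/sa-example-002</link>
    <description>Affects captcha 5.x-3.x before 5.x-3.2. Fixed in 5.x-3.2.</description>
  </item>
  <item>
    <title>SA-EXAMPLE-003 - Views module - SQL injection</title>
    <link>https://example.invalid/sa-example-003</link>
    <description>Affects views 5.x-1.x before 5.x-1.7. Fixed in 5.x-1.7.</description>
  </item>
  <item>
    <title>SA-EXAMPLE-004 - Forum module - Information disclosure</title>
    <link>https://example.invalid/sa-example-004</link>
    <description>Affects forum 5.x before 5.6. Fixed in 5.6.</description>
  </item>
</channel></rss>
"""

# Constructed inventory of what the site runs: component -> installed version.
INSTALLED = {"drupal core": "5.7", "captcha": "5.x-3.1", "forum": "5.7"}

# Assumed title shape: "<advisory id> - <component> - <vulnerability type>".
TITLE_RE = re.compile(r"^(SA-[A-Za-z0-9-]+) - (.+?) - (.+)$")
# Assumed description phrasing: "... Fixed in <version>."
FIXED_RE = re.compile(r"Fixed in ([\w.-]+?)\.?$")


def parse_advisories(feed_xml):
    """Return one dict per <item>: advisory id, normalised component, fixed version, link."""
    root = ET.fromstring(feed_xml)
    advisories = []
    for item in root.iter("item"):
        match = TITLE_RE.match(item.findtext("title", "").strip())
        if not match:
            continue  # title is not advisory-shaped; skip rather than guess
        sa_id, component, vuln_type = match.groups()
        component = component.lower()
        if component.endswith(" module"):
            component = component[: -len(" module")]
        fixed = FIXED_RE.search(item.findtext("description", "").strip())
        advisories.append({
            "id": sa_id,
            "component": component,
            "type": vuln_type,
            "fixed_in": fixed.group(1) if fixed else None,
            "link": item.findtext("link", ""),
        })
    return advisories


def release_tuple(version):
    """Comparable release numbers: '5.x-3.1' -> (3, 1), '5.8' -> (5, 8)."""
    release = version.rsplit("-", 1)[-1]
    return tuple(int(p) if p.isdigit() else 0 for p in release.split("."))


def affected_advisories(feed_xml, installed):
    """Advisories for an installed component running a release older than the fix.

    An advisory without a parseable fixed version is flagged conservatively.
    """
    hits = []
    for adv in parse_advisories(feed_xml):
        current = installed.get(adv["component"])
        if current is None:
            continue  # component not installed here
        fixed_in = adv["fixed_in"]
        if fixed_in is None or release_tuple(current) < release_tuple(fixed_in):
            hits.append((adv["id"], adv["component"], current, fixed_in))
    return hits


if __name__ == "__main__":
    for sa_id, component, current, fixed_in in affected_advisories(SAMPLE_FEED, INSTALLED):
        print(f"{sa_id}: {component} {current} installed, fixed in {fixed_in}")
```

In practice the feed text would be fetched from the advisory URL and the inventory would come from the site's own module list; the matching logic is what turns "subscribe to the feed" into a check that tells you whether a given advisory actually applies to your install.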
I wouldn't worry about it.
I wouldn't worry about it. Provided you are keeping your system up to date (you are, aren't you?), then there is no real reason to be afraid of "the system." You keep it from being a home to spam bots by preventing anonymous users from posting pages or messages without first passing a captcha and email verification, but this common-sense tactic applies to every system out there, and remember, the whole point of a permission system is to prevent unauthorized use. Past core, I generally recommend reCAPTCHA for being a well-implemented captcha system that provides rotating challenges (if one is too unreadable) and audio for ADA alternatives.
All things great come under attack.
I don't perceive any real issues with Drupal security.
But do recognize that Drupal is being deployed by people from a wide range of skill level and with varying frequencies of patching.
Sounds like you are doing your due diligence.
I'm convinced Drupal as a community is doing their due diligence.
But we as the gate keepers need to stay ever vigilant.
The more you learn about Drupal the more comfortable you will become with this issue.
http://www.chapterthreellc.com/tags/most_secure_cms
Regards,
Michael Hofmockel
Drupal Expedition Guide
Switchback
Open Source | Open Access | Open Mind