Free resources online for protecting your Drupal site

There are lots of great resources online about how to secure your Drupal site. The site is meant to be one of those resources, but there are also others available elsewhere. Here are some of the best resources available from around the internet with Drupal-specific security information.

Handbooks

The handbooks are probably the most natural place to look and in fact they have three great areas of resources.

  • Writing secure code provides advice about secure code. It can be a bit hard to understand the flow and examples, but this is still a great resource.
  • Secure configuration looks at the non-code aspects of configuring your site.
  • Security team provides insight into the policies and procedures of the Drupal Security Team. It's the policies which are most important to a typical user.

University of Pennsylvania School of Arts and Sciences Pages

The University of Pennsylvania is using Drupal for a lot of different sites. They have been actively reviewing and finding problems in Drupal's contributed modules for over a year now. They are also providing documentation (on their site) about how to secure Drupal.

Some examples:

Nadeau Software Consulting

The Nadeau Software Consulting company provides an extensive online resource in 3 parts. Their advice comes from a strong system administrator perspective about how to secure Drupal within the context of Linux/Apache.


Aside from this blog there are a few other resources on this site:

Other blog sites

Safe string theory for the web by Steven Wittens is a great resource. One final mention is Heine Deelstra's Blog which covers a lot of things but also frequently covers security.

Edited to include more resources from this site and Steven Wittens' site.


I'd also add Steven Wittens' treatise Safe String Theory for the Web as a straightforward and thorough explanation of how to handle strings in various contexts.

The treatise of Wittens' is very helpful for understanding how to handle strings. This blog is also helpful in making Drupal more secure. The XSS cookie issue and Administrator Blocks permissions are only two helpful tips I've come across on here thus far. Kudos, guys!