How To Keep Your Drupal Site Secure
As of 2014 there are close to a billion websites on the internet. It's believed that about 1% of all websites are infected or hacked. If that's true that would mean there are around 10 million websites that are hacked or infected.
If you're using Drupal it's a pretty amazing piece of software. However, it is really only secure if someone in your company or on your development team is performing routine maintenance. Routine maintenance includes things like:
- Upgrading the Software
- Plugging Security Vulnerabilities
- Running Offsite Backups
If you don't have someone like this on retainer - you should seriously consider at least once a year hiring someone to perform this maintenance tasks. Otherwise it's quite likely that you could be one of the unlucky 10 million websites that are randomly targeted and unpleasantly surprised one day when your site is not loading or worse redirects users to some Russian or Chinese pharmaceutical website.
Even if you take proactive steps to keep your site secure (when it comes to security) you never really eliminate the risk of becoming compromised - you can only hope to reduce the likelihood you will be a victim and have a good plan in place for minimizing the damage.
What Sites Get Hacked
Any site can get hacked - fortune 500's to small local mom and pop businesses. It often comes down to the same reason. As a general rule security is only something we institute after we experience a loss due to a lack of proactive security.
In real life people leave doors unlocked all the time both at home and at the work place. People tend to have a similar attitude toward security online. They use weak passwords and allow too many people access to areas and software that should be a more thoughtfully scrutinized.
How Can A Site Get Hacked
Websites can get hacked through any of the following:
- Software vulnerabilities
- Any of the points of access
- 3rd party software integrations
- Social engineering
Software vulnerabilities
If you're using Drupal the only way to minimize your software vulnerabilities are to make proactive software upgrades when there are new version releases and to patch known security vulnerabilities with 24 hours.
Otherwise, your software could be exploited by anyone interested.
Points of Access
There are various points of access to your digital assets. Here are a few you should consider and make sure they are secure with limited users:
- Hosting panel
- Server (FTP, SFTP, SSH)
- Drupal CMS
- Personal computer
- Social media accounts
3rd Party Software
As more and more organizations demand seamless communication between their difference software systems and partners - 3rd party integrations and services have become commonplace. They are specially popular in the highly extensible Content Management Systems (CMS) Drupal (Wordpress, Joomla and other popular CMS's as well).
Since we don't control the 3rd party software there is a chance it could become compromised.
Social Engineering
There are a few different forms, but essentially social engineering is a term used for malicious activities that are achieved through real life human interactions. It's based on psychological machinations to trick users into giving away sensitive information.
In translation it could be someone talking to you or your staff while working remotely in a Starbucks all the while unaware that this seemingly harmless individual is stealing sensitive information.
How to Tell If My Site Has Been Hacked
There are a few ways:
- downforeveryoneorjustme - is a great resource to confirm if your site is actually down or if it is just your internet. It won't tell you if the site has been hacked just if the site is down.
- Google's Safe Browsing Status - This resource can check to see if your site has been compromised.
- Google's Search Console - This can give you real time reports and notifications if Google sees any malicious activity on your website.
How to Fix A Hacked Website
This is where backups become an invaluable asset.
Google and other online resources provide a lot of great tips for how to clean up a hacked site, but the quickest way to restore your website is to restore it from a recent backup.
Establish a process with your IT team, your web development team, your hosting company or whoever is involved with the management of your website and make sure that someone is performing regular offsite backups. If you want to test one of the backups that might not be a bad idea either.
As long as someone has been making regular backups - restoring the website should be as easy as a few clicks.
How to Reduce the Likelihood of a Hack in the Future
- Update your CMS: Male sure your CMS is on the most up to date version of the software.
- Limit Access: Limit administrative access. The fewer hands in the cookie jar means fewer points of failure.
- Offsite Backups: Make and store regular offsite backups. Or host your website with a company that does this by default. Maybe even try to restore your website from one of their backups so you know the backups are good.
- Real Time Monitoring: Register your site with Google Search Console. This may not keep your site from getting hacked, but you'll be notified as soon as something malicious might be happening and hopefully you can resolve it quickly. (If you don't have a Google account you'll need to create one).
If you employ these practices your site can still get hacked, but as long as you make sure your site is getting regular backups a hack won't be the end of the world because you'll have taken some proactive precautions and you'll be able to restore your website without missing a beat.
Has your site been hacked and you don't have a plan?