Drupal 6 hardening guide

The goal of this page is to build a Drupal 6 hardening guide.

Even though the Drupal community is already quite aware of security, I believe that there are still some steps that everybody could take to make their Drupal site more secure.

1. Remove default unneeded files

Drupal comes with a number of default files which are no longer needed after a successful installation. The locations of these files are well known, since anyone can look them up in the Drupal CVS repository.
The issue with these files is that they usually contain version numbers which potential intruders can use to find out which version of Drupal you are running. The clearest example is the CHANGELOG.txt file: simply requesting this file from a Drupal site reveals directly which version is in use.
If you're not up to date with the latest security updates, potential intruders can then easily find out which vulnerabilities apply to your Drupal site.
Therefore, to make fingerprinting Drupal a bit harder, you should remove the following default files after you have successfully installed Drupal:

  • INSTALL.mysql.txt
  • INSTALL.pgsql.txt
  • INSTALL.sqlite.txt
  • INSTALL.txt
  • LICENSE.txt
  • UPGRADE.txt
  • install.php
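
As an added example that is not part of the original guide, the following POSIX shell script removes the files listed above from a Drupal document root (it also includes CHANGELOG.txt, which the guide names as the clearest version fingerprint), then audits that none of them remain and can optionally confirm over HTTP that the web server no longer serves them. The document root path and the site URL are assumed placeholders; the file list is taken from the guide.

```shell
#!/bin/sh
# Added example, not code from the original guide.
# Removes Drupal 6's version-leaking default files and verifies the result.

# File names from the guide above, plus CHANGELOG.txt which the guide
# cites as the clearest version fingerprint.
DRUPAL_DEFAULT_FILES="CHANGELOG.txt INSTALL.mysql.txt INSTALL.pgsql.txt INSTALL.sqlite.txt INSTALL.txt LICENSE.txt UPGRADE.txt install.php"

# Delete each default file found under the given document root.
# Files that are already absent are skipped; returns 1 if the path is not a directory.
remove_drupal_default_files() {
    docroot="$1"
    if [ ! -d "$docroot" ]; then
        echo "not a directory: $docroot" >&2
        return 1
    fi
    for f in $DRUPAL_DEFAULT_FILES; do
        if [ -f "$docroot/$f" ]; then
            rm -f "$docroot/$f"
            echo "removed $docroot/$f"
        fi
    done
    return 0
}

# Audit the document root: print any default file still present.
# Returns 0 when none remain, 1 otherwise (usable as a post-deploy check).
audit_drupal_default_files() {
    docroot="$1"
    remaining=0
    for f in $DRUPAL_DEFAULT_FILES; do
        if [ -e "$docroot/$f" ]; then
            echo "still present: $docroot/$f"
            remaining=$((remaining + 1))
        fi
    done
    [ "$remaining" -eq 0 ]
}

# Remote verification of your own site: request each default file and report
# those the web server still answers with HTTP 200. Requires curl; the site
# URL (e.g. https://www.example.org) is an assumed placeholder.
check_drupal_default_files_http() {
    site="$1"
    exposed=0
    for f in $DRUPAL_DEFAULT_FILES; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$site/$f")
        if [ "$code" = "200" ]; then
            echo "exposed: $site/$f"
            exposed=$((exposed + 1))
        fi
    done
    [ "$exposed" -eq 0 ]
}

# Usage: sh harden_files.sh /path/to/drupal/docroot
if [ "$#" -ge 1 ]; then
    remove_drupal_default_files "$1"
    audit_drupal_default_files "$1"
fi
```

Running the audit function from a cron job or deployment script catches the common case where an upgrade re-extracts the tarball and silently restores the files you deleted.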

2. Disable unneeded modules

Disable as many modules as you can. If you don't need certain optional core modules (e.g. "Comment", "Color", etc.), then disable them. First of all, it saves processing time when rendering pages, since Drupal needs to perform fewer checks.
Second, if security vulnerabilities are found in one of these modules, you're not at risk. This doesn't mean that you can skip upgrading to the newest release, but at least it gives you some more time to upgrade.
