What Drupal users must learn from the Panama Papers case?

Security in Drupal

The Panama Papers. It is the largest data leak—of 11.5 million files—that journalists have ever worked with. It has not only threatened the political powers in many parts of the world, but also raised pertinent questions about internet vulnerabilities. If the database of a mighty offshore law firm can be hacked, surely most enterprises have reason to worry.

Although we don’t know for sure how the hackers gained access to the Panama Papers, what’s known is that the law firm’s website was built on Drupal. That’s hardly surprising given that most leading corporations, and even governments across the globe prefer Drupal as the content management system (CMS) to build critical applications and websites.

As one of the biggest developer communities, Drupal’s tough security framework has the power to protect any website from a cyber attack. Yet, hackers sometimes get an upper hand, because of sheer laxity on the part of users. In the case of Panama Papers, for instance, the law firm had failed to update Drupal since 2013.

There’s only so much that even the best of coding standards, dedicated security team and efficient service provider systems can do. Enterprises also need to do their bit to prevent security lapses and internet-bound attacks. Here’s looking at five effective ways to ensure to that the hackers keep away from your Drupal-powered website:

  1. Keep up to date

The best way to ensure sound security of your website is timely upgrade of Drupal to the newest version. It is best not to delay the process as outdated scripts give hackers easy access to your online portal.

Whether it’s upgrading between minor versions or major releases, the security benefits are worth the time and effort needed. However, before you upgrade, always remember to backup your database and put your site into Off-Line mode. Once the upgrade is complete, you can take your site out of Off-line Mode.

  1. Of permits & limits

Often, security breaches boil down to loopholes in administrative control. Set permissions on who can create accounts. Different security privileges can be set for anonymous and authenticated users. You can easily limit access for users, who you may have reservations about. In certain cases, it may be feasible to use FTP to log in securely.

Sometimes, simple steps, like creating a unique ID for administrative control instead of using the default username “admin” when you install a new system, can prevent vulnerabilities. Similarly, refrain from sharing passwords – to be changed on a regular basis – in user emails, as it could compromise on Drupal security.

When it comes to extensions, it’s prudent to limit them, in case you accept uploads on your site. Remove HTML and script files from the permitted file extensions – or consider limited anchor usage to benign tags such as italic or bold text – to ensure that you don’t leave room for malicious scripts to have a field day.

  1. Look before you install

To ensure better management and aesthetic appeal, plugins, modules and programmed themes are often used on websites. However, these add-ons can include malicious coding that can aid a hacker’s way into the system.

That’s not to say that these additions need to be avoided, but that you need to do thorough research before installing any third party add-ons and extensions on your Drupal website. For instance, it’s prudent to ensure that the to-be-installed module is updated so as to maintain the security of your website.

  1. The backup plan

While it’s good to hope for the best, it’s wise to be prepared for the worst. So, get into the habit of making frequent backups that you can upload in case someone manages to hack into your site. 

Every once in a while, install and run the Security Review module to perform a check for common vulnerabilities, allowing you to plug in loopholes, if any, in time. When it comes to malware scanning, always use a reputed service for these regular scans to help deal with tricky situations, if and when the need should arise.

You could also audit your Drupal Security. Certain independent tools can help check the security protocols of your website, giving you vital information on preventing attacks.

Related: 10 ecommerce solutions for your Drupal website

  1. Learn from mistakes

In the cat-and-mouse game between modern security systems and shrewd hacking techniques, there are valuable lessons to be learned. Every mistake – doesn’t have to be your own – exposes a loophole.  

So, discuss cyber attack cases with colleagues working in IT and web application security departments. Read up on the internet about various types of attacks as well as ways to prevent/mitigate the issue. For instance, many enterprises tend to take the security of their hosting environment for granted, without realizing that they need to add firewall settings into the web server and database server augment Drupal security.

The last word

Hackers work in insidious ways. Whether it’s a source of sensitive data, or just a clean IP that can be used to send spam, they are constantly looking to get a toehold into new systems. And even though Drupal has robust security systems in place, enterprises need to be vigilant and proactive to thwart cyber attacks. Because, as they say, better safe than sorry.   

Related whitepaper

Why Migrate to Drupal 8?


Related Reads

How Drupal 8 benefits your business

10 ecommerce solutions for your Drupal website

A Step-By-Step-Guide to Create Custom Modules in Drupal 8

Author : Jisha Krishnan Date : 02 Aug 2017