...
- Avoid allowing users to upload arbitrary files, in type, size, and volume. Limit file uploads to text, common work-related formats, and images.
- Ensure access restrictions are in place to prevent users from viewing or editing arbitrary files.
- HTTPS is required for login; use it whenever possible elsewhere.
- Note that all content created or owned by a user reverts to "anonymous" ownership upon user deletion - meaning anyone can read (and perhaps edit) that content. Block users instead of deleting them, when possible.
- Disable remote login of the root user (user #1), or disable it entirely once administrator access is granted elsewhere.
- Drupal frequently reports major security vulnerabilities. Keep your Drupal installation fully patched and a known-safe backup available at all times.
- Never enable Full HTML comments.
- Disable anonymous account creation and content posting.
- Restrict error reporting. Do not show users notice, warning, or errors directly; instead redirect to a generic Error page (which preferably emails an administrator upon load).
- Consider what data in the site is private, sensitive, protected or regulated. Avoid collecting it, anonymize it, or encrypt it as necessary.
- Drupal secure code and configuration review is available upon request. AppScan automated scans may also help identify potential security concerns. Please consult Information Security for a manual or automated review, preferably during development and test, well ahead of go-live.
Additional guidance and detail
...
:
- http://drupal.org/security - recently reported Drupal vulnerabilities.
- http://drupalsecurityreport.org/ - white paper on Drupal security.