
Drupal Framework

Content Management Framework (CMF) Drupal


Website Website Attacker
Drupal CMF

1. Drupal LAMP (Linux, Apache, MySQL, and PHP/Perl/Python)


Web Server
LAMP version up-to-date ( )
secure version Vulnerability ( )
( ) security release
security update module core
Drupal version
CHANGELOG.txt file

Common Scanning Method Drupal Version


Drupal Installation ( ) Upgrade file

1. install.php
2. CHANGELOG.txt
3. INSTALL.txt
4. INSTALL.mysql.txt
5. INSTALL.pgsql.txt
6. LICENSE.txt
7. MAINTAINERS.txt
8. UPGRADE.txt
2. Secure Communication SSH, sFTP, FTPs HTTPS
Open Source Program
Hack Strong Password
Content Backup
Admin User Strong Password
Password Policy Module Webteam
Harder Password

3. Attacker User Account Brute Force Attack


Unsuccessful Login Attempt
Login IP
Address Permanently ( ) Temporarily Block Login Security
Module Administrator Site

4. Automated Logout Module


Auto L
5. Default Drupal New User Account Create Password
E Plain-Text Password
User Setting Email Template Password Disable

(Administer > Configuration > People > Account settings) in Drupal 7

(Administer > Settings > User) in previous versions


6. Website Upload
Website Malicious Script Run File
Type Structure > Content Types > Manage Fields > Edit File Type
HTML Script File Extension

7. Security Review Module


run Module Common Vulnerability Check
8. Website

Backup and Migrate Module
