Securing Drupal Files and Folders (Chmod, Security Review, Hacked)


There are a couple of useful helper modules for Drupal that help you find common security weaknesses: Security Review and Hacked!.

Security Review

The Security Review module automates testing for many of the easy-to-make mistakes that render your site insecure.

Security Review runs the following checks:

  • Safe file system permissions (protecting against arbitrary code execution)
  • Text formats don't allow dangerous tags (protecting against XSS)
  • PHP or JavaScript in content (nodes, comments and, in Drupal 7, fields)
  • Safe error reporting (avoiding information disclosure)
  • Secure private files
  • Only safe upload extensions
  • A large number of database errors (could be a sign of SQLi attempts)
  • A large amount of failed logins (could be a sign of brute-force attempts)
  • Responsible Drupal admin permissions (protecting against access misconfiguration)
  • Username as password (protecting against brute-force)
  • Password included in user emails (avoiding information disclosure)
  • PHP execution (protecting against arbitrary code execution)
  • Base URL set / D8 Trusted hosts (protecting against some phishing attempts)
  • Views access controlled (protecting against information disclosure)

This module does not automatically make changes to your site. You should use the results of the checklist and its resources to manually secure your site. The results of some checks may be incorrect depending on unique factors of your site.

Here are the results showing issues with a Drupal 7 installation:

[Screenshots: Security Review results]

Hacked

This module scans the currently installed Drupal core, contributed modules and themes, re-downloads each of them and determines whether they have been changed. Changes are marked clearly, and if the Diff module is installed then Hacked! will also show you the exact lines that have changed.

This module does not and will not prevent your site from being 'hacked'.

Chmod permissions for files and folders

The Drupal security guide has a section on securing your site with a useful list of items to work through.

There are several approaches to setting file permissions for a Drupal website; the most common is chmod 755 for folders such as sites/default and chmod 644 for public files.

If you are using the Security Review module, you should investigate its findings step by step, but here is an example for securing the public_html folder of your Drupal website:

sudo chmod -R 555 public_html
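As an added example (not part of the original post), the script below applies the 755-for-folders / 644-for-files scheme described above to a Drupal docroot and then reports anything that is still group- or world-writable, which is roughly what Security Review's "safe file system permissions" check looks for. The function names and the small sample tree it builds are constructed for demonstration; run it against a copy before touching a live site.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Drupal project.
# Applies the 755 (directories) / 644 (files) scheme and audits the result.
set -eu

# Apply the permission scheme to the docroot given as $1:
#   directories -> 755 (owner rwx, group/other rx)
#   files       -> 644 (owner rw,  group/other r)
harden_drupal_tree() {
    docroot="$1"
    find "$docroot" -type d -exec chmod 755 {} +
    find "$docroot" -type f -exec chmod 644 {} +
}

# Print every path under $1 that is writable by group or other.
# Returns 1 if any were found, so it can gate a deployment step.
find_world_writable() {
    docroot="$1"
    found=$(find "$docroot" \( -perm -g+w -o -perm -o+w \) -print)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Build a small, constructed Drupal-like tree with deliberately loose modes
# (as a misconfigured site might have) so the functions have something to fix.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/sites/default/files" "$root/modules"
    printf '<?php\n' > "$root/index.php"
    printf '<?php\n' > "$root/sites/default/settings.php"
    chmod 777 "$root/sites/default/files"      # world-writable directory
    chmod 666 "$root/sites/default/settings.php"  # world-writable settings
    printf '%s' "$root"
}

# Usage: DOCROOT=/path/to/public_html sh harden.sh
# With no DOCROOT set, the script demonstrates itself on the sample tree.
if [ "${DOCROOT:-}" = "" ]; then
    DOCROOT=$(make_sample_tree)
fi
echo "Before hardening, writable by group/other:"
find_world_writable "$DOCROOT" || true
harden_drupal_tree "$DOCROOT"
echo "After hardening, writable by group/other:"
find_world_writable "$DOCROOT" && echo "(none)"
```

One caveat a practitioner should keep in mind: Drupal's sites/default/files directory (and the private files path, if configured) must stay writable by the web server user for uploads and caches to work, so on a real site you would exclude that directory from the 755/644 pass or give it a dedicated owner rather than leaving it world-writable.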

Let me know!