Website Security for WordPress and Drupal

This article was originally published exclusively for subscribers to our free weekly newsletter.

Contents

  1. Introduction
  2. WordPress Security
  3. Drupal Security

Introduction

Issues surrounding the security of websites are not always well understood by their owners. What is a “secure” site and what are the dangers if yours does not come up to scratch?

Here are the two most important precautions you must take:

  1. Take regular backups. Whatever bad might happen to your site, whether it’s a server hardware failure, an attack by hackers or a software bug, your chances of a swift recovery will be greatly increased if you take sensible precautions against data loss. That means taking backups. Exactly what needs to be backed up, and how often, will vary depending on the nature of the site, but one rule always holds: keep your data safe and separate. One of the things that distinguishes one hosting service from another is the quality of the backup services available. A question you should ask of any hosting provider is whether it is possible to back up your website automatically to a remote location. They may not offer such a service themselves, but they should not make it impossible.
  2. Use strong passwords. Typically there will be a number of passwords associated with your website: one for your hosting account, another for FTP access, a third for administration of your content management system, and so on. All these passwords should be strong – meaning they should be hard to guess. Check password strength with this handy online tool from Microsoft. Keep your passwords safe. Don’t write them on post-it notes which you stick to your monitor! Consider using a program like KeePass to manage your passwords more safely.
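
An added example, not code from the article, of the "safe and separate" backup described above: it archives the site's files and an optional database dump with a timestamp, records a checksum so a damaged copy is noticed before you need it, copies everything into a destination you point at a second disk or mounted remote share, and prunes old copies. The paths, the dump command and the retention count are assumptions.

```python
"""Added example, not code from the article: a verified, timestamped backup of
a site's files (plus an optional database dump) written to a separate location,
with old copies pruned. Paths, the dump command and the retention count are
assumptions; point dest_dir at a mounted remote share or a second disk."""
import hashlib
import subprocess
import tarfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_site(site_dir: Path, dest_dir: Path, dump_cmd=None, keep=7) -> Path:
    """Archive site_dir and a DB dump into dest_dir; return the archive path."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    archive = dest_dir / f"site-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="files")
        if dump_cmd:  # e.g. ["mysqldump", "--single-transaction", "wordpress"]
            dump = dest_dir / f"db-{stamp}.sql"
            with open(dump, "wb") as out:
                subprocess.run(dump_cmd, stdout=out, check=True)
            tar.add(dump, arcname="db.sql")
            dump.unlink()
    # A checksum beside the archive lets a restore detect a corrupt copy.
    (dest_dir / (archive.name + ".sha256")).write_text(sha256_of(archive) + "\n")
    # Retention: keep only the newest `keep` archives (names sort by timestamp).
    for old in sorted(dest_dir.glob("site-*.tar.gz"))[:-keep]:
        old.unlink()
        (dest_dir / (old.name + ".sha256")).unlink(missing_ok=True)
    return archive


def verify_backup(archive: Path) -> bool:
    """True if the archive matches its recorded checksum and holds the files tree."""
    checksum_file = archive.parent / (archive.name + ".sha256")
    if not checksum_file.exists() or checksum_file.read_text().split()[0] != sha256_of(archive):
        return False
    with tarfile.open(archive, "r:gz") as tar:
        return any(m.name.startswith("files") for m in tar.getmembers())
```

Run it from cron and call verify_backup on the newest archive afterwards; a backup you have never verified is only a hope.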

If your website includes software components such as a blog, guest book, contact form or shopping cart, consider taking professional advice as to the security of your site. Poorly written software may expose your site to attack by hackers. Whether your site is large or small, prominent or obscure, it does not matter: many such attacks are carried out by automatic programs called “bots” which are simply looking for an opportunity to deface web pages or add malicious code to them.

One of the advantages of popular open source programs like Drupal and WordPress is that any weaknesses are generally quickly addressed once found. The downside is that their very popularity makes them a prominent target, which is why the precautions I cover in the following sections are so important.

WordPress Security

A default WordPress installation leaves several security holes open. One area of particular concern is that it exposes information about the software you have installed. Disclosing this makes you more vulnerable, because many automated attacks work by first probing to see whether some particular code is installed and then – if it is – trying an exploit that takes advantage of a known weakness in it.
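
As an added example (not code from the article), here is a check you can run against a page of your own site for two places a default WordPress install discloses its version: the generator meta tag in the page head and the ?ver= query string WordPress appends to the scripts and stylesheets it enqueues. SAMPLE_HTML is a constructed page for illustration.

```python
"""Added example, not code from the article: check a page of your own site for
the two places a default WordPress install discloses its version, the
generator meta tag and the ?ver= query string on enqueued scripts and styles.
SAMPLE_HTML is constructed for illustration."""
import re

TAG_RE = re.compile(r"<(?:meta|script|link)\b[^>]*>", re.I)
VER_RE = re.compile(r"[?&]ver=([^&\"'\s]+)")


def _attr(tag: str, name: str):
    """Value of an attribute in one tag, or None if absent."""
    m = re.search(r"\b" + name + r"\s*=\s*[\"']([^\"']*)[\"']", tag, re.I)
    return m.group(1) if m else None


def find_version_leaks(html: str) -> dict:
    """Return {'generator': ..., 'asset_versions': [...]} for what the page leaks."""
    leaks = {}
    asset_versions = set()
    for tag in TAG_RE.findall(html):
        if tag.lower().startswith("<meta") and (_attr(tag, "name") or "").lower() == "generator":
            leaks["generator"] = _attr(tag, "content")
        url = _attr(tag, "src") or _attr(tag, "href") or ""
        m = VER_RE.search(url)
        if m:
            asset_versions.add(m.group(1))
    if asset_versions:
        leaks["asset_versions"] = sorted(asset_versions)
    return leaks


# Constructed sample of what a stock install's front page head can look like.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 2.7" />
<link rel="stylesheet" href="/wp-content/themes/default/style.css?ver=2.7" />
<script type="text/javascript" src="/wp-includes/js/jquery/jquery.js?ver=1.2.6"></script>
</head><body></body></html>"""
```

An empty result is what you want to see after hardening; in WordPress the generator tag is removed by a theme or plugin calling remove_action('wp_head', 'wp_generator'), and the check is worth re-running after every core or theme update in case something puts it back.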

Here’s some advice about how to strengthen your WordPress site:

  1. Keep your installation up-to-date. WordPress will tell you when new releases become available for the core software and plugins you have installed. To get new security fixes you should always update WordPress to the latest release, and in order to ensure compatibility you’ll often need to upgrade plugins at the same time. Before making an upgrade, take a full backup of all files and the database. The bad news is that sometimes a plugin will fail to upgrade successfully, so there’s always the chance you may need to roll back the update by restoring from your backup before consulting an experienced WordPress technician to find a solution to your upgrade problems.
  2. Install the WP Security Scan plugin. This excellent plugin will identify where the most prominent holes are in your installation’s security and suggest remedies. To take the appropriate corrective actions may require some technical know-how, but can be carried out very quickly by anyone with the right skills.
  3. Install the AskApache Password Protect plugin. This plugin provides a number of measures to protect your installation, although it won’t always work fully in every environment so take a backup before trying each of its many options: handle with care.

Drupal Security

Drupal security is taken very seriously and there’s a team of people dedicated to its continuous improvement. Here are my top tips for making sure your Drupal installation stays safe:

  1. Use the Update Status module. From Drupal 6 onwards this is a core module, but it still needs to be activated. Update Status will tell you when new releases of Drupal and the modules you have installed become available. Since the fixes in new releases may be security-related, this is a very useful tool indeed.
  2. Subscribe to the Drupal security announcements mailing list. Whenever a new security fix is released for the Drupal core or contributed modules, it is announced here.
  3. Check user settings. Go to Administer -> User Management -> User Settings and make sure the settings for user self-registration are appropriate for your needs. Also, go to Administer -> User Management -> Roles and check the permissions for each role very carefully, paying particular attention to the anonymous user and authenticated user roles.
  4. Check input settings. Go to Administer -> Site Configuration -> Input Formats and make sure the settings for input filtering are appropriate for your needs. Never allow anyone who is not a trusted administrator to input PHP or Full HTML, and limit the tags that can be entered by users as much as possible.
  5. Check error reporting. Go to Administer -> Site Configuration -> Error Reporting and ensure that the error reporting setting is “write errors to the log”, NOT “write errors to the log and to the screen”. (The latter setting should only be used during site development.)
  6. Check your logs. Go to Administer -> Logs -> Recent Log Entries every day and look for suspicious entries. Bring any that you find to the attention of your developer or friendly technical expert.
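
An added example, not code from the article, of the daily log review in the last step: a small triage pass over Drupal's "Recent log entries" exported as tab-separated lines of timestamp, type, source IP and message, flagging the two patterns a site owner most needs to pass on (repeated failed logins from one address, and one address requesting many non-existent paths, which is what the automated probing mentioned earlier looks like). SAMPLE_LOG is constructed, and the thresholds are assumptions to tune against your site's normal traffic.

```python
"""Added example, not code from the article: a triage pass over Drupal's
"Recent log entries" exported as tab-separated lines of timestamp, type,
source IP and message. SAMPLE_LOG is constructed; the thresholds are
assumptions to be tuned to your site's normal traffic."""
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2009-03-02 09:12:01\tuser\t203.0.113.7\tLogin attempt failed for admin.
2009-03-02 09:12:03\tuser\t203.0.113.7\tLogin attempt failed for admin.
2009-03-02 09:12:04\tuser\t203.0.113.7\tLogin attempt failed for admin.
2009-03-02 09:12:06\tuser\t203.0.113.7\tLogin attempt failed for admin.
2009-03-02 09:12:07\tuser\t203.0.113.7\tLogin attempt failed for admin.
2009-03-02 09:30:15\tuser\t192.0.2.10\tLogin attempt failed for alice.
2009-03-02 09:31:02\tuser\t192.0.2.10\tSession opened for alice.
2009-03-02 10:05:11\tpage not found\t198.51.100.23\tadmin.php
2009-03-02 10:05:11\tpage not found\t198.51.100.23\tsetup.php
2009-03-02 10:05:12\tpage not found\t198.51.100.23\tinstall/index.php
2009-03-02 10:05:12\tpage not found\t198.51.100.23\told/admin.php
2009-03-02 10:05:13\tpage not found\t198.51.100.23\tbackup.zip
2009-03-02 10:40:00\tpage not found\t192.0.2.44\tabout-us
"""


def parse_entries(text: str):
    """Yield (timestamp, type, ip, message) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            yield tuple(line.split("\t", 3))


def triage(text: str, failed_login_limit=5, not_found_limit=5):
    """Return (finding, ip, count) triples worth showing to your developer."""
    failed_logins = Counter()
    missing_paths = defaultdict(set)
    for _ts, kind, ip, msg in parse_entries(text):
        if kind == "user" and msg.startswith("Login attempt failed"):
            failed_logins[ip] += 1
        elif kind == "page not found":
            missing_paths[ip].add(msg)  # distinct paths, not raw hit count
    findings = []
    for ip, n in failed_logins.items():
        if n >= failed_login_limit:
            findings.append(("repeated failed logins", ip, n))
    for ip, paths in missing_paths.items():
        if len(paths) >= not_found_limit:
            findings.append(("probing for installed software", ip, len(paths)))
    return findings
```

A single mistyped password or one broken link stays below the thresholds, which keeps the daily report short enough that you will actually read it.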

7 Responses to “Website Security for WordPress and Drupal”

  1. AskApache

    I second Saalim, this is much better than most of the “Securing WordPress” articles mass-copied on blogs. Great info, I linked to this post on my site so I hope it gets some more press.

  2. Alfred Armstrong

    Thanks guys. I tried to keep it simple and focus on what’s practical for novices from my own experience. Hopefully that’s made it useful.

  3. thomson2008

    In order to prepare for all the changes I started with the vBulletin. I backed up the database and existing file structure and then pulled down the new package and ran the update script. I have to admit I was a few versions behind and I was starting to get a bad feeling in my bones because the latest changes had been mostly about security. It is not unreasonable to expect that forums of the size in WDS would be a hacker target.
    =========================================
    Thomson
    Social Bookmarking
