Drupal Tutorial


Corey
Lead Designer

Check out our new video for Panels





Antonio
Lead Programmer

Must-have Security Modules for Drupal - Part 1

It's hard to tell how truly secure a website is. We consider Drupal very secure in comparison to other content management systems, but it can always be improved. I'm going to go through a handful of modules that I always keep handy and often install. Keep in mind that some module settings, or even whole modules, might not suit a specific project, so use discretion.

CAPTCHA (Module Page)

Most people already know what a CAPTCHA is; this is the primary CAPTCHA module for Drupal. It comes with an image challenge, the familiar kind with swirling, distorted letters, and a math challenge, which asks you to solve a simple problem like "2 + 4 = ___".

You can extend the module to use reCAPTCHA. I think the concept behind reCAPTCHA is pretty awesome; in the project's own words:

reCAPTCHA is a free CAPTCHA service that helps to digitize books, newspapers and old time radio shows. Check out our paper in Science about it (or read more below).

A strong CAPTCHA keeps your registration pages and anonymous comment forms relatively safe from spam bots. Spam bots are relentless: they register and post everywhere they possibly can on your site. The best approach to spam is to layer several hurdles that are easy for a human and hard for an average bot, as opposed to relying on a single "undefeatable" CAPTCHA that not even a human can read.

More spam prevention modules

  • Spam - numerous tools to auto-detect and deal with spam content
  • Antispam - similar to Spam, but using third-party detection services such as Akismet
  • Mollom - provides CAPTCHAs and spam filtering as a hosted service

Login Security (Module Page)

The concept of this module is straightforward: stop anyone from guessing a password, whether manually or by brute force. The settings are flexible; you can block the user account, block the host (IP address) altogether, or both, and have it e-mail you after x failed login attempts. This keeps the guessers at bay. Two things to weigh before turning blocking on: blocking a host can lock out every legitimate user behind a shared NAT or proxy, and blocking an account lets an attacker lock a real user out simply by failing logins against that username, so prefer time-limited blocks plus notification over permanent ones.

Secure Password Hashes (Module Page)

Drupal 6 (like many CMSs of its generation) stores passwords as plain, unsalted MD5 hashes. When an attacker gains access to your database, through an exploit or SQL injection, nine times out of ten the first thing they do is dump the users table.

To keep a stolen table from turning straight into working logins, passwords are not stored in the clear but as the output of a one-way hash function (MD5). If your password is "cool", the stored value is an MD5 hash that looks like b1f4f9a523e36fd969f4573e25af4540. Because the function is one-way, the hash cannot be reversed to recover the password. That stopped attackers only briefly, for two reasons: "cool" always produces the same hash, so anyone can precompute hashes for huge lists of words and passwords (rainbow tables) and simply look up what each stolen hash conceals; and MD5 is so fast that even without a table a modern machine can try hundreds of millions of guesses per second against every hash in the table at once.

phpass, which this module brings to Drupal, fixes both problems. It adds a random salt to each password before hashing, so two users with the same password get different hashes and a precomputed table is useless, and it iterates the hash thousands of times (stretching), so each guess costs the attacker thousands of times more work. Note the terminology: this is hashing, not encryption; there is no key and nothing to decrypt. Drupal 7 core adopted the same phpass-style salted, stretched scheme, so this module is only needed on Drupal 6.
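As an added illustration (not code from the original post, from phpass or from Drupal), the following PHP 7.1+ script contrasts the two approaches: an unsalted MD5 store broken with a precomputed table, and a simplified salted, stretched hash modeled on what phpass does. The stored-string format, the function names and the wordlist are my own assumptions for the demo, not phpass's encoding.

```php
<?php
// Added example, not code from the original post, from phpass or from Drupal.
// Requires PHP 7.1+ (random_bytes, nullable types, hash_equals).

// --- 1. Unsalted MD5, as Drupal 6 core stores it --------------------------

// Same password in, same digest out, every time, on every site.
function md5_store(string $password): string
{
    return md5($password);
}

// A tiny precomputed ("rainbow") table built from a constructed wordlist.
// An attacker builds this once and reuses it against every stolen table.
function build_lookup(array $wordlist): array
{
    $table = array();
    foreach ($wordlist as $word) {
        $table[md5($word)] = $word;
    }
    return $table;
}

// --- 2. Salted, stretched hash in the spirit of phpass ---------------------
// Stored format (my own, not phpass's): $sha512$<log2 iterations>$<salt>$<hex>

function salted_hash(string $password, int $log2_iterations = 15, ?string $salt = null): string
{
    // 8 random bytes per password: two users with the same password now get
    // different hashes, so no table can be computed in advance.
    $salt = $salt ?? bin2hex(random_bytes(8));
    $iterations = 1 << $log2_iterations;

    $digest = hash('sha512', $salt . $password, true);
    for ($i = 0; $i < $iterations; $i++) {
        // Feed the previous digest back in; every guess now costs the
        // attacker $iterations hash computations instead of one.
        $digest = hash('sha512', $digest . $password, true);
    }
    return '$sha512$' . $log2_iterations . '$' . $salt . '$' . bin2hex($digest);
}

function salted_verify(string $password, string $stored): bool
{
    $parts = explode('$', $stored);
    if (count($parts) !== 5 || $parts[1] !== 'sha512') {
        return false;
    }
    $log2 = (int) $parts[2];
    if ($log2 < 4 || $log2 > 31) {
        return false;   // refuse absurd work factors from a tampered row
    }
    // Recompute with the stored salt and cost, then compare in constant time
    // so the comparison's duration does not leak how many bytes matched.
    return hash_equals($stored, salted_hash($password, $log2, $parts[3]));
}

// --- Demo -------------------------------------------------------------------
$wordlist = array('cool', 'password', 'letmein');      // constructed sample
$table    = build_lookup($wordlist);

$leaked = md5_store('cool');
echo "Unsalted MD5 of 'cool':   $leaked\n";
echo "Recovered from table:     " . ($table[$leaked] ?? '(not found)') . "\n";

$row1 = salted_hash('cool');
$row2 = salted_hash('cool');
echo "Salted hash #1:           $row1\n";
echo "Salted hash #2:           $row2\n";
echo "Same password, same hash? " . ($row1 === $row2 ? 'yes' : 'no') . "\n";
echo "Verify 'cool':            " . (salted_verify('cool', $row1) ? 'ok' : 'fail') . "\n";
echo "Verify 'c00l':            " . (salted_verify('c00l', $row1) ? 'ok' : 'fail') . "\n";
```

Run it from the command line with php. The MD5 of "cool" is recovered from the three-word table instantly, while the two salted hashes of the same password differ and can only be checked by recomputing 2^15 rounds with the stored salt. On PHP 5.5 and later, password_hash() and password_verify() (bcrypt) do this job with a vetted implementation; the hand-rolled loop above exists only to make the salt and the stretching visible.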

 

Are there any modules that you know or would like to know about? Share it in the comments!





Antonio
Lead Programmer

[Know a Module #2] Pathauto

Drupal core ships with the Path module. Path provides human-readable URLs for your site, which helps your SEO, your image, and how memorable a URL is. This is an excerpt from Path's project page at Drupal.org:

For example, assume you want to post your resume for potential employers. Without the paths module enabled, the URL to view your resume would be something like yourdomain.com/node/view/26. Using this module, you could create a new URL to your resume such as yourdomain.com/my/resume or yourdomain.com/resume.html.

This module is extremely helpful for SEO, because it lets you put important keywords in the URL of each page, which matters for placing well in search engine listings.

Say you have a post titled "10 jquery slideshow plugins". Without Path it would read yourdomain.com/node/154; nobody wants that, and if you thought it didn't matter, now you know. If you're blogging you want those important words in the URL, and on top of that a reference to the date the article was posted, for example yourdomain.com/blog/02162010/10-jquery-slideshow-plugins. It becomes very tricky to ensure that this pattern is always followed on sites where a lot of content is pushed in, especially by multiple users. Irregular patterns produce irregular results, so the solution is simple: Pathauto.

Pathauto's nature is almost self-explanatory. You create a URL pattern for each content type to ensure that the path for every post is nice and clean. A pattern uses replacement tokens (kindly provided by the Token module), so when you edit the Pathauto pattern for your "article" content type you can enter articles/[mm][dd][yy]/[title-raw], and each time a post is created Pathauto fills in the blanks for you, cleaning punctuation and spaces out of the title along the way.

 





Antonio
Lead Programmer

[Know a Module #1] - Boost

If you are a blogger going for gold and you've chosen Drupal, you probably want to know how to deal with a "Digg spike": when your site hits the front page of digg.com, you get a traffic surge of about 10k hits in an hour.

There's a pretty interesting tool for this problem called static caching, and the concept is simple: take the rendered output of a dynamically generated page and store it as an HTML file. The next time someone hits that page, Boost checks for the cache file and, if it finds one, serves it up and bypasses the database completely.

This is useful especially in Drupal, because it can take at least 90+ queries to generate a page. Multiply that by the number of users at any given moment and, on a shared host, you usually get a server meltdown.

Here's a rough example: your website needs 100 queries to fully load a page. 5000 visitors in one hour is a grand total of 500,000 queries. That gives you an idea of why sites implode and the server throws up all over the place: it's too busy serving one request to serve all the others. On top of that there's Drupal's bootstrapping process, which is CPU- and memory-intensive (running all the PHP scripts costs roughly 10 MB of RAM per bootstrap).

Having learned from this experience, you install Boost. The module stores every page rendered for an anonymous user as an HTML file and uses a special .htaccess file to check for the cached file and serve it without touching Drupal at all: zero database queries and zero PHP. All your memory and CPU go to serving static files, which costs dramatically less than bootstrapping Drupal, a serious improvement. Pages for logged-in users are never cached, which is also what keeps one user's personalized page from being served to everyone else.
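To make the mechanism concrete, here is an added example of a minimal static page cache in PHP. It is not Boost's code: Boost does the "is there a cache file?" check in .htaccess before PHP ever starts, whereas this version does it in PHP so the whole flow fits in one file. The cache directory, the X-Cache header and the stand-in renderer are assumptions; the session-cookie test relies on Drupal's session cookies being named SESS... (or SSESS... over HTTPS).

```php
<?php
// Added example, not Boost's or Drupal's code. Shows the static-cache flow the
// post describes plus the three checks a cache like this must make:
// only anonymous GETs, no path traversal, and atomic file writes.

define('CACHE_ROOT', __DIR__ . '/cache');   // assumed cache directory

// Map a request path to a cache file, refusing anything that could escape
// CACHE_ROOT: ".." segments, null bytes, or characters outside a safe set.
function cache_file_for(string $path): ?string
{
    $path = rawurldecode($path);
    if (strpos($path, "\0") !== false) {
        return null;
    }
    $segments = array();
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..' || !preg_match('/^[A-Za-z0-9._-]+$/', $seg)) {
            return null;
        }
        $segments[] = $seg;
    }
    $dir = CACHE_ROOT . ($segments ? '/' . implode('/', $segments) : '');
    return $dir . '/index.html';
}

// Only anonymous GET requests are cacheable: a Drupal session cookie means
// the page may carry per-user content that must never be stored or shared.
function is_cacheable_request(string $method, array $cookies): bool
{
    if ($method !== 'GET') {
        return false;
    }
    foreach (array_keys($cookies) as $name) {
        if (preg_match('/^S?SESS/', (string) $name)) {
            return false;
        }
    }
    return true;
}

// Serve the cached copy if it exists and is fresh; otherwise render the page
// with $render() and, if the request was cacheable, store the result.
function serve_with_cache(string $method, string $path, array $cookies,
                          callable $render, int $max_age = 3600): string
{
    $file = is_cacheable_request($method, $cookies) ? cache_file_for($path) : null;

    if ($file !== null && is_file($file) && (time() - filemtime($file)) < $max_age) {
        header('X-Cache: HIT');
        return file_get_contents($file);    // no database, no Drupal bootstrap
    }

    $html = $render($path);                 // the expensive, query-heavy part

    if ($file !== null) {
        @mkdir(dirname($file), 0755, true);
        // Write to a temp file, then rename: a concurrent reader never sees a
        // half-written page, because rename() is atomic on the same filesystem.
        $tmp = $file . '.' . uniqid('', true) . '.tmp';
        if (file_put_contents($tmp, $html) !== false) {
            rename($tmp, $file);
        }
        header('X-Cache: MISS');
    }
    return $html;
}

// Usage: wrap the normal page rendering. The renderer below is a constructed
// stand-in; in a real site this is where Drupal bootstraps and runs its queries.
$render = function (string $path): string {
    return "<html><body><h1>Page for " . htmlspecialchars($path) . "</h1>"
         . "<p>Rendered at " . date('c') . "</p></body></html>";
};

$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
$path   = parse_url($_SERVER['REQUEST_URI'] ?? '/blog/post', PHP_URL_PATH) ?: '/';
echo serve_with_cache($method, $path, $_COOKIE, $render);
```

Run it twice from the command line: the first run renders and writes cache/blog/post/index.html, the second returns the file without calling the renderer (the timestamp in the page stops changing). Requests for paths like /../settings.php are never mapped to a file, and any request carrying a session cookie bypasses the cache in both directions.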

Give the Boost module a try, be nice to your server. Boost Module on Drupal.org





Antonio
Lead Programmer

Drupal Features in Cpanel - Cron Jobs

A good number of hosting providers offer cPanel with their hosting accounts. Most users assume there isn't much you can do about cron jobs there, but the opposite is true: it is quite easy to set one up in cPanel, with no need to install the useful (but now unnecessary) Poormanscron module.

To set up a cron job on your cPanel account, log in at www.example.com/cpanel. Scroll all the way down until you see the Cron Jobs icon, go in and select Standard. You'll get a form titled "Entry 1". In the field "Command to run" enter the following:

wget -q -O /dev/null http://www.example.com/cron.php

Replace example.com with your own domain, of course. The -O /dev/null matters: without it wget saves a copy of the response as cron.php, cron.php.1, cron.php.2, and so on in your home directory on every run (a plain > /dev/null only discards wget's standard output, not the downloaded file), and -q keeps cPanel from e-mailing you wget's progress report every hour. To run it hourly, set the minute to 0 and leave the remaining fields on the first option in their lists.

That's it! Save your crontab at the bottom and you're done. One caveat: on Drupal 6, cron.php can be requested by anyone who knows the URL, so a stranger can trigger your cron run at will. If that worries you, restrict access to cron.php to your own server's IP address in .htaccess.





Antonio
Lead Programmer

Protect your site: Flood Control

It's interesting to see how many sites get taken offline for extended periods. The easiest recipe: find a search form or something similar, put it on auto-refresh in 20 different tabs, ask your friends to do the same, and a tiny site goes down. More "advanced" techniques use software that multiplies the number of HTTP requests the attacker can make. No site is safe from a DDoS (Distributed Denial of Service attack) of sufficient magnitude; most major sites on the web (Amazon, eBay, recently Twitter) have suffered one at some point. The most you can do is practice some preventive medicine.

Drupal has an awesome built-in tool for implementing flood protection: two functions that work together to keep track of requests and help you deflect them when there are too many. Say you have a function that handles a request and could potentially be abused this way. The two players are flood_is_allowed() and flood_register_event().

flood_is_allowed() checks how many flood events with a given name have been logged for the caller's IP address within the last hour; the integer you pass it is the maximum number of events you want to allow (400 is just a random figure, use what you think is best). If the maximum has been reached it returns FALSE (hence the ! in front of the call), and you can deal with the request accordingly; otherwise you call flood_register_event() to log the event and move on with execution.

If your project is large enough, a firewall is always better, since it does not have to hit your database for every request, but this approach can be tailored to fit many different scenarios. I'll keep blogging about simple ways to protect your site in your own code and through module usage, so check back soon!
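As an added example (not the post's own snippet and not Drupal core code), here is how the two calls fit together in a Drupal 6 module, using the flood API as documented: flood_is_allowed($name, $threshold) and flood_register_event($name). The module name "mymodule", the event name 'mymodule_search', the threshold of 400 and the search query are assumptions for illustration.

```php
<?php
// Added example, not the snippet from the original post and not Drupal's
// own code. Drupal 6 API: flood_is_allowed($name, $threshold) returns FALSE
// once $threshold events named $name have been logged from the caller's IP
// in the last hour; flood_register_event($name) logs one such event.

/**
 * Implementation of hook_menu(): exposes the search page at /mymodule/search.
 */
function mymodule_menu() {
  $items['mymodule/search'] = array(
    'title' => 'Search',
    'page callback' => 'mymodule_search_page',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Menu callback: a query-heavy page that could be hammered by a flood.
 */
function mymodule_search_page() {
  $keys = isset($_GET['keys']) ? trim($_GET['keys']) : '';

  // Check BEFORE doing any expensive work. 400 per IP per hour is the figure
  // from the post; tune it to your real traffic.
  if (!flood_is_allowed('mymodule_search', 400)) {
    drupal_set_header('HTTP/1.1 403 Forbidden');
    watchdog('mymodule', 'Search flood from %ip blocked.',
             array('%ip' => ip_address()), WATCHDOG_WARNING);
    return t('Too many searches from your address in the last hour. Please try again later.');
  }

  // Under the limit: record this request so it counts toward the threshold,
  // then run the real query.
  flood_register_event('mymodule_search');

  if ($keys === '') {
    return t('Enter a search term.');
  }
  return mymodule_run_search($keys);
}

/**
 * Assumed helper: a deliberately simple title search, capped at 20 rows so
 * that a single request cannot become expensive on its own. The %s
 * placeholder is escaped by db_query_range(); %% is a literal percent sign.
 */
function mymodule_run_search($keys) {
  $sql = db_rewrite_sql("SELECT n.nid, n.title FROM {node} n WHERE n.status = 1 AND n.title LIKE '%%%s%%' ORDER BY n.created DESC");
  $result = db_query_range($sql, $keys, 0, 20);

  $items = array();
  while ($row = db_fetch_object($result)) {
    $items[] = l($row->title, 'node/' . $row->nid);
  }
  if (empty($items)) {
    return t('No results for %keys.', array('%keys' => $keys));
  }
  return theme('item_list', $items);
}
```

Two things to keep in mind when using this pattern: the flood table is keyed by IP address, so everyone behind the same NAT or proxy shares one bucket and can be blocked together, and each flood_is_allowed() call is itself a database query, which is exactly why the post recommends a firewall or web-server rate limit for large sites.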




© Copyright 2010 Bsidestudios.com