Tips on Drupal setup, security, and maintenance

Below is a small collection of tips for Drupal, mostly centered around security and maintenance.

File Permissions and Ownership

Get familiar with your hosting environment and use this guide from to set up the correct file permissions and ownership. Not only is this important for the site to function properly, but it can also prevent many security exploits.

The basic concept is to make sure that the web server only has “write” permissions in the file folder(s), and only has “read” permissions for everything else. This can stop certain exploits that would allow unauthorized users to create or modify files on the site.

The infamous 2014 Drupalgeddon exploit allowed hackers to execute arbitrary PHP code, which could then be used to create or modify site files, but with correct file permissions and ownership your site would be protected from this part of the exploit. Drupalgeddon also allowed for SQL injection attacks, so you will still need to stay vigilant with Drupal updates and patches.
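A read-only audit of that layout, added here as an example and not taken from the original post. It assumes files are owned by a deploy account and the web server reaches them through the group, and that the file folder(s) live at sites/*/files; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: audit a Drupal tree for the permission layout described above.
# Assumption: a deploy account owns the files and the web server gets access
# through the group, so group/other write bits show what it could modify.

# Print every path outside sites/<site>/files that is group- or world-writable.
writable_outside_files() {
  local root="${1%/}"
  find "$root" ! -type l \( -perm -020 -o -perm -002 \) -print |
    awk -v r="$root/" '{ p = substr($0, length(r) + 1) }
                       p !~ "^sites/[^/]+/files(/|$)"'
}

# Print every sites/<site>/files directory the group cannot write to
# (uploads and generated files would fail there).
unwritable_files_dirs() {
  local root="${1%/}" dir
  for dir in "$root"/sites/*/files; do
    [ -d "$dir" ] || continue
    [ -n "$(find -H "$dir" -maxdepth 0 -perm -020)" ] || printf '%s\n' "$dir"
  done
}

# Return 0 when the layout matches, 1 when anything needs fixing.
audit_drupal_perms() {
  local root="$1" bad missing status=0
  bad="$(writable_outside_files "$root")"
  missing="$(unwritable_files_dirs "$root")"
  if [ -n "$bad" ]; then
    printf 'Writable outside the file folder(s):\n%s\n' "$bad"
    status=1
  fi
  if [ -n "$missing" ]; then
    printf 'File folder(s) not writable by the web server group:\n%s\n' "$missing"
    status=1
  fi
  return "$status"
}
```

Call it as audit_drupal_perms followed by the path to your Drupal root; it only reads metadata and changes nothing. A directory named "files" elsewhere in the tree, such as inside a module, is still checked.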


Being able to quickly get an overview of your site's current security setup is very helpful, and the Security Review module can check your site against the best security practices for Drupal and give you suggestions. Note: you may have a unique hosting situation, and some of the suggestions may not be applicable to your site.

What if you already have a site up and running? The Site Audit module can be used to provide suggestions for setup like the Security Review module, but it will also perform a few scans for common exploits that may be hidden on the site / database. For example, the Menu Router table is commonly used to add exploits to a site. The module install is a bit more involved than normal, but it’s well worth the effort.

The Hacked module has a pretty scary name, but is also a great resource for checking your site. This module will download fresh copies of your Drupal files and modules and then compare them with your site to make sure there haven’t been any unauthorized changes. This can also be very helpful if you are trying to figure out whether there have been any custom modifications to a module.


Updating Drupal and its modules can be a real pain, and that’s where Drush can help. This is a command-line tool for Drupal sites that can do many common tasks such as clearing all the caches, resetting user accounts, upgrading modules, and much more.

If your host allows terminal access (SSH), it is well worth the effort to learn Drush just for its upgrading function. The command “drush up” will look for updates, automatically download them, make a backup copy of the previous module, install the upgraded module, and then run any database upgrades that may be pending. The best part is that if there were to be an error during this process, Drush will roll back the changes and let you know what happened.

Another small benefit is the ability to “lock” modules, which will make Drush skip these modules when upgrading. This can be very helpful if you are having to use a modified contributed module, and don’t want to accidentally overwrite the modification when updating.

Helpful commands

drush cc all: Clear all caches.
drush up: Update Drupal Core and modules. The command won't upgrade modules to a different point release (1.x to 2.x).
drush up module: Update a specific module; use “drupal” as the module name to upgrade Drupal Core.
drush updb: Run any pending database updates.
drush dl module --select: Allows you to download a specific version of a module (using the --select option). Useful for upgrading modules to a newer point release (1.x to 2.x).
drush en module: Enable a module.
drush dis module: Disable a module.
drush uli uid: Get the one-time login link for a user; use “drush uli” on its own for the main admin account.


by Scott Friday

Posted: July 14, 2016