While Acquia does actively monitor global cyber threats and takes appropriate action as needed, we also strongly recommend performing the following actions, especially in the presence of an elevated security threat:
Check for available updates under the Drupal admin console, or by using drush or composer.
Perform a user audit
Ensure permissions are restricted and implemented correctly
Remove any old or unneeded admin or privileged accounts
If a breach or an internal threat has occurred, an attacker or malicious insider may have added user(s) to retain access.
Check for any new or unexpected user accounts
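As an added example (not part of the Acquia documentation), the following audit queries illustrate the user checks above against the Drupal 8+ core schema on MySQL/MariaDB. They assume the standard tables `users_field_data` and `user__roles`, and that the privileged role's machine name is `administrator` (adjust for your site); run them with `drush sql:cli` or any read-only SQL client.

```sql
-- Constructed example: user-audit queries for a Drupal 8+ site database
-- (users_field_data, user__roles) on MySQL/MariaDB.
-- The role machine name 'administrator' is an assumption; check your site's roles.

-- 1. Every account holding the administrator role, with creation and
--    last-access times, so unexpected or long-dormant admins stand out.
SELECT u.uid,
       u.name,
       u.mail,
       u.status,                              -- 1 = active, 0 = blocked
       FROM_UNIXTIME(u.created) AS created_at,
       FROM_UNIXTIME(u.access)  AS last_access
FROM users_field_data u
JOIN user__roles r ON r.entity_id = u.uid
WHERE r.roles_target_id = 'administrator'
  AND u.default_langcode = 1                  -- one row per account, not per translation
ORDER BY u.created DESC;

-- 2. Accounts created in the last 30 days (adjust the window as needed), with
--    their roles. After a suspected breach, compare this list against the
--    accounts you actually expected to be created.
SELECT u.uid, u.name, u.mail, u.status,
       FROM_UNIXTIME(u.created) AS created_at,
       GROUP_CONCAT(r.roles_target_id) AS roles
FROM users_field_data u
LEFT JOIN user__roles r ON r.entity_id = u.uid
WHERE u.created > UNIX_TIMESTAMP() - 30 * 86400
  AND u.default_langcode = 1
GROUP BY u.uid, u.name, u.mail, u.status, u.created
ORDER BY u.created DESC;

-- 3. Active administrator accounts with no access in the last 90 days:
--    candidates for blocking or removal as old or unneeded privileged accounts.
SELECT u.uid, u.name, u.mail, FROM_UNIXTIME(u.access) AS last_access
FROM users_field_data u
JOIN user__roles r ON r.entity_id = u.uid
WHERE r.roles_target_id = 'administrator'
  AND u.status = 1
  AND u.access < UNIX_TIMESTAMP() - 90 * 86400
  AND u.default_langcode = 1
ORDER BY u.access;
```

Any account that appears in these results but is not known to the site owners should be blocked and investigated rather than simply deleted, so that its content and log history remain available.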
Password Checks
Bad passwords are the most common cause of site compromise.
Ensure strong password requirements are enforced. A community contributed module that offers this functionality is Password Policy.
Perform a check for bad passwords. A community contributed module that offers this functionality is Drop the Ripper.
2-Factor Authentication
Enforce 2-factor authentication (especially for admin and/or privileged accounts) to mitigate the threat of compromised passwords.
Review Site Functionality
Check that file uploads are restricted to the intended file extension types (e.g. do not allow .html uploads for an image).
Ensure any sensitive data files are uploaded to secure directories only (e.g. do not place personal data (PII) such as CVs or job applications in public 'files' directories).
Review controls on web forms
Attackers will often target forms that generate outbound emails (e.g. "refer a friend" or "contact-us").
Keep the messages generated from forms generic, so that the form cannot be used to send attacker-supplied content to third parties.
Ensure CAPTCHA controls are used to prevent abuse
Web Application Firewall (WAF)
If a WAF is not already in place, Acquia strongly recommends implementing one.
Edge Protect provides advanced security controls to restrict and block attacker traffic before it reaches the application stack. Common attack methods are identified and blocked automatically. WAFs are extremely effective in mitigating (D)DoS attacks.
Harden Drupal sites against security threats | Acquia Product Documentation