Drupal security best practices

With automated bots and hackers constantly searching the internet for sites to attack, keeping your Drupal website safe and secure is vital.

Just as shop owners lock up their physical shop premises, your Drupal website needs to be ‘locked’ and protected against hacking, ransomware infections and other online security threats.

Fortunately, Drupal is one of the most secure CMS platforms available, backed by a global developer community and a dedicated security team with an impressive track record and a robust process for handling security vulnerabilities as they arise. So just using Drupal is a great start in terms of website security.

In this blog, we’ll cover why Drupal security is important and share ten expert Drupal best practices to help keep your site protected.

why Drupal security is important

Without proper security, your organisation could experience:

  • Data breaches
  • Reputational damage
  • Legal implications (e.g. GDPR violations)
  • Costly

Web security is also a search engine ranking factor. Secure websites are prioritised in the search results and therefore more likely to gain organic traffic.

Of course, fixing security issues can be costly too, and the impact of security breaches (such as lost customers and fines) may have even greater financial implications. So Drupal security is vital not just for good digital performance and user trust, but also for your bottom line.

At Pedalo, we specialise in Drupal maintenance and secure Drupal hosting to keep your site safe, fast, and up-to-date.

10 Drupal security best practices

Using our two decades of Drupal experience, we now share the ten best ways to keep your Drupal site secure and protected against online threats…

1. Use HTTPS

Without HTTPS on your website, hackers can interfere in the communications between your site and users/browsers. In fact, HTTPS is so important for website security that Google displays a ‘not secure’ message on HTTP sites to warn users.

It’s completely free – and pretty easy – to transfer your site to HTTPS so there’s no reason not to do it! You just need a Secure Sockets Layer (SSL) certificate, which you can get via Let’s Encrypt or your hosting provider.

Once your SSL certificate is activated, your URL will be HTTPS and a padlock sign will be displayed in the URL bar, thus indicating that all site communications are secure.

Need help? We offer Drupal hosting with HTTPS configuration included.

2. Keep Drupal software up-to-date

Outdated software is a common security vulnerability, so it’s vital to install the latest Drupal core updates as soon as they are available. The same also applies to any modules or themes on your site.

Updates aim to patch security weaknesses and improve overall performance; without them, your site is vulnerable to hacking and security breaches.

We cover the different methods for updating the Drupal core in our ‘Drupal: how to update’ blog. Alternatively, your Drupal agency may cover regular updates as part of their support package.

Read our full guide on how to update Drupal or talk to us about our Drupal maintenance services to ensure your site stays secure.

3. Choose secure Drupal hosting

Having secure hosting is an important element of website security and should always be kept in mind when choosing a hosting provider. Opt for a provider with:

  • Firewall protection
  • Malware scanning
  • Regular backups

Secure hosting is particularly important if you’re on a shared hosting plan, as your site will be vulnerable to attacks made through other sites using the same server.

It’s a good idea to check with your host what security measures they have in place and how they respond to any security issues on their server. If their security procedures are insufficient for your needs, it’s advisable to upgrade your hosting package or switch provider.

If your current setup isn’t cutting it, explore our secure Drupal hosting solutions.

4. Use strong login credentials

Insecure login details and passwords are another common way that Drupal sites are hacked. Access is often gained via brute force attacks, where hackers attempt various username and password combinations until one is successful.

Drupal automatically limits brute force attacks, but choosing strong passwords is another important way to increase site security. It’s also a good idea to avoid obvious usernames such as ‘admin’.

Strong passwords include a combination of letters (both upper and lower case) alongside numbers and symbols. The longer the password, the better – aim for 12-14 characters to keep your site really secure.

For additional security, you might want to set up two-factor authentication (2FA). This means that users have to log in in two stages – first by entering their username and password, and then by providing a one-time passcode.

You can add 2FA to your Drupal site with the Google Authenticator module (you’ll also need to download the related app for passcode generation). However, it’s worth bearing in mind that 2FA isn’t compatible with all Drupal modules and themes, so speak to your Drupal support agency if you encounter any problems.

5. Schedule regular backups

Backing up means making and storing a copy of your Drupal site files and database. These copies can then be used to get your website back online again in case of a security breach or virus.

The more regularly you back up, the less data you’ll lose if your site is ever hacked or infected. It’s worth considering how often you make changes or add new content, and how easy it would be to re-do this work if it was lost – this will help inform how often you should schedule backups.

The simplest way to back up on Drupal is with the Backup and Migrate module. Simply install the module, then tick to enable automatic backups and set your desired frequency in the module’s settings.

Our Drupal maintenance packages include automatic backups for complete peace of mind.

6. Block malicious bots

Automated bots and crawlers are constantly searching for website vulnerabilities to hack or exploit. You can protect your Drupal site against these with various modules:

  • Captcha helps prevent bots from making contact form submissions
  • Honeypot also reduces bot form submissions
  • SpamSpan Filter prevents spambots collecting email addresses from your site

However, it’s also worth blocking bad bots at server level for additional protection. You can do this through your hosting provider or by adding the following code to your .htaccess file:
# Return 403 Forbidden for any request whose User-Agent matches a listed bot token.
# [NC] makes the match case-insensitive; "-" in the rule means no URL rewrite, [F] forbids, [L] stops processing.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "^.*(agent1|Wget|Catall Spider).*$" [NC]
RewriteRule .* - [F,L]

If you add the code yourself, make sure not to block Google’s crawler (Googlebot), or you might find that you suddenly stop seeing any organic traffic!
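Before deploying a user-agent block list it is worth checking which requests it would actually match. The following is an added example, not code from the original post: it mirrors how Apache evaluates the `RewriteCond ... [NC]` pattern above (a case-insensitive regex against the User-Agent header) and flags any pattern that would also catch Googlebot or Bingbot; the user-agent strings are constructed samples, not captured traffic.

```python
"""Pre-deployment check for a .htaccess User-Agent block list.

Mirrors Apache's `RewriteCond %{HTTP_USER_AGENT} <pattern> [NC]`: a
case-insensitive regex match against the User-Agent header. All sample
user-agent strings below are constructed for the example.
"""
import re

# Pattern from the blog's .htaccess snippet; [NC] corresponds to re.IGNORECASE.
PAGE_PATTERN = r"^.*(agent1|Wget|Catall Spider).*$"

# An over-broad pattern someone might write instead: "bot" also matches
# Googlebot and bingbot, which is exactly the mistake the post warns about.
OVERBROAD_PATTERN = r"^.*(bot|Wget|Catall Spider).*$"

# Search crawlers that must never be blocked (organic traffic depends on them).
MUST_ALLOW = {
    "Googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "Bingbot": "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
}

# Constructed sample requests: (label, User-Agent header value).
SAMPLE_REQUESTS = [
    ("browser", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"),
    ("wget", "Wget/1.21.3"),
    ("catall", "Catall Spider/1.0"),
    ("agent1-lower", "agent1 probe"),
] + list(MUST_ALLOW.items())


def is_blocked(pattern: str, user_agent: str) -> bool:
    """True if the RewriteCond would match and the [F] rule would answer 403."""
    return re.match(pattern, user_agent, re.IGNORECASE) is not None


def blocked_labels(pattern: str) -> list[str]:
    """Labels of the sample requests that the pattern would block."""
    return [label for label, ua in SAMPLE_REQUESTS if is_blocked(pattern, ua)]


def check_pattern(pattern: str) -> list[str]:
    """Names of required crawlers the pattern would wrongly block.

    An empty list means the pattern is safe to deploy with respect to MUST_ALLOW.
    """
    return [name for name, ua in MUST_ALLOW.items() if is_blocked(pattern, ua)]


if __name__ == "__main__":
    for name, pattern in (("page pattern", PAGE_PATTERN), ("over-broad", OVERBROAD_PATTERN)):
        print(f"{name}: blocks {blocked_labels(pattern)}")
        collisions = check_pattern(pattern)
        print("  OK" if not collisions else f"  WOULD BLOCK SEARCH CRAWLERS: {collisions}")
```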

For additional protection, block harmful bots at the server level or ask us to handle it via our hosting services.

7. Update user accounts

The more users (and logins) you have for your site, and the greater access and permissions users have, the more your site is at risk of hacking and other security breaches.

The main Drupal role options (in order of decreasing capability to make website changes) are Administrator, Editor and User. However, Drupal’s flexibility means that an unlimited number of different roles and permissions are possible.

As administrators have the greatest permissions in terms of making changes on your Drupal site, this role should be reserved only for the website owner and a limited number of other trustworthy users.

We recommend reviewing your users regularly to ensure that people have the correct permissions. It’s also a good idea to delete user accounts when people stop contributing to your site. You can find out which users are registered and check/update role permissions under ‘People’ in the back-end.

Our Drupal maintenance service includes user audits and security checks to reduce your risk exposure.

8. Clean up your Drupal database

Keeping your Drupal database clean and up-to-date helps reduce the risk of malware and ransomware infections.

We recommend regularly checking your website database and deleting anything that is no longer needed. But make sure you backup first – just in case you accidentally delete something important!

The easiest way to cleanse your Drupal database is with the Clean up module. However, if you’re more technically knowledgeable, you may prefer to use phpMyAdmin instead.

9. Run regular security scans

To keep your site secure, it’s important to scan regularly. You can do this quickly and easily with an online scanner such as Sucuri or Drupal’s Security Review module.

A scan will highlight any possible security errors and vulnerabilities on your site – these should be addressed as soon as possible. If you’re not sure how to resolve any problems, read this great Sucuri informational guide or contact your Drupal agency.

10. Be prepared!

By following our tips above, your Drupal site will be well-protected and secure, but it’s also important to create a disaster recovery plan in case the worst ever happens.

A disaster recovery plan should include details such as: your user account names and passwords; the steps you’d take to resolve any security issues; how you’d inform staff, users and stakeholders; where backups are stored; and any possible data protection or legal implications.

It may be worth asking your Drupal agency to write this for you to ensure it’s comprehensive and technically robust. However, if you’d prefer to draft it yourself, Drupal.org has lots of useful information in this article about how to respond to website hacking.

We can help draft a professional, technical recovery plan through our Drupal support packages.

11. Sign up for Drupal emails

As a final bonus tip, we also recommend signing up to the Drupal security mailing list. This will ensure you stay up-to-date with all of the latest security notifications and announcements.

We hope you enjoyed this blog about Drupal security best practices. For more expert Drupal tips, read our ultimate Drupal optimisation guide which covers everything you need to know about optimising and maintaining your Drupal website.

Want help securing your Drupal site?

With over 20 years of experience, Pedalo is your trusted partner for secure Drupal websites. We offer:

how to do a WordPress website audit (with easy-to-follow checklist)

An audit is a great way to ensure your WordPress site is performing effectively and meeting your company’s goals.

We offer detailed website audits covering everything from code quality, usability, and server configuration to speed, user experience and accessibility, but there are also plenty of simple WordPress audit checks you can do yourself…

why you need a WordPress audit

Is your WordPress website performing at its best?

Conducting a WordPress audit allows you to check how your website is functioning across key criteria, so that you can improve things and make sure you’re achieving the best possible online results for your company.

Our ultimate WordPress optimisation guide covers everything you need to know to get your WordPress site up-to-date, secure and performing brilliantly, but in this blog we focus specifically on what to check in a WordPress website audit.

WordPress website audit checklist

1. Check software & plugin versions

Both WordPress itself and any plugins/themes you use need regular updates to fix bugs, patch security issues, and maintain performance. It’s for these reasons that checking and updating your software version is task one on our WordPress audit checklist!

You can find out whether you’re using the latest version of WordPress in ‘Updates’ in the left-hand menu of your dashboard. This page also shows whether your plugins and themes are up-to-date.

If needed, updating to the latest WordPress and plugin software versions is simple. Just click the relevant ‘update’ button(s). Make sure to back up your site first, just in case anything goes wrong!

2. Check site speed

Speed is a vital component of website performance, with faster sites having better user experience and more conversions. Speed also contributes to search engine performance, with slower sites penalised and appearing lower down on search results pages.

You can check the speed of your WordPress website using Google PageSpeed. You’ll be given scores for desktop and mobile of between 0 and 100 – aim for scores above 90 for optimal performance.

Once you’ve checked your scores, head over to our blog where we’ve got loads of tips to improve your WordPress website speed.

3. Check blogs & content

By adding new blogs and content to your site, you signal to both users and search engines that your website is active, interesting and worth browsing. In the ‘Posts’ section of your WordPress dashboard, you can see when your latest blogs were published, and whether any further articles are scheduled.

How often you should post new content depends on your organisational capacity and goals; you may want to add blogs daily, weekly or monthly. Whatever your aim, we recommend creating a content plan and scheduling posts in advance. Checking your latest content and content strategy should therefore be included as part of your WordPress audit.

It’s also important to keep an eye out for comments on your site. WordPress comments are automatically held in moderation, so check the ‘Comments’ section of your dashboard to see how many comments are currently needing to be checked and published/deleted.

For more tips on optimising your WordPress content, read our Ultimate WordPress Guide.

4. Check WordPress security

It’s vital to scan your WordPress site regularly to check for malware, viruses and suspicious code. Having a hacked or infected site can cause massive problems – both financially and in terms of reputational impact.

We recommend installing the Wordfence plugin, which includes website security hardening, a firewall to block malicious traffic, and a scanner that checks for malware. To scan your site for any security issues, simply go to Wordfence > Scan and click ‘Start new scan’.

If there are any problems, Wordfence will suggest how to fix them and get your site secure again. We’ve also got lots of great advice for optimising WordPress security on our blog.

5. Check for broken links

A broken link is a link to a webpage that doesn’t work. It’s frustrating for users – who will be directed to a 404 error message and may then choose to exit your website – and it’s also a negative signal to search engines.

You should check regularly for broken links with an online tool such as Dr Link Check. If you have any, you can then go to the relevant page and update or remove the link.

We recommend conducting broken link maintenance at least every few months, or more often if you create a lot of content. You may find it helpful to install the WordPress Redirection plugin, so you can set up redirects for any old/changed URLs.

It’s also a good idea to create a friendly 404 error page to keep users happy when they encounter a broken link. If you don’t already have a 404 page, you can create one for your WordPress website with the 404page plugin.

6. Check functionality

Your WordPress audit should include checking your website’s design and functionality. This can be done simply and easily by looking through your site and testing any interactive features, such as buttons and contact forms.

Giving your site this type of ‘once-over’ will highlight if there are any code, formatting, design or operational issues that need to be investigated and/or fixed. For more details on getting your WordPress site performing optimally, read our Ultimate WordPress Maintenance Guide or contact your WordPress agency.

7. Review analytics

You can track your site’s analytics simply and easily with a Google Analytics plugin such as MonsterInsights. Once installed, just go to Insights > Reports in your WordPress back-end to see your site data.

As part of your site audit, you should review your analytics and consider what’s working well and what isn’t. For example, which are the most popular website pages, and which are the least popular?

Once you have this information, you can then make data-driven edits on your WordPress website to optimise performance.

8. Check SEO performance

It’s a good idea to give your site an SEO health check as part of your WordPress audit. You can do this using the free Ubersuggest SEO analyser or with various other, similar online tools.

On Ubersuggest, just type in your URL, select your language/country and click ‘Search’. A report will be generated showing your organic traffic levels, domain score and number of organic keywords – it’s worth recording this as part of your audit and then trying to improve your SEO stats over time.

If you go to the ‘Site Audit’ section in the left-hand menu, you’ll then see a more detailed SEO health-check for your site. This includes a list of issues needing attention, such as pages with low word-counts and poorly-formatted URLs.

To improve your site’s search engine performance, fix these issues and also read our Ultimate WordPress Maintenance Guide which includes loads more WordPress SEO tips.

9. Check mobile compatibility

There are two great tests you can use to check how your site functions across different screen sizes and devices – the Responsive Test and Google’s Mobile-Friendly Test. Together, these give a great insight into how your WordPress site appears on smaller screen sizes and whether you’re meeting mobile browsers’ needs.

If necessary, you can then improve your site’s mobile compatibility using the advice in our WordPress Optimisation Guide.

10. Check your database

The more you update your site, the more your database becomes clogged-up with old content, deleted comments, unused plugins and more. It’s therefore worth looking through your database to see what is there and check for surplus items as part of your WordPress audit.

To keep your database tidy, you can schedule automatic database clean-ups with a plugin such as WP-Sweep. It’s also a good idea to go through your plugins regularly (in ‘Plugins’ on the WordPress dashboard) and delete any that are no longer needed.

11. Check backups

It’s vital to back up your website regularly, so that if you get hacked, infected with ransomware or encounter any other major problem(s), you can get your site online again quickly.

As part of your audit, you should check and verify your site backups. Make sure that all relevant data is being stored, that backup copies are being saved securely in different locations, and that files are not corrupted. This will ensure you have the best chance of being able to reinstate your site if disaster ever happens.

It’s also worth checking your backup schedule – the more regularly you back up, the less data you’ll lose if you need to revert to a backup version. Check that backups are being made frequently enough for your needs, and also that they are scheduled to take place during low-traffic periods when they’ll have the least impact on site speed and user experience.

Site backups are often included as part of your WordPress agency’s services or hosting package. Alternatively, they can be easily managed with a backup plugin such as BackupBuddy.

12. Check user accounts & passwords

WordPress allows you to add different types of users to your site, each with different permissions to make edits and changes.

As user profiles can pose a security risk, it’s a good idea to review your site users as part of your audit and check that people have only the level of permissions required. This can be done in the ‘Users’ section of your WordPress dashboard.

It’s also a good idea to update and make a note of user passwords as part of your audit. Make sure to choose strong passwords, including a random combination of letters, numbers and symbols.

13. Check accessibility

With a fifth of the population experiencing a long-term disability and UK law stating that services (including websites) must be accessible for everyone, it’s vital to check how accessible your site is.

As part of your audit, we recommend evaluating your website’s accessibility with Wave or another, similar tool. If your site needs improvements to increase accessibility, ask your WordPress agency for advice.

14. Review admin tasks

Finally, your audit should include a review of the general, less frequent admin tasks required as part of website management and maintenance. We suggest checking:

  • Domain renewal: Most websites require regular domain name renewal, so make sure this is on your audit checklist. Domain renewal can be done either directly with your domain provider or through your WordPress support agency.
  • Disaster recovery: A disaster recovery plan details exactly what you would do if your site crashed or encountered a security problem. Make sure your plan is up-to-date with the latest legal requirements, website details and organisational procedures.
  • Hosting provider: Most hosting packages renew annually, so it’s a good idea to review whether your current hosting provider is meeting your needs. Factors to consider include speed, security, reliability, hosting type and cost.
  • SSL certificate: To keep your site secure, your SSL (Secure Sockets Layer) certificate needs to be renewed every two years. This can be done via your hosting provider or Let’s Encrypt.

Phew – your WordPress audit is complete!

This will give you a great overview of how your WordPress site is functioning and any areas that need improvement or maintenance. To action these, read our ultimate WordPress optimisation guide, where we explain everything you need to know about improving and optimising your WordPress website.

Alternatively, if you’d like expert WordPress website management or a more detailed audit of your website’s current performance, please get in touch and we’ll be happy to help.

how to choose a website agency

Anyone can build a website, but if you want to maximise success online, you need an expert website agency to support you and optimise results.

As it’s a new year, now is the perfect time to review your current web agency and consider whether it’s meeting your needs.

With hundreds of agencies to choose from, it can be hard to know which one is right for you. In this blog, we cover the key factors to consider to ensure you make the best possible choice…

1. expertise

Does the agency specialise in your website’s CMS, whether that’s WordPress, Umbraco, Drupal or something else?

This is vital to ensure the agency knows the most effective ways to keep your site up-to-date, optimise performance, add functionality and maximise security.

At Pedalo, we specialise in Drupal and WordPress. Our developers live and breathe these software packages and regularly contribute to the open source community.

2. client list

Who are the agency’s current clients? Do they have clients with similar needs to yours in terms of:

  • size of organisation?
  • sector / business area?
  • website functionality?
  • budget?
  • technical knowledge?

And, most importantly, are the agency’s clients satisfied with the service received? It’s usually a good idea to ask for testimonials, reviews and/or case studies.

At Pedalo, we’re proud to have a wide range of happy clients including World Cancer Research Fund, the National Film and Television School, Ten Health and Fitness, Anti-Slavery International and many more.

3. chemistry

Is the agency enthusiastic about its clients and their sites? Do they seem passionate about your particular website, and how they can add value and improve results?

Do you get along with the agency’s team? Are you able to ask questions and do you have confidence in the answers and advice given?

At Pedalo, we create genuine digital partnerships with clients and are passionate about making clients’ websites as successful and effective as possible. We love working collaboratively, and always tailor our services to each client’s unique needs.

With our flexible on-demand services, we rely on the quality of our work and customer care to keep clients coming back, with most clients partnering with us for years and undertaking multiple projects.

4. working style

How does the agency work? Aspects to consider include:

  • how they share timelines and work in progress
  • how and when you can contact them or ask questions
  • whether they offer project development only or ongoing support and maintenance
  • how your budget is spent

At Pedalo, we give clients access to Trello software to log all website issues and requirements. We then regularly respond and update on progress, so that work status and costs are always up-to-date and transparent.

We’re also passionate about providing ongoing support and optimisation for websites. As well as meeting any initial requirements (such as building/designing a website), we offer expert ongoing support to keep things up-to-date, secure and functioning optimally.

5. track record

How long has the agency been working? There are new web agencies popping up all the time, but longevity is one of the best signs of successful working practices, high-quality services and happy clients.

Pedalo was founded in 2000 and we’re still going strong more than two decades later! We’re proud to have worked with hundreds of satisfied clients and delivered numerous business-enhancing results.

6. value for money

This is not just about cost, but also the value for money and the value of peace of mind.

A highly experienced agency may charge a higher hourly rate but is likely to perform work more quickly and anticipate potential problems in advance, thus saving vital time, money and energy in the long-run.

At Pedalo, we have the added cost-effectiveness of offering our website services on-demand, so you pay for exactly what you need, when you need it. This gives clients more flexibility and control than paying a monthly retainer.

We hope that by considering these key factors, you’ll find a website agency that is just right for you!

If you’d like more information about Pedalo’s on-demand website agency services, please give us a call – we’re always happy to chat.