Drupal core is very secure by default, but you can unknowingly open vulnerabilities with insecure configuration. An example of this is how allowing anonymous, untrusted users to use any HTML tag in comments opens a cross-site scripting attack vector on your site.
I'd like to introduce the Security Review module, which automatically checks a site for insecure configuration and helps you keep a Drupal site secure. The first release includes the following checks:
- Insecure file system permissions
- Insecure input formats
- Dangerous code in nodes and comments
- Printed errors
- Private files directory not set outside the web root
- Dangerous allowed upload extensions
- Permissions granted to untrusted roles
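As an added illustration (not the module's own code), the following Python script reimplements two of the checks above outside Drupal: whether the private files directory resolves to a location under the web root, and whether anything under the web root is world-writable. The directory tree, the `settings.php` file and the paths it uses are constructed for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path


def private_path_inside_webroot(web_root: str, private_path: str) -> bool:
    """True if the private files directory resolves to the web root or below it."""
    web = Path(web_root).resolve()
    priv = Path(private_path).resolve()
    return priv == web or web in priv.parents


def world_writable_paths(root: str):
    """Return paths under root (relative to it) whose mode grants write to 'other'."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            mode = os.lstat(p).st_mode
            if stat.S_ISLNK(mode):          # symlink modes are not meaningful
                continue
            if mode & stat.S_IWOTH:
                findings.append(os.path.relpath(p, root))
    return sorted(findings)


def run_checks(web_root: str, private_path: str) -> dict:
    """Pass/fail result for the two checks, in the spirit of the module's report."""
    return {
        "private_files_outside_webroot": not private_path_inside_webroot(web_root, private_path),
        "file_permissions": world_writable_paths(web_root) == [],
    }


def demo() -> dict:
    # Constructed sample tree: a web root with a world-writable settings.php
    # and a private files directory placed (wrongly) under the web root.
    tmp = tempfile.mkdtemp()
    web_root = os.path.join(tmp, "htdocs")
    bad_private = os.path.join(web_root, "sites", "default", "files", "private")
    good_private = os.path.join(tmp, "private")
    os.makedirs(bad_private)
    os.makedirs(good_private)
    settings = os.path.join(web_root, "sites", "default", "settings.php")
    open(settings, "w").close()
    os.chmod(settings, 0o666)               # deliberately world-writable
    return {
        "bad": run_checks(web_root, bad_private),
        "good": run_checks(web_root, good_private),
        "world_writable": world_writable_paths(web_root),
    }
```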
Security Review also looks for the common attacks of SQL injection/system probing and brute-force login attempts.
The module reports the result of each check as pass or fail and provides details on an accompanying page. Checks may not be 100% accurate on every system, so any check can be skipped. I often skip the error reporting check while on a development instance of my site. The checks are explained in detail and, where applicable, link to online documentation.
Future plans for the module include popular contrib module checks and notification support. I encourage you to give the module a run on your sites and let me know what you think in the comments!