Submitted by expert on 21 November, 2014 - 20:01
Tired of incessant hack attacks on my CMS-based sites (Wordpress, Wikimedia, Drupal), I've finally arrived at a solution which seems to be the best as of now; if you have any better idea, just let me know.
Assumption:
- Almost all hacks will try to land a PHP file in the site directory or in the temp directory and execute it.
- I assume the Apache user is "www-data". On your system it could be your own name or anything else.
- This does not cover running PHP code without actually creating a file on disk, for example running it through MySQL etc.
- My account is on a VPS; if yours is on shared hosting, I'm not sure whether it is risky to use this approach.
Summary of Solution
We will deny permission to create new files within site installation. But wherever this can't be done, we will deny execution of PHP.
In most places the Apache user will have no write/change access, and in sites/default/files, where it must be able to write, we disable execution of PHP code placed in newly created files.
Note: root can be replaced with any other user but it should not have any relationship with the Apache user account.
Steps
- Make the full Drupal installation (files + folders) owned by root with permission 755, except for the temporary directory.
- Give all files/directories in the public files directory (sites/default/files) rwx permission, with owner and group set to the Apache user. Other users get no access or only rx access.
- But every .htaccess in the whole site (even the one in sites/default/files) should be owned by root.root with permission 755.
- The top level of the public files directory (i.e. sites/default/files) should be owned by root with the sticky bit (+t) set, i.e. permission "1777". So you run "chown root.root sites/default/files" and then "chmod 1777 sites/default/files". This disallows anyone other than root from modifying sites/default/files/.htaccess or even removing it, while creation/change of all other files is still allowed within this files directory.
- Place a .htaccess with the code described in https://www.drupal.org/node/615888. Since no directory outside sites/default/files is writable, the only place a hacker can drop code is this directory, and with this .htaccess in place they will not be able to run the PHP code.
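The layout above can be checked after the fact. The following audit script is an added example, not part of the original post; it assumes the owner is root, the Apache user is www-data and the public files directory is sites/default/files (all overridable as arguments), and it needs GNU or BusyBox find/stat.

```shell
#!/bin/sh
# Audit a Drupal tree against the ownership/permission layout described
# above. Assumed defaults: owner "root" and Apache user "www-data", as in
# the post; the public files directory is sites/default/files.
# Requires GNU (or BusyBox) find and stat.

# Print one FINDING line per path in $2 (newline separated) and count them.
report() {
    [ -n "$2" ] || return 0
    printf '%s\n' "$2" | sed "s|^|FINDING: $1: |"
    findings=$((findings + $(printf '%s\n' "$2" | wc -l)))
}

audit_drupal_perms() {
    site_root=${1%/}
    owner=${2:-root}
    apache_user=${3:-www-data}
    files_dir="$site_root/sites/default/files"
    findings=0

    # 1. Top of the public files directory: owned by $owner, mode 1777. The
    #    sticky bit lets www-data create files but not remove root's .htaccess.
    mode=$(stat -c '%U %a' "$files_dir" 2>/dev/null || true)
    [ "$mode" = "$owner 1777" ] || report "files dir must be '$owner 1777', is '$mode'" "$files_dir"

    # 2. Every .htaccess, including the one inside files/, stays $owner/755.
    report ".htaccess not $owner with mode 755" \
        "$(find "$site_root" -name .htaccess \( ! -user "$owner" -o ! -perm 755 \))"

    # 3. Outside files/ nothing is group/world writable or owned by anyone else.
    report "writable or not owned by $owner outside files dir" \
        "$(find "$site_root" -path "$files_dir" -prune -o \
              \( -perm /022 -o ! -user "$owner" \) -print)"

    # 4. Inside files/ everything but .htaccess belongs to the Apache user,
    #    and a PHP file there is a dropped payload worth investigating even
    #    though the .htaccess stops Apache from executing it.
    report "not owned by $apache_user inside files dir" \
        "$(find "$files_dir" -mindepth 1 ! -name .htaccess ! -user "$apache_user")"
    report "PHP file inside files dir" "$(find "$files_dir" -type f -name '*.php')"

    echo "findings: $findings"
    [ "$findings" -le 255 ] || findings=255   # exit status cannot exceed 255
    return "$findings"                        # 0 means the tree matches the layout
}

# Usage: sh audit.sh /var/www/drupal [owner] [apache_user]
if [ $# -gt 0 ]; then audit_drupal_perms "$@"; fi
```

Run it from cron or after deployments; a non-zero exit status means at least one path deviates from the layout, and the FINDING lines say which.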
Other Precautions
- In the user account where your site is located, change the ownership of all top-level directories/files to another user, so that malicious code running with www-data permissions cannot change any of your files such as .bashrc.
- Also deny the Apache user the ability to run cron jobs, which could otherwise let a hacker run any code. I've placed www-data in "/etc/cron.deny".
Note: