Resident Server Administrator and all around Linux Guru, Matt Critcher, recently posted an entry on his blog about Drupal Security and PCI compliance. Matt has been running Drupal on his site for a while now and it seems to be working out well for him. I always look to Matt for security issues because he has an enormous knowledgebase between his ears when it comes to that sort of thing.
Making your website secure is one thing, but going the extra mile and making it PCI compliant is another thing. In the past I have recommended PCI Compliance only to our clients that do e-commerce, or gather sensitive client data, but it’s rapidly becoming a buzzword in the industry. I first learned about it in 2006 at a conference we attended in Las Vegas.
My business partners and I even be sure to give us a shout.
This site is running in a CMS called Drupal. It, like most CMS systems, allows users to easily create, edit, and delete content and manage many features of a website. But, like most, it is not without a few security flaws. Me, being a geek, and having more than a passing interest in security, decided to try to make this site a little more secure, and possibly even PCI Compliant.
It is possible to make Drupal PCI Compliant, but it takes a little work. Now, for the record I don’t have nor do I collect data that falls under this standard, but some people do, and some run Drupal. There’s not much information about the subject on the net, so I figure it’s worth writing about. But be warned that there is a trade-off. By default, Drupal is set up to be more convenient for its users. Putting these modifications in place will make you login EVERY time you close your browser window. To me, that’s not a problem. I actually prefer that to be the case. Others, well, you may not like it as much. YMMV.
First thing that you need to do is to force Drupal to use HTTPS for login. There are tutorials all over the net on how to install mod_ssl or Apache-SSL and configure it for HTTPS traffic, which is a pre-requisite for this. There is currently no drupal module that does just this, but you can get around it using .htaccess. In the root of your website, put the following somewhere in the .htaccess file
You can read the rest of Matt’s post here: Making Drupal More Secure | www.mcritch.com