Drupal 7 Security Review Module

Welcome to another episode of the Daily Dose of Drupal, I am Shane and today we are going to be talking about the Security Review Module. But first you can follow me on Twitter @smthomas3 or go to codekarate.com, look at my other blog post and Daily Dose of Drupal videos and also sign up for the newsletter.
So let’s talk a little bit about security; obviously if you’re building website you’re probably aware that security is of course important. One thing that the security review module allows you to do is it scans your site and it takes note of potential security issues that may be lurking on your Drupal website.

This isn’t going to catch everything, it’s not a catch all that you can … it’s not something that you can say where you passed all those test so that your site is 100% secured but it does give you a good baseline to at least check over some common security mistakes on a Drupal website.

This may not be something you need to install on every one of your Drupal sites especially after you’ve build quite a few, however if you’re just getting started with Drupal or you’ve never used the module before, it may be worth installing it on a few of your sites so just to take a look at it and at least look over some of the potential error messages.

Another thing to note; just because it does show up an error message, it does not 100% mean that there is a big security problem, it’s just an indicator that there may be something wrong and you should give it some attention. This is going to be a very short episode because it’s a pretty self explanatory module. I just wanted to make you aware of it and show you quickly how it works.

The first step is of course to install the module so I’m going to hop into Drush and download the module, I will come back to my Drupal website here, go to the modules page and I will find the security module and turn it on, I will then click Save and now the next step of course it says you should go to the Permission’s page and if you scroll down to the Security Review section there is an Access Security Page Review permission and it run Security Review Checks Permission.
Generally this is probably going to be only for Administrators or people that are managing the configuration of the site so we’ll go ahead and leave that at the defaults. The next step is to go to this Report’s tab and this is where you’re actually going to find the Security Review link to perform the review, we’re going to first click on the Settings page here; here you select which roles in your site you would consider untrusted.

So it defaults to anonymous and authenticated, it can also select an additional role if I wanted to if they were considered to be untrusted, you can skip specific checks … this would be if you … if one keeps coming up as a red flag here and you’re aware of it and you know that there isn’t actually an issue, you could go ahead and skip it so that it doesn’t keep showing up on the reports, we’ll go ahead and hit Save. There is a very comprehensive Help section here so that’s why this is going to be a quick video because if you have any questions, it’s all pretty much right here.

There’s a lot of information about how to fix the various errors and what you need to do if there’s any issues that popped up, we’re going to the Run and Review and go ahead and click Run Checklist. It’s going to go through a couple things here and as you can see it gave me some results and looks like most of them in here are green and I do have a few issues on this site so the next step would be of course you can see there’s details on each of this, if I go to one of the green ones it just gives you a little bit of information, if I go here to the Error Reporting or the Error Issue it’s going to give me information that in this case I’m displaying errors to my screen and it says he should avoid information disclosure as a form of hardening your site and so I can go to the Alter Error reporting settings, change my error messages to None, click Save.

Now if I come back to my report, a Security Review Report, you can see it’s still flagged here as a potential issue, I will need to then re-run this and you’ll notice now I’m down to 1 and then I just repeat the process for every check that comes up as red and you can look into it, it gives you plenty of information, it’s extremely self explanatory for the most part and if it’s not it has plenty of details on to how you can fix specific errors and security should never be taken lightly on any Drupal website or any website for that matter so this is an important module especially if you haven’t paid much attention to security in the past, it at least can get you started in the right direction of thinking of building a secure Drupal website.

So go ahead and run the module, see if you have any security issues on your site and get them fixed as soon as you can. And that’s it for this time on this episode of the Daily Dose of Drupal; we’ll be back again next time with another exciting episode, thank you for watching.