
Tuesday, April 22, 2014

84. Steps for launching a Drupal site?

Performance

· Go to Site Configuration -> Performance and, within the Cache area, enable "Cache pages for anonymous users" and "Cache blocks" by ticking the checkboxes if they are not already ticked.
· Within Bandwidth Optimization, enable "Compress cached pages", "Aggregate and compress CSS files", and "Aggregate JavaScript files".
· Turn off unnecessary modules, such as Devel.


User Interaction

· Protect your forms against spam and attacks.
· What kinds of forms are anonymous and authenticated users able to access on your site?
· Have you enabled CAPTCHA, reCAPTCHA, or an anti-spam service such as Mollom?
· Email: Verify that the site email address in /admin/config/system/site-information is not a test address. Also verify the email addresses used by other modules that send notifications, and check the text of the email messages your site generates.
· Index your site for search on the search settings page and test the results.


Domain

· Check that one of the domain redirect options is enabled in the .htaccess file: either redirect URLs without www. to the www. version, or vice versa.


Web Services

· Update API keys for modules that make use of them, such as Mollom, Twitter, or Google Apps.


Security

· Check that your admin passwords are strong.
· Upgrade Drupal core and contrib modules to the latest versions.
· Turn off on-screen error reporting at admin/config/development/logging (admin/settings/error-reporting for Drupal 6).
· On the Permissions page, verify which permissions anonymous and authenticated users have been given.
· On the User Settings page, verify that the account creation settings are as you intend (can users create their own accounts, and do they need approval?).
· Check Reports > Status report and make sure there are no warnings or errors.


Backups and Maintenance

· Cron - If cron is not running, your database will become bloated.
· Backups - Regular database backups are essential. See the Backing up and migrating section for more information.
· Statistics - You'll want to monitor your site going forward. Do you plan to use Drupal core statistics, or have you set up another service such as Google Analytics?
· Check Reports > Recent log entries for errors and warnings, such as missing files or URLs. Check that there are no red flags in the Status report.


Quality Assurance

· Remove test content, such as "lorem ipsum" text, dummy users, or content generated by the Devel module.
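Most of the checks above can be scripted so they are run the same way before every launch. The following is an added example, not code from the original post: a Drupal 7 audit script meant to be run with `drush php-script` from the site root. It uses only Drupal 7 core API (`variable_get()`, `module_exists()`, `user_role_permissions()`, `system_status()`) plus Drush's `drush_print()`; the file name, the test-address pattern and the list of permissions treated as risky for anonymous users are assumptions.

```php
<?php
// launch_audit.php (hypothetical name): run with `drush php-script launch_audit.php`.
// Collects findings for each checklist area; an empty list means nothing to fix.
$findings = array();

// Performance: page cache, block cache, compression and aggregation (Drupal 7 variables).
if (!variable_get('cache', 0))               { $findings[] = 'Page cache for anonymous users is off'; }
if (!variable_get('block_cache', 0))         { $findings[] = 'Block cache is off'; }
if (!variable_get('page_compression', TRUE)) { $findings[] = 'Compression of cached pages is off'; }
if (!variable_get('preprocess_css', FALSE))  { $findings[] = 'CSS aggregation is off'; }
if (!variable_get('preprocess_js', FALSE))   { $findings[] = 'JavaScript aggregation is off'; }
if (module_exists('devel'))                  { $findings[] = 'Devel module is still enabled'; }

// User interaction: the site email must not be a test address (pattern is an assumption).
$mail = variable_get('site_mail', ini_get('sendmail_from'));
if (preg_match('/(test|example\.com|localhost)/i', $mail)) {
  $findings[] = "Site email looks like a test address: $mail";
}

// Security: on-screen errors, account creation policy, anonymous permissions, status report.
if (variable_get('error_level', ERROR_REPORTING_DISPLAY_ALL) != ERROR_REPORTING_HIDE) {
  $findings[] = 'Errors are shown on screen (admin/config/development/logging)';
}
if (variable_get('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL) == USER_REGISTER_VISITORS) {
  $findings[] = 'Visitors can create accounts without approval; confirm this is intended';
}
$risky = array('administer nodes', 'administer users', 'administer permissions',
               'administer site configuration', 'bypass node access', 'access devel information');
$perms = user_role_permissions(array(DRUPAL_ANONYMOUS_RID => 'anonymous user'));
foreach (array_intersect($risky, array_keys($perms[DRUPAL_ANONYMOUS_RID])) as $p) {
  $findings[] = "Anonymous users have the '$p' permission";
}
module_load_include('inc', 'system', 'system.admin');
if (system_status(TRUE)) {   // TRUE when any hook_requirements() reports REQUIREMENT_ERROR
  $findings[] = 'Status report contains errors (admin/reports/status)';
}

// Backups and maintenance: cron should have run within the last day.
if (REQUEST_TIME - variable_get('cron_last', 0) > 86400) {
  $findings[] = 'Cron has not run in the last 24 hours';
}

// Quality assurance: leftover placeholder content, matched by title.
$dummy = db_query("SELECT COUNT(*) FROM {node} WHERE title LIKE :a OR title LIKE :b",
                  array(':a' => '%lorem ipsum%', ':b' => '%lorum ipsum%'))->fetchField();
if ($dummy > 0) { $findings[] = "$dummy node(s) still carry lorem ipsum titles"; }

// Report: one line per finding, in the same order as the checklist sections.
if (empty($findings)) { drush_print('Launch audit: no findings'); }
foreach ($findings as $f) { drush_print('[ ] ' . $f); }
```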


Monday, April 21, 2014

75. Explain the security features of Drupal?

Drupal has a very good track record in terms of security, and has an organized process for investigating, verifying, and publishing possible security problems.
Drupal's security team is constantly working with the community to address security issues as they arise. More information about this process can be found in that section of the handbook.
Anyone using Drupal should subscribe to the security mailing list (by editing your account profile) in order to automatically keep up to date with the latest security advisories of all types (see below).


Is open source software secure?

The short answer is that open source software is as secure or more secure (in general) than commercial software. A good summary of the relevant issues can be found in this article from IBM: The security implications of open source software. The increased security of using open source was cited as one reason the White House switched to Drupal.


How Drupal Addresses Common Security Vulnerabilities

Drupal's API and default configuration are designed to be secure when used in their default modes. Issues like Injection, Cross Site Scripting, Session Management, Cross Site Request Forgeries, and others all have standard solutions in the Drupal API. For a more detailed review of the topic please read the Drupal Security Report.
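What "standard solutions in the Drupal API" looks like in practice, as an added example that is not from the original post or from Drupal itself: a small Drupal 7 custom module (hypothetical machine name `launchcheck`) that routes user input through the core API so that injection, XSS and CSRF are handled by the framework rather than by hand. All functions used (`db_query()`, `db_like()`, `check_plain()`, `t()`, `l()`, `drupal_get_form()`, `watchdog()`) are Drupal 7 core; the menu path and form are assumptions.

```php
<?php
// launchcheck.module (hypothetical): a title search page plus a small report form.

function launchcheck_menu() {
  $items['launchcheck/search'] = array(
    'title' => 'Search titles',
    'page callback' => 'launchcheck_search_page',
    // Access control is declared here and enforced by the menu system on every request.
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

function launchcheck_search_page() {
  $term = isset($_GET['q_title']) ? $_GET['q_title'] : '';
  // Injection: user input is bound as a placeholder, never concatenated into the SQL string;
  // db_like() escapes % and _ so the term cannot widen the LIKE pattern.
  $rows = db_query("SELECT nid, title FROM {node} WHERE status = 1 AND title LIKE :t",
                   array(':t' => '%' . db_like($term) . '%'))->fetchAll();
  // XSS: l() runs check_plain() on the link text, and t() escapes the @term placeholder.
  $list = array();
  foreach ($rows as $row) {
    $list[] = l($row->title, 'node/' . $row->nid);
  }
  $out  = '<p>' . t('Results for @term', array('@term' => $term)) . '</p>';
  $out .= theme('item_list', array('items' => $list));
  // CSRF: the Form API adds a per-session form token and rejects submissions without it.
  $out .= drupal_render(drupal_get_form('launchcheck_report_form'));
  return $out;
}

function launchcheck_report_form($form, &$form_state) {
  $form['note'] = array('#type' => 'textfield', '#title' => t('Note'), '#maxlength' => 255);
  $form['submit'] = array('#type' => 'submit', '#value' => t('Report'));
  return $form;
}

function launchcheck_report_form_submit($form, &$form_state) {
  // Values arrive only after token and #maxlength validation; the log entry is written with
  // placeholders, so it renders escaped in Reports > Recent log entries.
  watchdog('launchcheck', 'Note from user %uid: %note',
           array('%uid' => $GLOBALS['user']->uid, '%note' => $form_state['values']['note']),
           WATCHDOG_NOTICE);
  drupal_set_message(t('Thanks, your note was recorded.'));
}
```

Custom code that bypasses these calls (string-built SQL, raw `print` of user data, hand-rolled POST handlers) is exactly the category the audits below attribute most real-world holes to.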

Why does Drupal have more (or fewer) security advisories than another project?

The absolute number of security advisories (especially when contributed projects are included) is a meaningless figure and should never be used for comparison. Drupal has over 7000 contributed projects that are scrutinized by their users for any potential problem, and a security advisory may be issued for a relatively minor issue. For more information, read Security Risk Levels.
A security advisory indicates both the discovery of a potential problem and that the problem has already been resolved. It is extremely rare for such a hole to be exploited in the wild before the fix is announced in the advisory. Thus, your most important protection is keeping Drupal up to date whenever a security advisory is issued for Drupal core or for contributed code you are using.

On live sites, what vulnerabilities have been found or exploited?

Professional security audits of Drupal sites have generally found that the vast majority of security holes (90% or more) are in the custom theme or modules written by that site's developers. That code did not receive the public scrutiny that all code on drupal.org receives.
In addition, problems at the server level (such as using insecure protocols like FTP) are more likely to be the means of a successful attack than a vulnerability in Drupal, especially Drupal core.
For information on how to manage security in Drupal, see the Securing Your Site section of the Drupal Administration Guide.