Good and simple security practice for Drupal

Drupal is the second most popular Content Management System (CMS) in the world and as such it’s also the second most targeted and exploited.
The Drupal core version is most easily identified through the txt files included with the core in the main directory.
These files are served to anyone who requests them (http://www.your-domain.com/CHANGELOG.txt for example), including malicious bots/scripts that constantly probe your site for vulnerable versions of the Drupal CMS core.
The easiest thing you can do is to remove all txt files from your website root so that bots have to work harder to exploit any possible vulnerabilities of your Drupal core version.
Of course, the best protection is to keep up to date with Drupal core security releases.
Nevertheless, security through obscurity is a good practice for any software in general, and you should avoid exposing software versions or information that easily identifies the release where possible.
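
The cleanup of txt files from the website root described above, as an added shell example (not code from the original post). The function names are hypothetical, and keeping robots.txt is an assumption made here because crawlers rely on that file; the script reports by default and deletes only when given --apply.

```shell
#!/bin/sh
# Added example: list or remove top-level .txt files in a Drupal web root.
# Assumption: robots.txt is kept; every other *.txt directly in the root goes.
# Files in subdirectories are never touched.

KEEP="robots.txt"

# Print the names of the top-level .txt files that qualify for removal.
list_root_txt() {
    docroot=$1
    for f in "$docroot"/*.txt; do
        # Skip an unmatched glob and anything that is not a regular file.
        if [ ! -f "$f" ]; then
            continue
        fi
        name=${f##*/}
        if [ "$name" != "$KEEP" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Dry run by default; pass --apply as the second argument to delete.
clean_root_txt() {
    docroot=$1
    mode=${2:-}
    if [ ! -d "$docroot" ]; then
        echo "not a directory: $docroot" >&2
        return 2
    fi
    list_root_txt "$docroot" | while IFS= read -r name; do
        if [ "$mode" = "--apply" ]; then
            rm -f -- "$docroot/$name" && echo "removed $name"
        else
            echo "would remove $name"
        fi
    done
}

# Usage (path is a placeholder for your own web root):
#   clean_root_txt /path/to/drupal            # report only
#   clean_root_txt /path/to/drupal --apply    # delete
```

A core update that replaces the files in the root will put the txt files back, so run it again after each update.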