├── LICENSE
└── README.md

/LICENSE:
--------------------------------------------------------------------------------
CC0 1.0 Universal

Statement of Purpose

The laws of most jurisdictions throughout the world automatically confer exclusive Copyright and Related Rights (defined below) upon the creator and subsequent owner(s) (each and all, an "owner") of an original work of authorship and/or a database (each, a "Work").

Certain owners wish to permanently relinquish those rights to a Work for the purpose of contributing to a commons of creative, cultural and scientific works ("Commons") that the public can reliably and without fear of later claims of infringement build upon, modify, incorporate in other works, reuse and redistribute as freely as possible in any form whatsoever and for any purposes, including without limitation commercial purposes. These owners may contribute to the Commons to promote the ideal of a free culture and the further production of creative, cultural and scientific works, or to gain reputation or greater distribution for their Work in part through the use and efforts of others.

For these and/or other purposes and motivations, and without any expectation of additional consideration or compensation, the person associating CC0 with a Work (the "Affirmer"), to the extent that he or she is an owner of Copyright and Related Rights in the Work, voluntarily elects to apply CC0 to the Work and publicly distribute the Work under its terms, with knowledge of his or her Copyright and Related Rights in the Work and the meaning and intended legal effect of CC0 on those rights.

1. Copyright and Related Rights. A Work made available under CC0 may be protected by copyright and related or neighboring rights ("Copyright and Related Rights"). Copyright and Related Rights include, but are not limited to, the following:

  i. the right to reproduce, adapt, distribute, perform, display, communicate, and translate a Work;

  ii. moral rights retained by the original author(s) and/or performer(s);

  iii. publicity and privacy rights pertaining to a person's image or likeness depicted in a Work;

  iv. rights protecting against unfair competition in regards to a Work, subject to the limitations in paragraph 4(a), below;

  v. rights protecting the extraction, dissemination, use and reuse of data in a Work;

  vi. database rights (such as those arising under Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, and under any national implementation thereof, including any amended or successor version of such directive); and

  vii. other similar, equivalent or corresponding rights throughout the world based on applicable law or treaty, and any national implementations thereof.

2. Waiver. To the greatest extent permitted by, but not in contravention of, applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and unconditionally waives, abandons, and surrenders all of Affirmer's Copyright and Related Rights and associated claims and causes of action, whether now known or unknown (including existing as well as future claims and causes of action), in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each member of the public at large and to the detriment of Affirmer's heirs and successors, fully intending that such Waiver shall not be subject to revocation, rescission, cancellation, termination, or any other legal or equitable action to disrupt the quiet enjoyment of the Work by the public as contemplated by Affirmer's express Statement of Purpose.

3. Public License Fallback. Should any part of the Waiver for any reason be judged legally invalid or ineffective under applicable law, then the Waiver shall be preserved to the maximum extent permitted taking into account Affirmer's express Statement of Purpose. In addition, to the extent the Waiver is so judged Affirmer hereby grants to each affected person a royalty-free, non transferable, non sublicensable, non exclusive, irrevocable and unconditional license to exercise Affirmer's Copyright and Related Rights in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "License"). The License shall be deemed effective as of the date CC0 was applied by Affirmer to the Work. Should any part of the License for any reason be judged legally invalid or ineffective under applicable law, such partial invalidity or ineffectiveness shall not invalidate the remainder of the License, and in such case Affirmer hereby affirms that he or she will not (i) exercise any of his or her remaining Copyright and Related Rights in the Work or (ii) assert any associated claims and causes of action with respect to the Work, in either case contrary to Affirmer's express Statement of Purpose.

4. Limitations and Disclaimers.

  a. No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document.

  b. Affirmer offers the Work as-is and makes no representations or warranties of any kind concerning the Work, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non infringement, or the absence of latent or other defects, accuracy, or the present or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.

  c. Affirmer disclaims responsibility for clearing rights of other persons that may apply to the Work or any use thereof, including without limitation any person's Copyright and Related Rights in the Work. Further, Affirmer disclaims responsibility for obtaining any necessary consents, permissions or other rights required for any use of the Work.

  d. Affirmer understands and acknowledges that Creative Commons is not a party to this document and has no duty or obligation with respect to this CC0 or use of the Work.
For more information, please see

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

## Drupal Website Launch Checklist ##
- Perform load testing & optimization beforehand, including slow-log analysis;
  - [Percona Toolkit](http://www.percona.com/doc/percona-toolkit/2.2/pt-query-digest.html) for MySQL can help to analyze slow logs;
- Check the Drupal SEO Tools report;
- Match the recommendations of the following tools:
  - [Security Review Module](https://drupal.org/project/security_review);
  - [Site Audit module](https://drupal.org/project/site_audit);
  - Acquia Insight;
  - YSlow;
- Install and configure the [Security Kit module](https://www.drupal.org/project/seckit).
- Install the [Username Enumeration Prevention module](https://www.drupal.org/project/username_enumeration_prevention). It is also suggested to apply patches to it.
- Install and configure the [Secure Pages](https://www.drupal.org/project/securepages) module.
- Run the Performance and Scalability Checklist module;
- Analyze Coder Review results;
- Perform load testing with the database cache, memcache and image styles cleared, i.e. with caches disabled;
- Make sure you always have a failover scenario and a quick backup;
- Check that your maintenance message is appropriate (admin/config/development/maintenance);
- Configure cron jobs;
- Disable all development modules (Devel, Views UI, Field UI etc.). For quickly enabling/disabling dev modules, if you have the Admin Menu module installed, configure it at /admin/config/administration/admin_menu under the "Performance" tab;
- Add a console.log stub;
- Configure caches and reverse proxies properly: APC, Varnish, Memcache, Akamai;
- Make sure that AJAX requests are cached properly;
- Enable bandwidth optimization;
- Compress cached pages;
- Aggregate and compress JS/CSS files;
  - Use the [Advanced CSS/JS Aggregation](https://drupal.org/project/advagg) module instead of core aggregation;
- Test simultaneous and consecutive anonymous access scenarios and behavior when every cache is enabled;
- Replace database logging with another solution, e.g. syslog;
- Disable any error output on the frontend;
- Enable fast_404 in the settings.php file or use the [Fast 404](https://drupal.org/project/fast_404) module;
- [Make sure file permissions for the file directories and the code directory are set correctly](http://drupal.org/node/244924);
- Make sure that input formats are correctly configured;
- On /admin/config/system/site-information make sure the email address and name are correct;
- Ensure website permissions are set appropriately and minimally;
- If using SSL, change your local /etc/hosts to point the site to its live domain and ensure SSL redirection is working correctly;
- Remove test content, such as "lorem ipsum" text, dummy users, or content generated by the Devel module;
- Check the maximum file upload sizes and maximum execution time;
- If you don't use the core Search module, make sure it's disabled;
- If you use any replacement for standard cron, make sure it's disabled;
- Warm caches before launch:
  - Use the [Cache Warmer module](https://drupal.org/project/cache_warmer);
  - Use the [HTTPRL Spider module](https://drupal.org/project/httprl_spider);
- If possible, perform the launch component by component, one at a time;
- Make sure your admin account has a strong password and that it's changed before launch;
- Enable caching for Views output, Panels pane output and blocks. Useful modules are the following:
  - [Views Content Cache](https://drupal.org/project/views_content_cache).

## Gotchas ##
- If you maintain a very large number of files on your website, it can have a substantial negative effect on performance and stability, especially if they are all contained in the same directory. If your site requires a large number of files, maintain them in multiple directories;
- Using the standard Views pager might cause performance issues because of the additional COUNT query. Use [Views Litepager](https://drupal.org/project/views_litepager) instead.
- Some conditions prevent the use of an in-memory temporary table, in which case the server uses an on-disk table instead:
  - Presence of a BLOB or TEXT column in the table;
  - Presence of any string column in a GROUP BY or DISTINCT clause larger than 512 bytes;
  - Presence of any string column with a maximum length larger than 512 (bytes for binary strings, characters for nonbinary strings) in the SELECT list, if UNION or UNION ALL is used.

## Hiding traits of Drupal ##
To protect a website from automated attacks it is always better to hide the CMS:
- By removing the CHANGELOG.txt file;
- By removing the GENERATOR meta tag (e.g. using the https://www.drupal.org/project/remove_generator module);
- By hiding PHP fatal errors (e.g. using the https://www.drupal.org/project/hide_php_fatal_error module);
- By renaming admin paths (e.g. using the https://www.drupal.org/project/rename_admin_paths module);
- By modifying the template of the robots.txt file;
- By disallowing viewing of txt files in the core folder;
- By modifying the default Drupal Expires header;
- By renaming default Drupal strings (e.g. using the String Overrides module);
- By renaming default classes in the Drupal theme;
- By changing default upload paths;
- By creating custom 403/404 pages (e.g. https://www.drupal.org/project/search404);
- By removing, renaming and/or updating the update.php file;
- By removing, renaming and/or updating the cron.php file;
- By updating default images, e.g. the throbber.

## Handling [PSA-2014-003](https://www.drupal.org/PSA-2014-003) (Drupalgeddon) ##
1. Immediately upgrade to Drupal 7.32; if that's not possible, at least patch the vulnerable function in the /includes/database/database.inc file;
2. Check file integrity using Git status or, if that's not possible, using Hacked;
3. If possible, redeploy the latest version of the code base;
4. Scan the public/private file locations for *.php, *.sh and any other suspicious files. There are some strategies to improve this procedure: for instance, if only image uploads are allowed, then scan for any files other than images;
5. If the webserver setup is permissive in terms of permissions and users (e.g. the Apache user can write anywhere), an audit of the entire server will additionally be required;
6. Install the Security Review, Drupalgeddon and Site Audit contributed modules and execute their checks;
7. If the pages are built using the Features module and if allowed, revert all the features to their original state;
8. Rebuild the menu by executing the core `menu_rebuild()` function;
9. Review the `variable` table to find any suspicious values. On some installations it might be possible to truncate the table entirely, if the Features module is used and if the default values of the variables are acceptable;
10. Check the database for new MySQL users, update MySQL passwords and regenerate passwords/tokens for any integrated systems;
11. Check user roles to find whether any user has the 'admin' role;
12. Check the `menu_router` and `users` tables for suspicious entries, e.g. with 'file_put_contents' callbacks;
13. Dump the entire website HTML, e.g. using a crawler, and grep for additional parameters in links;
14. If possible, analyze the sessions table for logins of admin/advanced users from external IP addresses and check their last login dates;
15. Analyze the Apache logs for POST keys containing the strings 'UPDATE', 'INSERT', 'DELETE', '?q=node&destination=node';
16. Check the places in Panels, Blocks and Views where custom PHP snippets might be used, e.g. in custom access rules;
17. Set another Drupal hash salt in settings.php for password generation, reset the passwords of all users and send them new ones;
18. Attacks through PSA-2014-003 may have used your server files, for example to send out spam emails, so if possible re-create your server files.
--------------------------------------------------------------------------------
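As an added example (not part of the checklist, nor code from any Drupal project), the POSIX shell script below turns three of the checks above into something runnable from the defender's side: the trait leaks listed under "Hiding traits of Drupal" (the GENERATOR meta tag, the default Drupal Expires header, plus the X-Generator and X-Drupal-Cache response headers, which are my own assumptions about what a stock Drupal 7 site sends rather than items on the list), step 4 of the Drupalgeddon procedure (non-image files in an upload directory) and step 15 (POST requests in an Apache access log carrying the listed indicator strings). The function names, the sample HTTP response, the file names and the log lines are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original checklist. Three defender-side
# checks in plain POSIX sh:
#   audit_response FILE   - flags Drupal traits (section "Hiding traits of
#                           Drupal") in a saved HTTP response (headers + body)
#   scan_uploads DIR      - lists non-image files in an upload directory
#                           (Drupalgeddon step 4)
#   scan_access_log FILE  - prints POST request lines carrying the indicator
#                           strings from Drupalgeddon step 15
# make_fixture builds constructed sample input so the script runs offline.

audit_response() {
    # $1: raw response as saved by: curl -si https://your-site.example/ > resp.txt
    # One line per finding, prefixed with "LEAK:". Header names are assumed.
    grep -qi '^X-Generator:'             "$1" && echo "LEAK: X-Generator header"
    grep -qi '<meta name="Generator"'     "$1" && echo "LEAK: Generator meta tag"
    # Drupal 7 core sends this fixed date as Expires on dynamic pages.
    grep -qi '^Expires: Sun, 19 Nov 1978' "$1" && echo "LEAK: default Drupal Expires header"
    grep -qi '^X-Drupal-Cache:'           "$1" && echo "LEAK: X-Drupal-Cache header"
    return 0
}

scan_uploads() {
    # Print every regular file under $1 that is not an image. Drupal's own
    # files/.htaccess is expected there and skipped; anything else (PHP,
    # shell scripts, archives) deserves a look.
    find "$1" -type f ! -name .htaccess \
        ! \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' -o -iname '*.gif' \)
}

scan_access_log() {
    # Combined-format access logs hold only the request line, so this matches
    # the indicators in the path/query string. POST body keys are visible only
    # if body logging (e.g. a mod_security audit log) was enabled.
    grep -E '"POST [^"]*(UPDATE|INSERT|DELETE|\?q=node&destination=node)' "$1" || true
}

make_fixture() {
    # Constructed sample data (not captured from any real site); prints the dir.
    dir=$(mktemp -d)
    printf 'HTTP/1.1 200 OK\r\nX-Generator: Drupal 7 (http://drupal.org)\r\nExpires: Sun, 19 Nov 1978 05:00:00 GMT\r\nX-Drupal-Cache: MISS\r\n\r\n<html><head><meta name="Generator" content="Drupal 7 (http://drupal.org)" /></head></html>\n' > "$dir/resp.txt"
    mkdir -p "$dir/files/pictures"
    : > "$dir/files/pictures/avatar.jpg"
    : > "$dir/files/logo.png"
    : > "$dir/files/.htaccess"
    : > "$dir/files/pictures/stray.php"
    : > "$dir/files/cleanup.sh"
    cat > "$dir/access.log" <<'EOF'
203.0.113.5 - - [16/Oct/2014:10:12:31 +0000] "GET /node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Oct/2014:10:13:02 +0000] "POST /?q=node&destination=node HTTP/1.1" 200 812 "-" "python-requests/2.4"
203.0.113.5 - - [16/Oct/2014:10:14:10 +0000] "POST /user/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Oct/2014:10:15:44 +0000] "POST /?q=UPDATE HTTP/1.1" 200 812 "-" "python-requests/2.4"
EOF
    echo "$dir"
}

# Demo run on the constructed fixture.
fx=$(make_fixture)
audit_response "$fx/resp.txt"
scan_uploads "$fx/files"
scan_access_log "$fx/access.log"
rm -rf "$fx"
```

Point `audit_response` at a response saved with `curl -si` against your own site, and `scan_uploads` at the real public and private file directories. The database-side steps (the `variable`, `menu_router`, `users` and sessions tables, the MySQL user list) are not covered here because they need SQL against the live database; and, as noted in the comment, the access-log check can only see what the log format records, so without body logging it will catch the query-string indicator but not POST form keys.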