Drupal default settings, security, and spam

I've created several new websites with Drupal lately (One Man's Alaska, Tequila/Monk, and Legend of the Squirrel), and while I really like a lot of things about it, you have to be careful with Drupal's default settings, in particular the default "social" settings, which lead to a few security problems.

I've run into several "security" issues lately, all of which have caused one problem or another:

  • Unvalidated trackbacks are initially allowed
  • User accounts are initially allowed
  • Comments are allowed by default

The default trackback setting caused the worst problem so far. I just fixed a problem yesterday where I had 1,000-plus bogus spam trackbacks (all related to drugs of various sorts) on one of my sites before I realized that "unvalidated trackbacks" was the default setting. IMHO, that setting should never be used on the public internet.

User accounts are also allowed by default, so one day I looked at my Drupal admin section and found 20+ new user accounts -- and I didn't want any public accounts (!).

Don't get me wrong, I really like social websites, but you have to be really careful from a security and spam perspective with what you enable. I strongly recommend having a "Drupal installation checklist" that you can review whenever you go live with a new Drupal site.