A Quick Tip To Make Your Drupal Website More Secure: Turn Off PHP Filter in Posts

Just turn PHP Filter off. There's a reason why it's in a separate module turned off by default.

Now, why is it even there in the first place?

Drupal security: turn off PHP filter

One probable reason is that it can be useful for Drupal development. I seem to recall that in the dark times before the Views module came along, Drupal administrators and developers used various PHP snippets to run MySQL queries, for example to show a list of the 10 nodes tagged with a specific term on a page. You can still see a bunch of those snippets in the Drupal.org handbook. However, this is not a secure practice. Even if you allow the PHP filter to be used only by trusted roles, if a malicious hacker takes over an account with one of those roles, it becomes much easier for them to cause a lot of damage to your site.
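Before switching the module off, it helps to know which text formats actually run PHP and which roles can use them. The audit queries below are an added example, not from the original post; they assume a Drupal 7 database with no table prefix, the core `php` module's default `php_code` filter, and a `field_data_body` table for node bodies (adjust the table names if your site differs).

```sql
-- Added example (assumes Drupal 7 schema, no table prefix).

-- 1. Is the PHP filter module enabled at all? (status = 1 means enabled)
SELECT name, status
FROM system
WHERE type = 'module' AND name = 'php';

-- 2. Which enabled text formats have the "PHP evaluator" filter switched on?
--    The core php module registers its filter as module='php', name='php_code'.
SELECT ff.format, ff.name
FROM filter_format ff
JOIN filter f ON f.format = ff.format
WHERE f.module = 'php'
  AND f.name   = 'php_code'
  AND f.status = 1
  AND ff.status = 1;

-- 3. Which roles may use those formats, i.e. which roles can execute PHP
--    from a node body. Drupal grants a text format through the permission
--    string 'use text format <machine name>'.
SELECT r.rid, r.name AS role, ff.format
FROM role r
JOIN role_permission rp ON rp.rid = r.rid
JOIN filter_format ff    ON rp.permission = CONCAT('use text format ', ff.format)
JOIN filter f            ON f.format = ff.format
                        AND f.module = 'php'
                        AND f.name   = 'php_code'
                        AND f.status = 1
WHERE ff.status = 1
ORDER BY r.rid;

-- 4. Which existing nodes store their body in a PHP-enabled format.
--    These are the pages that will stop rendering PHP once the module is
--    disabled, so review them first (e.g. replace the snippet with a View).
SELECT b.entity_id AS nid, b.body_format
FROM field_data_body b
JOIN filter f ON f.format = b.body_format
WHERE b.entity_type = 'node'
  AND f.module = 'php'
  AND f.name   = 'php_code'
  AND f.status = 1;

-- After the review, disable the module from admin/modules or with
-- `drush pm-disable php`; the text format then no longer evaluates PHP.
```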