Here are several tips to keep a Drupal-based website secure.
- Back up your files and database
- Keep core files and modules up to date. Regularly check for updates
- Add extra security modules like: Secure Login, Paranoia, Captcha, Two-factor Authentication, Content Access, Security Kit
- Uninstall and delete unused modules
- Review user roles and their access
- Block access to sensitive data
- Check file and folder permissions: .htaccess - 444, /sites/default (directory) - 555, /sites/default/settings.php - 400, /sites/default/files (directories) - 775, /sites/default/files (files) - 664
- Restrict site visitors from creating their own accounts
- Disable the testing module
- Enable HTTPS and enforce secure connections only
- Get a wildcard SSL certificate and enable HSTS preloading
- Use a CDN (content delivery network)
- Protect your server and hide server signature
Follow these steps and your site will reach an A+ security level.
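
An added example (not from the original page): a POSIX shell audit that compares a Drupal docroot against the permission values in the list above. The function names are illustrative, and the docroot path is supplied by the caller as the first argument.

```shell
#!/bin/sh
# Added example: audit a Drupal docroot against the modes in the list above.
# Function names are illustrative; pass the docroot path as the first argument.

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Print one finding line if the path ($1) does not have the expected mode ($2).
check_mode() {
  actual=$(mode_of "$1") || actual=missing
  if [ "$actual" != "$2" ]; then
    printf 'MISMATCH %s is %s, expected %s\n' "$1" "$actual" "$2"
  fi
}

# Print every path under the docroot ($1) whose mode differs from the list.
audit_drupal_perms() {
  root=$1
  check_mode "$root/.htaccess" 444
  check_mode "$root/sites/default" 555
  check_mode "$root/sites/default/settings.php" 400
  if [ -d "$root/sites/default/files" ]; then
    # Upload tree: directories 775, regular files 664 (exact match).
    find "$root/sites/default/files" -type d ! -perm 775 \
      -exec printf 'MISMATCH %s is a directory, expected 775\n' {} +
    find "$root/sites/default/files" -type f ! -perm 664 \
      -exec printf 'MISMATCH %s is a file, expected 664\n' {} +
  else
    printf 'MISMATCH %s is missing, expected 775\n' "$root/sites/default/files"
  fi
}

# Number of findings for the docroot ($1); 0 means the tree matches the list.
count_findings() {
  audit_drupal_perms "$1" | wc -l | tr -d ' '
}

if [ "$#" -gt 0 ]; then
  audit_drupal_perms "$1"
fi
```

Run it after each core or module update, since updates and deployments can reset modes on `settings.php` and `sites/default`.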