How to Secure Your Drupal Website at the Server Level: A Practical Guide
Alex Lyzo, an Acquia-certified specialist and Team Lead at Attico, outlines a comprehensive, real-world checklist for securing Drupal sites at the server level. He stresses that even perfectly maintained Drupal code can be undermined by misconfigured infrastructure. The piece targets developers and site owners, offering tactical steps like enforcing HTTPS, disabling directory listings, and setting up web application firewalls.
Lyzo advocates proactive server hardening, including PHP execution restrictions, strict file upload controls, and Fail2ban. He recommends separating environments and using minimal container images to reduce the attack surface. Practical advice includes using NGINX with PHP-FPM, automating backups, and applying secure HTTP headers at the server level.
While the list is extensive, little of it is specific to Drupal beyond the context; much of the advice applies to any modern CMS. The article is actionable and detailed but lacks prioritization, which may overwhelm less technical readers. Still, it's a useful guide for those seeking to harden their Drupal hosting environment from the ground up.