Comment: Info

Take this as just some friendly info.

Drupal's core is indeed very secure; however, the third-party modules are not. The core goes through intensive community testing and, to my knowledge, has never been compromised. However, the third-party modules are a whole 'nother story. As you know very well, the DP is often flagged as containing malicious code by Google. The reason, while innocent, is the site's heavy use of third-party modules. It's these modules which cause you trouble. I know the backstory and that it's ad providers, but the concept remains... modules can be trouble. I don't know of a good solution because even if Jon rolled new modules himself, they'd still have issues. He's only one person.

Also, see my above comment about SSL encryption. Because this site does not utilize SSL with a third-party certificate, all communications to and from your web server are HIGHLY insecure. This means, when you log in, your user/pass is transmitted in an insecure fashion. I do not know how Drupal encodes the text, but usually non-encrypted traffic is hashed or in plain text. A packet sniffer or NSA "prism" could very easily gain access to not only my account, but yours or Jon's. In fact, if we use the same password on DP as (insert web service here) then you can assume that any account is compromised that uses that password. The first thing hackers will try are your known passwords... because people use the same password for everything generally.

I'm sure you don't need my help to remedy the SSL cert, but I will if you do. Again, I don't know what you can do about the third-party modules except to only use very reputable modules.