is on Drupal 8. Or how we secured a Drupal site like a paranoid.

So, I just upgraded my first site to Drupal 8. Yup. It's in production right now, and you are looking at it.

In a couple of posts in the coming weeks I will talk about some experiences that I gained from it. Gotchas, goose-bumps moments, raging at the screen and all the other emotions we developers go through in typical day.

But first a couple of words about the over-all process.

This site in itself is a pretty simple site. It contains a front page, where we also display a somewhat real time statistic of online users. And it has a high scores list. As you probably understand, this requires a custom module, so there was that. Also, we have a simple custom theme, built on the Foundation framework. So there was that.

This allowed me to learn more about making a module in Drupal 8, the guzzle library for making requests, some good ol twig for the theme. I'll cover my findings in separate posts later.

Second, a word about security. Since Drupal 8 is alpha still, who know what kind of bugs and potential security holes you can find in there, right? So I ended up disallowing login through regular channels. Since this particular server is behind varnish, disallowing on the default address was really easy, I just put this in my vcl file:

if ( == "") {
  unset req.http.Cookie;

What this does, is effectively denying all logging in to your site on port 80, since no user ever will get a cookie.

OK. Well that does not stop someone from logging in if they find the apache port, right? So I put this in my virtual host for the domain (in the directory directive):

Order Deny,Allow
Deny from all
Allow from
Allow from x.x.x.x #  my own ip, so I personally can log in to the site.
AllowOverride All

Of course this does not cover all kinds of other tactics that some people might want to try, but at least we are limiting the possibilities to do harm.

Please feel free to give any tips, hints, criticism or just invitations to play multiplayer - in the comments.