I often see questions about how someone can "hide the fact that their site runs Drupal" or "remove the meta Generator header." People often want to do this because they feel it will make their site more secure: if the attacker doesn't know I'm running Drupal then they will have one less piece of data about what attack methods might work. People say that an automated attack script that detects Drupal sites might not find me and therefore might not attack me.
While many Drupal sites and site-builders focus on creating interactive sites where anonymous and authenticated users can interact with the content to varying degrees, there are still some environments and sites where a "static" version makes more sense for most of the public.
The main benefits are:
more confidence that your site cannot be "hacked"
in some cases performance improvement (since Drupal's dynamic features are removed).
There are at least three strategies to achieve this, which can be mixed/matched as appropriate.
I use the term "expert" with some hesitancy. There are simply so many elements to becoming an expert in web application security that it's hard to list them all. However if someone does all these things then they are well on their way to becoming an expert in Drupal security.
When creating complex Drupal sites it is often necessary to create patches to modules or Drupal core. Those patches should be managed locally in an organized fashion and contributed up stream. Once they are contributed to an issue queue on Drupal.org your job is not done: it needs to be committed before you can stop worrying about it.
Among the thousands of modules on drupal.org there are over 100 in the security category. Unfortunately some of those are abandoned or inaccurately tagged. We've looked at every module and compiled this resource to help you understand the security-related community modules available. Not all modules provide security exactly, some are about hardening your site against weaknesses and others are about monitoring and reporting abuses.
When we get a new customer interested in the Drupal Scout Custom Security Review we will ask them for some metrics about their site to help us understand how much work we think it will be to review their site. We general ask: