10 Steps to Enhance Drupal Security
Drupal is one of the most popular content management systems (CMS). Like other CMSs, Drupal offers timely security updates: core is maintained by a dedicated security team and has a comparatively good track record. Most of the serious vulnerabilities that affect Drupal sites are found in contributed modules and themes, whose quality varies. In practice, however, few sites can avoid contributed code, so we need to know how to harden a Drupal installation. In this tutorial we show some steps you can follow to enhance the security of your Drupal site.
1: Login Security Module
This is one of the most useful Drupal security modules. It limits the rate of login attempts per account and per IP address and blocks access once a threshold is reached; you choose the limit and whether an IP is blocked temporarily or permanently. It can also notify you by e-mail when someone appears to be brute-forcing the login page. Drupal 7 and later core already apply basic flood control to the login form (by default 5 failed attempts per account and 50 per IP address within a time window); Login Security makes these thresholds configurable and adds hard blocks and notifications. Be careful with permanent IP blocks when many users share one address (office NAT) or when the site sits behind a reverse proxy that hides the real client address: in the latter case Drupal must be configured to trust the proxy's forwarded headers, otherwise every visitor appears to come from the proxy's IP and a single attacker can get everyone blocked.
You can download this module from: https://drupal.org/project/login_security
Steps to Install:
1: Download the module from the project page: https://drupal.org/project/login_security
2: Extract it into the folder sites/all/modules/contrib. (It is recommended to keep all third-party modules in a contrib subfolder, separate from your own custom modules, so that updates are easy to track. This is the Drupal 7 layout; on Drupal 8 and later, contributed modules are normally added with Composer and live under modules/contrib.)
3: Go to the Modules page at Administer > Modules and enable it.
4: Read the module’s documentation for further configuration instructions.
2: Password Policy Module
This module lets you define password policies for user accounts.
You can enable password expiry and set its period, require a minimum length and complexity (character classes, no reuse of recent passwords), and force password changes. Note that current guidance (NIST SP 800-63B) discourages mandatory periodic expiry and favours length, a check against known-breached passwords and rate limiting of login attempts; enable expiry deliberately rather than as a default.
You can download the module from: https://www.drupal.org/project/password_policy
3: CAPTCHA Module
You can install the standard CAPTCHA module to add a challenge to the login, registration, password-reset and other forms. Its purpose is to stop automated submissions: scripted login attempts and spam registrations. A CAPTCHA complements rate limiting rather than replacing it, and it does nothing against an attacker who already knows a valid password.
You can download the module from: https://www.drupal.org/project/captcha
You can also add the reCAPTCHA module, which plugs Google's reCAPTCHA into the CAPTCHA module (note that this sends visitor data to a third party): https://www.drupal.org/project/recaptcha
4: Security Review Module
This module performs a security review of your Drupal site and tells you what to change to improve it. It is very useful and we recommend installing it and reviewing the current setup at least once. Keep in mind that it is a checklist of common misconfigurations, not a vulnerability scanner for module code.
Security Review runs the following checks:
- Safe file system permissions (protecting against arbitrary code execution)
- Text formats don’t allow dangerous tags (protecting against XSS)
- Safe error reporting (avoiding information disclosure)
- Secure private files
- Only safe upload extensions
- Large amount of database errors (could be sign of SQLi attempts)
- Large amount of failed logins (could be sign of brute-force attempts)
- Responsible Drupal admin permissions (protecting against access misconfiguration)
- Username as password (protecting against brute-force)
- Password included in user emails (avoiding information disclosure)
- PHP execution (protecting against arbitrary code execution)
- Base URL set / D8 Trusted hosts (protecting against some phishing attempts)
- Views access controlled (protecting against information disclosure)
You can download the module from here : https://www.drupal.org/project/security_review
5: Update Manager Module
Update Manager is part of Drupal core; make sure it is enabled. It checks updates.drupal.org for new releases of core, contributed modules and themes and tells you when one is available, flagging security releases separately. You can set how often it checks and how you are notified, so you will not miss an update. It only notifies: applying the update is still your job (see step 9). Keeping Drupal and its modules and themes on the latest versions is one of the most important security measures you can take.
Documentation for the module: https://www.drupal.org/documentation/modules/update
6: Duo Two-Factor Authentication Module
Two-step verification adds a second factor (with Duo: a push notification, a passcode or a hardware token) on top of the password, so a stolen or guessed password alone is no longer enough to log in. Enable it at least for all administrator accounts.
You can download this module from: https://www.drupal.org/project/duo
7: Paranoia Module
The Paranoia module identifies the places where a user can run PHP through Drupal's web interface and blocks them. Without it, anyone who obtains an administrator account, or is granted one of the risky permissions, can turn that into arbitrary code execution on the server; with it, a compromised admin account is much harder to escalate.
It has the following features:
- Disable granting of the “use PHP for block visibility” permission.
- Disable creation of input formats that use the PHP filter.
- Disable editing the user #1 account.
- Prevent granting risky permissions.
- Disable disabling this module. Yes, that's right: you need to go to the database to get rid of it again.
8: File Integrity Check Module
This module scans the installed Drupal core, contributed modules and themes and determines whether they have changed. If a change is detected it notifies the site administrator.
It lets the site maintainer "fingerprint" an entire site (except the files below the public:// upload directory) while it is in a known-clean state. It can then be configured to periodically compare the site to this fingerprint and report the following:
- modified files and directories;
- potential back-doors (files added to the site);
- files removed from the site;
- files writeable by the web-server.
Take the fingerprint from a fresh, verified install (or right after a clean update), and keep a copy of it off the server: an attacker who can write to the docroot can usually also rewrite a fingerprint stored on the same host.
You can download this module from: https://www.drupal.org/project/file_integrity
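The same idea can be carried out with standard tools, which is also a useful cross-check on the module itself. The script below is an added example, not the File Integrity Check module's code. It assumes a Drupal 7 style layout, excludes sites/default/files as the module does, and works on a constructed sample site so it can be run offline; it covers modified, added and removed files, and leaves out the module's check for files writable by the web server.

```shell
#!/bin/sh
# Added example (not the File Integrity Check module's code): fingerprint a Drupal
# docroot and later report modified, added and removed files. Assumes a Drupal 7
# style layout and skips sites/default/files, the public:// upload directory.
# Paths containing whitespace are not handled by this simple version.

FILES_DIR=sites/default/files

# One "<sha256>  ./path" line per file, sorted by path so manifests diff cleanly.
fingerprint_site() {
    (cd "$1" && find . -type f ! -path "./$FILES_DIR/*" -exec sha256sum {} + | sort -k2)
}

# compare_fingerprint BASELINE DOCROOT: compare a stored manifest with the current state.
compare_fingerprint() {
    current=$(mktemp)
    fingerprint_site "$2" > "$current"
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
         {
           if (!($2 in base))        print "added:    " $2
           else if (base[$2] != $1)  print "modified: " $2
           seen[$2] = 1
         }
         END { for (p in base) if (!(p in seen)) print "removed:  " p }' \
        "$1" "$current" | sort
    rm -f "$current"
}

# Constructed sample site: fingerprint a clean state, then tamper with it.
SITE=$(mktemp -d)
mkdir -p "$SITE/sites/default/files" "$SITE/sites/all/modules/contrib/foo" "$SITE/misc"
echo '<?php require_once "core.php";' > "$SITE/index.php"
echo '<?php $databases = array();'    > "$SITE/sites/default/settings.php"
echo '<?php function foo_menu() {}'   > "$SITE/sites/all/modules/contrib/foo/foo.module"
echo 'Drupal 7.x'                     > "$SITE/CHANGELOG.txt"
echo 'user upload'                    > "$SITE/sites/default/files/upload.txt"

BASELINE=$(mktemp)
fingerprint_site "$SITE" > "$BASELINE"   # in real use, store this copy off the server

# Tamper: edit a module, drop a new PHP file, delete a core file, change an upload.
echo '// tampered'      >> "$SITE/sites/all/modules/contrib/foo/foo.module"
echo '<?php phpinfo();' >  "$SITE/misc/x.php"
rm "$SITE/CHANGELOG.txt"
echo 'changed upload'   >  "$SITE/sites/default/files/upload.txt"   # excluded: not reported

compare_fingerprint "$BASELINE" "$SITE"
```

Schedule the comparison from cron and run it against a baseline copied in from a trusted location, not one that lives in the docroot. A legitimate update changes many files at once; refresh the baseline immediately after each update so that the next run is quiet again.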
9: Always Keep Drupal Core Updated
Updating is a two-step process. First replace the code: obtain the new release of core, the module or the theme and put it in place (with Drush or Composer, or by replacing the files by hand). Then apply the pending database updates by visiting http://yourdomain.com/update.php (replace yourdomain.com with your domain name) or by running the equivalent Drush command. update.php only applies the database and configuration changes that belong to code you have already installed; it does not fetch new code. Take a backup before updating and read the release notes, because security releases sometimes require configuration changes as well. Update core, modules and themes regularly; that gives you new features and bug fixes as well as security. The Update Manager module discussed above will tell you when a new release is available.
10: Always Keep Backups
If you follow the steps above, your Drupal site will be much harder to compromise. No set of measures is complete, though, so it is still recommended to take periodic backups of your site: they are what lets you recover from a compromise or from a failed update.
You can use the "Backup and Migrate" module to generate a compressed backup of the entire site (database and files).
The features of the "Backup and Migrate" module are:
- Backup/Restore multiple MySQL databases and code
- Backup of files directory is built into this version
- Add a note to backup files
- Smart delete options make it easier to manage backup files
- Backup to FTP/S3/Email or NodeSquirrel.com
- Drush integration
- Multiple backup schedules
- AES encryption for backups
Store backups outside the web root and, ideally, off the server, and protect them as carefully as the site itself: the database dump contains password hashes and session data, and settings.php contains the database credentials. Use the module's AES encryption for off-site copies, and test restoring a backup from time to time; a backup that has never been restored is not a backup you can count on.
You can download this module from: https://www.drupal.org/project/backup_migrate
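For sites without the module, or as an independent safety net, the same job can be done with tar and a checksum, including the restore test. The script below is an added example, not Backup and Migrate's code. It assumes a Drupal 7 style layout and uses a constructed SQL file as a stand-in for the dump that drush sql-dump or mysqldump would produce, so it runs offline; the backup directory is deliberately outside the docroot.

```shell
#!/bin/sh
# Added example, not Backup and Migrate's code: back up a Drupal docroot plus a
# database dump into a directory outside the web root, record a checksum, verify
# the archive, and test-restore it. Assumes a Drupal 7 style layout. The SQL dump
# is a constructed stand-in for the output of `drush sql-dump` or mysqldump.

# backup_site DOCROOT DUMP DESTDIR: writes a timestamped archive and prints its path.
backup_site() {
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive=$3/drupal-$stamp.tar.gz
    # One archive holding the code+files tree and the dump side by side.
    tar -czf "$archive" \
        -C "$(dirname "$1")" "$(basename "$1")" \
        -C "$(dirname "$2")" "$(basename "$2")"
    ( cd "$3" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
    echo "$archive"
}

# verify_backup ARCHIVE: succeeds only if the checksum matches and the archive lists cleanly.
verify_backup() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" ) >/dev/null 2>&1 \
        && tar -tzf "$1" >/dev/null 2>&1
}

# restore_backup ARCHIVE: unpacks into a fresh scratch directory and prints its path.
restore_backup() {
    target=$(mktemp -d)
    tar -xzf "$1" -C "$target"
    echo "$target"
}

# Constructed sample: a docroot, a fake dump, and a backup directory beside (not inside) it.
WORK=$(mktemp -d)
DOCROOT=$WORK/docroot
DUMP=$WORK/site.sql
mkdir -p "$DOCROOT/sites/default/files" "$WORK/backups"
echo '<?php $databases = array("default" => array());' > "$DOCROOT/sites/default/settings.php"
echo 'user upload' > "$DOCROOT/sites/default/files/upload.txt"
printf 'CREATE TABLE users (uid int);\nINSERT INTO users VALUES (1);\n' > "$DUMP"

ARCHIVE=$(backup_site "$DOCROOT" "$DUMP" "$WORK/backups")
if verify_backup "$ARCHIVE"; then echo "backup ok: $ARCHIVE"; else echo "backup BROKEN: $ARCHIVE"; fi

# The restore test: unpack and compare against the live tree and dump.
RESTORED=$(restore_backup "$ARCHIVE")
if diff -r "$DOCROOT" "$RESTORED/docroot" >/dev/null && cmp -s "$DUMP" "$RESTORED/site.sql"; then
    echo "restore verified from $ARCHIVE"
fi
```

On a real site the dump comes from drush sql-dump or mysqldump and the docroot is large, so exclude cache-like directories (for example sites/default/files/css and files/js) and encrypt the archive before copying it off-site; gpg or the module's AES option both work. The checksum file catches silent corruption in storage, and the restore into a scratch directory is the step most backup routines skip.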
So please follow the 10 steps above to secure your Drupal site. If you find a security issue in Drupal core or in a contributed module, report it to the Drupal security team promptly (please read: How to report a security issue with Drupal). You may also follow the secure-configuration advice published by Drupal itself: https://www.drupal.org/security/secure-configuration
If you need any further help please reach our support department.