Drupal is a popular open-source content management system that powers over 1,000,000 websites worldwide, including BBC Store, FOX, Al Jazeera, Lady Gaga, Bruno Mars, Cisco, the NBA and the like. Because of that popularity and wide use, hackers are always looking for vulnerabilities in it, so Drupal security is crucial.
In this article, I’ll set out Drupal security best practices, together with the modules that support each one.
1) Make sure your login is secure: Let’s start with the very first step. The login is the entry to your Drupal site and the first line of defense against hackers. So how do you secure your Drupal login? This is where Drupal modules come in: you can download and install them to make the login more secure.
The Drupal Security Modules you can download: Login Security, Flood Control, Password Policy
Login Security – This Drupal module secures the login by restricting repeated failed login attempts. Other things the module allows you to do:
- Permanently or temporarily block an IP address
- Set notifications in case of a brute-force attack
- Replace Drupal’s core login messages so that the reason for refusing authentication is not shown – this makes it harder for a hacker even to guess whether the account exists.
Get the module here: http://drupal.org/project/login_security
Flood Control – offers much the same protection. Get the module here: https://www.drupal.org/project/flood_control
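To make the behaviour of these two modules concrete, here is an added example (my own illustration, not code from Login Security or Flood Control) of the throttling logic they implement: failed attempts are counted per account and per source IP, a temporary block is applied when a limit is reached, a permanent ban is available for known-bad hosts, a notification hook fires when brute force is suspected, and every failure returns the same generic message so the response never reveals whether the account exists. The limits, window and block length are assumptions chosen for the illustration; the real modules let the administrator configure them.

```python
import time
from collections import defaultdict, deque

# Thresholds are illustrative assumptions, not the Login Security or Flood
# Control defaults; both modules let the site administrator tune them.
USER_LIMIT = 5        # failed attempts per account before a temporary block
HOST_LIMIT = 20       # failed attempts per IP address before a temporary block
WINDOW = 3600         # seconds over which failures are counted
BLOCK_SECONDS = 900   # length of a temporary block

# One message for every failure, so a response never reveals whether the
# account exists, which factor was wrong, or that a block is in force.
GENERIC_MESSAGE = "Login failed. Please check your credentials and try again."


class LoginGuard:
    """Tracks failed logins per account and per source IP and throttles both."""

    def __init__(self, verify, notify=None, now=time.time):
        self._verify = verify                 # callable(username, password) -> bool
        self._notify = notify or (lambda message: None)
        self._now = now                       # injectable clock, for tests
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._blocked_until = {}              # key -> epoch when a temporary block ends
        self._banned = set()                  # keys blocked permanently

    def _recent_failures(self, key):
        """Drop failures older than WINDOW and return how many remain."""
        cutoff = self._now() - WINDOW
        queue = self._failures[key]
        while queue and queue[0] < cutoff:
            queue.popleft()
        return len(queue)

    def is_blocked(self, key):
        if key in self._banned:
            return True
        until = self._blocked_until.get(key)
        return until is not None and until > self._now()

    def ban(self, key):
        """Permanent block, e.g. 'host:203.0.113.5' once an admin decides to ban it."""
        self._banned.add(key)

    def attempt(self, username, password, ip):
        user_key, host_key = f"user:{username}", f"host:{ip}"
        # Refuse before checking credentials, so a blocked caller cannot keep probing.
        if self.is_blocked(user_key) or self.is_blocked(host_key):
            return False, GENERIC_MESSAGE
        if self._verify(username, password):
            self._failures.pop(user_key, None)
            return True, "Welcome"
        now = self._now()
        for key, limit in ((user_key, USER_LIMIT), (host_key, HOST_LIMIT)):
            self._failures[key].append(now)
            if self._recent_failures(key) >= limit:
                self._blocked_until[key] = now + BLOCK_SECONDS
                self._notify(f"brute-force suspected: {key} blocked for {BLOCK_SECONDS}s")
        return False, GENERIC_MESSAGE


if __name__ == "__main__":
    # Constructed demo: one account, one guessing client.
    guard = LoginGuard(verify=lambda u, p: (u, p) == ("alice", "correct horse"),
                       notify=print)
    for _ in range(USER_LIMIT + 1):
        print(guard.attempt("alice", "guess", "203.0.113.5"))
```

Note that the block is checked before the password, so a correct password submitted during a block is still refused with the generic message; that is what stops an attacker from confirming a guess once throttling has kicked in.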
Password Policy – This module allows you to:
- Set constraints on password creation, including special characters, capital letters, password length, etc.
- Prevent reuse of old passwords
- Set expiry time for passwords
Get the module here: https://www.drupal.org/project/password_policy
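The three capabilities listed above (constraints, reuse prevention and expiry) can be seen working together in this added example. It is my own illustration, not code from the Password Policy module: the specific rules (minimum length of 12, five-password history, 90-day expiry) are assumptions for the example, and passwords are stored as salted PBKDF2 hashes so the history check compares hashes rather than keeping old passwords in the clear.

```python
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass, field

# Policy values are illustrative; Password Policy lets the site choose its own.
MIN_LENGTH = 12
HISTORY_SIZE = 5        # how many previous passwords may not be reused
MAX_AGE_DAYS = 90       # passwords older than this must be changed
PBKDF2_ROUNDS = 100_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_at: float                                   # Unix time the password was set
    history: list = field(default_factory=list)     # (salt, digest) of earlier passwords


def check_constraints(password, username):
    """Return the list of unmet rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"at least {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("an uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("a lowercase letter")
    if not re.search(r"\d", password):
        problems.append("a digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("a special character")
    if username and username.lower() in password.lower():
        problems.append("must not contain the username")
    return problems


def was_used_before(password, record):
    """True if the candidate matches the current password or any kept in history."""
    candidates = [(record.salt, record.digest)] + record.history[-HISTORY_SIZE:]
    return any(hmac.compare_digest(_hash(password, s), d) for s, d in candidates)


def is_expired(record, now=None):
    now = time.time() if now is None else now
    return now - record.set_at > MAX_AGE_DAYS * 86400


def set_password(record, new_password, username, now=None):
    """Apply all policy checks, then rotate the record.

    Returns (record, problems); on success the new record and an empty list,
    otherwise the unchanged record and the list of violations.
    """
    problems = check_constraints(new_password, username)
    if record is not None and was_used_before(new_password, record):
        problems.append(f"must differ from the last {HISTORY_SIZE} passwords")
    if problems:
        return record, problems
    salt = os.urandom(16)
    now = time.time() if now is None else now
    history = [] if record is None else (record.history + [(record.salt, record.digest)])[-HISTORY_SIZE:]
    return PasswordRecord(salt, _hash(new_password, salt), now, history), []


if __name__ == "__main__":
    # Constructed walk-through for a user named 'bob'.
    rec, errs = set_password(None, "Correct-Horse-Battery-9", "bob")
    print("first set:", errs or "ok")
    _, errs = set_password(rec, "Correct-Horse-Battery-9", "bob")
    print("reuse attempt:", errs)
    print("expired after 91 days?", is_expired(rec, now=rec.set_at + 91 * 86400))
```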
2) Tighten security across your pages: You want to make sure you safeguard against attacks throughout your site.
The Drupal Security Modules you can download: Paranoia
Drupal’s Paranoia module automatically detects places in your application that allow users to evaluate PHP and blocks them, potentially stopping an attack that uses PHP code to gain access to Drupal sites. This prevents a hacker from gaining elevated permissions on your website. However, this shouldn’t be used in production.
The features of this module include the ability to disable:
- Granting of the “use PHP for block visibility” permission
- Creation of input formats that use the PHP filter
- Editing the user #1 account
- Granting risky permissions
Get the module here: https://www.drupal.org/project/paranoia
3) Use HTTPS to secure your links: Traffic transmitted over http:// can be intercepted, tampered with and recorded by anyone on the path. You want to make sure you secure your Drupal site against such breaches to protect valuable information like credit card details, transaction IDs, etc.
The Drupal Security Module you can download: Secure Kit
Secure Kit – a Drupal module that helps you secure even your HTTPS links, including protection against XFS (cross-frame scripting).
This module adds security against a range of threats to HTTPS applications, including cross-site request forgery attacks.
- Works in Safari and Google Chrome
- Prevents MIME content-type sniffing
- Adds the X-Frame-Options HTTP response header to prevent clickjacking
- Helps implement HTTPS
- Helps implement Content Security Policy
Get the module here: https://www.drupal.org/project/seckit
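A quick way to confirm that these protections are actually reaching the browser is to audit the response headers a site sends. The script below is an added example, not part of Secure Kit: it checks for the headers discussed above (X-Frame-Options against clickjacking, X-Content-Type-Options against MIME sniffing, Content-Security-Policy, and Strict-Transport-Security to keep clients on HTTPS) and flags a plain http:// URL. The "strong enough" thresholds are my own baseline, not the module's defaults, and the sample header sets at the bottom are constructed.

```python
import sys
import urllib.request


def _max_age(value):
    """Extract max-age from a Strict-Transport-Security value; 0 if absent."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0


# Header -> (threat it mitigates, predicate that says the value is strong enough).
# Thresholds are a sensible baseline chosen for this example, not Secure Kit's defaults.
CHECKS = {
    "X-Frame-Options": ("clickjacking",
                        lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN")),
    "X-Content-Type-Options": ("MIME content-type sniffing",
                               lambda v: v.strip().lower() == "nosniff"),
    "Content-Security-Policy": ("injected scripts (XSS)",
                                lambda v: "default-src" in v or "script-src" in v),
    "Strict-Transport-Security": ("downgrade to plain HTTP",
                                  lambda v: _max_age(v) >= 31536000),   # one year
}


def audit_headers(url, headers):
    """Return a list of findings for one response; an empty list means all checks passed."""
    findings = []
    if not url.lower().startswith("https://"):
        findings.append("site served over http://: traffic can be read and modified in transit")
    normalized = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    for name, (threat, strong_enough) in CHECKS.items():
        value = normalized.get(name.lower())
        if value is None:
            findings.append(f"missing {name} (no protection against {threat})")
        elif not strong_enough(value):
            findings.append(f"weak {name}: {value!r}")
    return findings


def fetch_and_audit(url):
    """Fetch a URL and audit its headers; only used when a URL is given on the command line."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return audit_headers(url, dict(resp.headers))


# Constructed sample responses, for running the audit offline.
HARDENED = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
UNHARDENED = {"x-frame-options": "ALLOWALL", "Strict-Transport-Security": "max-age=60"}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        findings = fetch_and_audit(sys.argv[1])
    else:
        findings = audit_headers("http://example.org/", UNHARDENED)
    print("\n".join(findings) or "all checks passed")
```

Run it with a URL argument to audit a live site you administer, or with no arguments to see the findings for the constructed unhardened sample.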
4) Conduct regular site-wide audits: Drupal allows a great deal to be done through configuration, which is a plus point, but it is also a drawback: a misconfiguration exposes the website to vulnerabilities.
A good practice is to regularly run audit checks on your site’s configuration and permission screens.
The Drupal Security Module you can download: Security Review
Security Review – Security Review is fantastic for testing for security issues on your Drupal sites. The module is easy to use. It shouldn’t be used in production, though. It can check these things:
- System file permissions, to prevent arbitrary code execution
- Protection against XSS
- Safe error reporting
- Secured private files
- Only file extensions marked as “safe” allowed
- Database errors and failed login attempts
- Protection against password brute-forcing
- Protection against phishing
- User access control
Get the module here: https://www.drupal.org/project/security_review
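To show what a few of those checks look like in practice, here is an added example of a small audit script. It is my own illustration, not the Security Review module's code: it verifies that settings.php is not group- or world-writable, that the private file path lies outside the web root, that error reporting is not verbose, and that the failed-login count is below a threshold. The settings.php location and the error_level values follow Drupal 8+ conventions; the failed-login threshold and the throwaway demo site it builds are assumptions for the example.

```python
import os
import stat
import tempfile

# The failed-login threshold is an illustrative assumption for this example.
FAILED_LOGIN_THRESHOLD = 50


def audit_site(web_root, private_files_path, error_level, failed_logins_last_day):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # 1. settings.php must not be writable by the web server's group or by others;
    #    a writable settings file is a route to arbitrary code execution.
    settings = os.path.join(web_root, "sites", "default", "settings.php")
    try:
        mode = os.stat(settings).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{settings} is group- or world-writable ({stat.filemode(mode)})")
    except FileNotFoundError:
        findings.append(f"{settings} not found")

    # 2. Private files must live outside the web root, or the web server can serve them.
    root = os.path.realpath(web_root)
    private = os.path.realpath(private_files_path)
    if private == root or private.startswith(root + os.sep):
        findings.append(f"private file path {private} is inside the web root")

    # 3. Drupal 8+ error_level values: 'hide', 'some', 'all', 'verbose'.
    #    Anything above 'some' shows paths and queries to visitors.
    if error_level in ("all", "verbose"):
        findings.append(f"error_level is '{error_level}'; errors are shown to site visitors")

    # 4. A burst of failed logins in the log is a brute-force indicator.
    if failed_logins_last_day >= FAILED_LOGIN_THRESHOLD:
        findings.append(f"{failed_logins_last_day} failed logins in the last day")

    return findings


def make_demo_site():
    """Create a throwaway directory with a deliberately world-writable settings.php (constructed)."""
    root = tempfile.mkdtemp(prefix="drupal-audit-demo-")
    default = os.path.join(root, "sites", "default")
    os.makedirs(default)
    settings = os.path.join(default, "settings.php")
    with open(settings, "w") as fh:
        fh.write("<?php\n$settings['hash_salt'] = 'PLACEHOLDER';\n")
    os.chmod(settings, 0o666)
    return root


if __name__ == "__main__":
    demo = make_demo_site()
    private_inside = os.path.join(demo, "sites", "default", "files", "private")
    for finding in audit_site(demo, private_inside, "verbose", 120):
        print("FAIL:", finding)
```

Point `audit_site` at a real web root with the values from your own settings.php and watchdog log to reproduce the same four checks on a live installation.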
Doing a regular check of your code is also important to keep your site secure. A flaw in your code could expose your site to security breaches.
5) Two-factor authentication is a good bet: We at ResellerClub have a two-factor authentication login. While a login without this step authenticates your identity with just your username and password (which can easily be compromised), two-factor authentication, as the name suggests, prompts you for an additional verification, such as a verification code sent to your mobile number.
The Drupal Modules you can download: Two Factor Authentication
- It works with an unlimited number of third-party providers
- It provides flood control
- It has been tested more than a hundred times
Get the module here: https://www.drupal.org/project/tfa
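The most common second factor is a time-based one-time code from an authenticator app, and the flood control mentioned above matters just as much for that step as for the password. This added example (my own illustration, not the TFA module's code) implements RFC 4226 HOTP and RFC 6238 TOTP verification with a small clock-skew window, rejects replay of a code that has already been accepted, and locks the second step after a fixed number of failures; the failure limit and the skew window are assumptions, and the secret used in the demo is the RFC test secret.

```python
import base64
import hashlib
import hmac
import struct
import time

DIGITS = 6
STEP = 30          # seconds per TOTP time step
DRIFT = 1          # accept one step either side to tolerate clock skew (assumption)
MAX_FAILURES = 5   # illustrative flood-control limit, not the TFA module's default


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, now=None, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    now = time.time() if now is None else now
    return hotp(secret, int(now // step), digits)


class TotpVerifier:
    """Verifies TOTP codes for one user, with replay protection and a failure lockout."""

    def __init__(self, secret_b32):
        self.secret = base64.b32decode(secret_b32.upper())
        self.failures = 0
        self.last_counter = -1   # highest time step already accepted

    def verify(self, code, now=None):
        if self.failures >= MAX_FAILURES:
            return False          # locked out: flood control for the second factor
        now = time.time() if now is None else now
        counter = int(now // STEP)
        for c in range(counter - DRIFT, counter + DRIFT + 1):
            # A step at or below last_counter has been used already: refuse replay.
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                self.failures = 0
                return True
        self.failures += 1
        return False


# RFC 4226 / RFC 6238 test secret ("12345678901234567890") in base32.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    verifier = TotpVerifier(RFC_TEST_SECRET_B32)
    code = totp(verifier.secret)
    print("current code:", code, "accepted:", verifier.verify(code))
    print("same code again accepted:", verifier.verify(code))   # replay is refused
```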
We’d love to hear how you would use these Drupal security modules to secure your own or your clients’ Drupal websites. Stay tuned for more on how to secure WordPress sites.