How to Secure Your Client’s Drupal Website

    Drupal is a popular open-source content management system that powers over 1,000,000 websites worldwide, including BBC Store, FOX, Al Jazeera, Lady Gaga, Bruno Mars, Cisco and the NBA. That popularity is exactly why attackers keep probing Drupal for vulnerabilities: a single flaw in core or in a widely used module can be exploited across a million sites at once, so security is crucial.


    In this article, I’ll put forth a few pointers on how to make Drupal websites secure for your clients and the best security modules for this CMS.


    1) Make sure your login is secure: Let’s start with the very first step. Login – the entry to your Drupal site and the first line of defense against hackers. So how do you secure your login?


    The Drupal Modules you can download: Login Security, Flood Control, Password Policy


    Login Security: This module hardens the login form by limiting failed login attempts. It also lets you:


    • Permanently or temporarily block an IP address after a configurable number of failures

    • Send notifications (for example by email) when a brute-force attack is detected

    • Replace Drupal’s core login messages with a single generic failure message, so the response no longer reveals whether the username exists or only the password was wrong

    Get the module here: http://drupal.org/project/login_security


    Flood Control exposes Drupal core’s built-in login throttling (the number of failed attempts allowed per IP address and per account, and the time window they are counted in) as settings in the admin UI, so you can tighten the defaults without editing settings.php. Get the module here: https://www.drupal.org/project/flood_control
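    To make the behaviour of these two modules concrete, here is an added example (written for this article, not code from Login Security, Flood Control or Drupal core) of the login flow they enforce: a per-IP and a per-account failure counter with a sliding window, modelled on core’s flood table, plus a single generic error message so an attacker cannot tell an unknown username from a wrong password. The thresholds, the user store and the messages are assumptions for the demo.

```python
import hmac
from collections import defaultdict, deque

# Thresholds modelled on Drupal 7 core's defaults (50 failed logins per IP per hour,
# 5 failed logins per account per 6 hours). The exact numbers are assumptions for the demo.
IP_LIMIT, IP_WINDOW = 50, 3600
USER_LIMIT, USER_WINDOW = 5, 6 * 3600

# One message for every credential failure, so a caller cannot learn whether the account exists.
GENERIC_FAILURE = "Sorry, unrecognized username or password."
IP_BLOCKED = "Sorry, too many failed login attempts from your IP address. Try again later."
USER_BLOCKED = ("Sorry, there have been more than 5 failed login attempts for this account. "
                "It is temporarily blocked.")

# Constructed user store for the demo. Real Drupal stores salted hashes, never plaintext.
USERS = {"alice": "correct horse battery staple"}


class FloodControl:
    """In-memory stand-in for Drupal's flood table: a timestamp log per (event, identifier)."""

    def __init__(self):
        self._events = defaultdict(deque)

    def register(self, event, identifier, now):
        self._events[(event, identifier)].append(now)

    def is_allowed(self, event, identifier, threshold, window, now):
        log = self._events[(event, identifier)]
        while log and log[0] <= now - window:  # drop events that have fallen out of the window
            log.popleft()
        return len(log) < threshold

    def clear(self, event, identifier):
        self._events.pop((event, identifier), None)


def attempt_login(flood, ip, username, password, now):
    """Return (success, message) for one login attempt at Unix time `now`.

    The order of checks follows core's login validation: per-IP limit first,
    then per-account limit, then the credential check itself.
    """
    if not flood.is_allowed("failed_login_ip", ip, IP_LIMIT, IP_WINDOW, now):
        return False, IP_BLOCKED

    # Core keys the per-account counter by uid and IP; the username stands in for the uid here.
    account_key = f"{username}-{ip}"
    if not flood.is_allowed("failed_login_user", account_key, USER_LIMIT, USER_WINDOW, now):
        return False, USER_BLOCKED

    stored = USERS.get(username)
    if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
        flood.clear("failed_login_user", account_key)  # a good login resets the account counter
        return True, "Welcome back, " + username

    flood.register("failed_login_ip", ip, now)
    if stored is not None:  # only existing accounts get a per-account counter, as in core
        flood.register("failed_login_user", account_key, now)
    return False, GENERIC_FAILURE
```

    Note that a blocked account refuses even the correct password until the window has passed, which is the point: the attacker cannot keep guessing, and the legitimate user sees an explicit lock-out message rather than a silent failure.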


    Password Policy: This module allows you to:


    • Set constraints for password creation: minimum length, uppercase letters, digits, special characters, and so on

    • Prevent reuse of a configurable number of previous passwords

    • Set an expiry period after which users must change their password

    Get the module here: https://www.drupal.org/project/password_policy
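    The three features above fit together as one validation step at password change time. The following is an added example written for this article, not code from the Password Policy module: it checks a candidate against composition rules, compares it against a history of salted hashes (never the plaintexts) to block reuse, and reports when a password has passed its expiry. The rule values and the PBKDF2 parameters are assumptions for the demo.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

DAY = 86400


@dataclass
class PasswordPolicy:
    """Constraints of the kind Password Policy lets you configure (values are assumptions)."""
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    history_size: int = 5      # how many previous passwords may not be reused
    max_age_days: int = 90     # password must be changed after this many days


@dataclass
class Account:
    name: str
    history: list = field(default_factory=list)   # (salt, pbkdf2 digest) of past passwords
    changed_at: float = 0.0                        # Unix time of the last change


def _digest(password: str, salt: bytes) -> bytes:
    # Only hashes go into the history; 50k iterations keeps the demo quick.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def violations(policy: PasswordPolicy, account: Account, candidate: str) -> list:
    """Return every rule the candidate breaks; an empty list means it is acceptable."""
    errors = []
    if len(candidate) < policy.min_length:
        errors.append(f"at least {policy.min_length} characters required")
    if policy.require_upper and not re.search(r"[A-Z]", candidate):
        errors.append("an uppercase letter is required")
    if policy.require_lower and not re.search(r"[a-z]", candidate):
        errors.append("a lowercase letter is required")
    if policy.require_digit and not re.search(r"\d", candidate):
        errors.append("a digit is required")
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", candidate):
        errors.append("a special character is required")
    if account.name.lower() in candidate.lower():
        errors.append("the password must not contain the username")
    for salt, digest in account.history[-policy.history_size:]:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            errors.append(f"one of the last {policy.history_size} passwords may not be reused")
            break
    return errors


def change_password(policy, account, candidate, now) -> list:
    """Apply the policy; on success record the new hash and timestamp and return []."""
    errors = violations(policy, account, candidate)
    if errors:
        return errors
    salt = os.urandom(16)
    account.history.append((salt, _digest(candidate, salt)))
    account.changed_at = now
    return []


def is_expired(policy, account, now) -> bool:
    """True once the password is older than the policy allows (force a change at next login)."""
    return now - account.changed_at > policy.max_age_days * DAY
```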


    2) Stay Updated: Updates matter because they fix bugs, and for Drupal core and contributed modules that includes security fixes announced through the Drupal security advisories. Once an advisory is public, attackers know exactly what to look for, so a site that lags behind on updates is exposed. Apply security releases promptly, and test other updates on a staging copy first.


    The Drupal module to enable: Update Manager (it ships with Drupal core, so it only needs to be switched on)


    Update Manager helps you:


    • Keep track of new releases of Drupal core and your installed themes and modules, flagging security releases separately from ordinary updates

    • Get notified by email when an update is available, and review the status report for what is still pending

    Get the module here: https://www.drupal.org/documentation/modules/update


    3) Tighten security across your pages: You want to make sure you safeguard against attacks throughout your site.


    The Drupal Modules you can download: Paranoia


    Drupal’s Paranoia module finds the places in a site where a privileged user can evaluate PHP code and disables them. That matters because an attacker who gets hold of one administrator account (through a phished password, a stolen session or a CSRF flaw) would otherwise turn that account into arbitrary code execution on your server; Paranoia removes that escalation path.


    Specifically, the module:


    • Prevents the “use PHP for block visibility” permission from being granted

    • Prevents creation of text formats that use the PHP filter, and keeps the PHP filter module from being enabled

    • Blocks editing of the user #1 account

    • Prevents other risky permissions from being granted to any role

    Get the module here: https://www.drupal.org/project/paranoia


    4) Use HTTPS to secure your links: Traffic sent over plain http:// can be read, recorded and modified by anyone on the network path between the visitor and your server, whether that is a shared Wi-Fi hotspot or a compromised router. You want to make sure you secure your Drupal site against such interception to protect valuable information like login credentials, session cookies, credit card details and transaction IDs.


    The Drupal Modules you can download: Secure Pages (with Secure Pages Hijack Prevention), Security Kit


    Secure Pages: The Secure Pages module lets you force selected paths (login, user account, checkout and payment pages) onto HTTPS while the rest of the site stays on HTTP. Its companion module, Secure Pages Hijack Prevention (linked below), issues a separate session cookie for the HTTPS pages, so a session cookie captured from a plain HTTP page cannot be replayed to reach them. This is especially important for e-commerce sites with payment gateways and online transactions. If you can, the simpler and safer option today is to serve the whole site over HTTPS and enforce it with HSTS (see Security Kit below).


    Get the module here: https://www.drupal.org/project/securepages_prevent_hijack


    Security Kit: The Security Kit (seckit) module adds HTTP response headers that instruct the browser to enforce protections on the client side, on HTTPS and HTTP pages alike.


    It addresses several attack classes at once: cross-site scripting, cross-site request forgery (by validating the Origin header of POST requests), clickjacking and cross-frame scripting, and SSL/TLS downgrade.


    • Sends the X-XSS-Protection header, honoured by Internet Explorer 8+, Chrome and Safari

    • Sends X-Content-Type-Options: nosniff so browsers do not MIME-sniff a response into executable content

    • Adds the X-Frame-Options response header to prevent clickjacking

    • Enforces HTTPS with HTTP Strict Transport Security (HSTS)

    • Lets you define a Content Security Policy

    Get the module here: https://www.drupal.org/project/seckit
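    Installing Security Kit is only half the job; you should also confirm that the headers actually reach the browser (a reverse proxy or CDN can strip or override them). The following is an added example written for this article, not code from Security Kit: it audits a captured set of response headers for the protections listed above, plus the Secure and HttpOnly flags on Drupal’s session cookie. The two sample responses are constructed, and the one-year HSTS threshold is an assumption.

```python
import re

ONE_YEAR = 31536000


def audit_response_headers(headers):
    """Check a list of (name, value) response headers for Security Kit-style protections.

    Returns a list of findings; an empty list means every check passed.
    """
    findings = []
    lower = [(name.lower(), value) for name, value in headers]
    first = {name: value for name, value in reversed(lower)}  # first occurrence wins

    hsts = first.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header: browsers will still follow http:// links")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age is below one year")

    xfo = first.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive: page can be framed (clickjacking)")

    if first.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing (MIME sniffing possible)")

    csp = first.get("content-security-policy")
    if csp is None:
        findings.append("no Content-Security-Policy header")
    else:
        script_src = re.search(r"(?:^|;)\s*script-src\s+([^;]*)", csp)
        if script_src and "'unsafe-inline'" in script_src.group(1):
            findings.append("Content-Security-Policy allows inline scripts ('unsafe-inline' in script-src)")

    for name, value in lower:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        flags = {part.strip().lower() for part in value.split(";")[1:]}
        if cookie_name.upper().startswith(("SESS", "SSESS")):  # Drupal's session cookie names
            if "secure" not in flags:
                findings.append(f"session cookie {cookie_name} lacks the Secure flag")
            if "httponly" not in flags:
                findings.append(f"session cookie {cookie_name} lacks the HttpOnly flag")
    return findings


# Constructed samples: a stock Drupal response over HTTP, and one with Security Kit-style hardening.
DEFAULT_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Generator", "Drupal 7 (http://drupal.org)"),
    ("Set-Cookie", "SESSabc123=deadbeef; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/"),
]

HARDENED_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self'; object-src 'none'"),
    ("Set-Cookie", "SSESSabc123=deadbeef; path=/; Secure; HttpOnly"),
]
```

    Run it against headers captured with curl -I from outside your network, not from the server itself, so that whatever sits in front of Drupal is included in the check.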


    5) Conduct regular site-wide audits: Because Drupal lets you do so much through configuration (a plus point), it also means a site can be made vulnerable by configuration alone: an over-permissive role, a text format that exposes a dangerous filter to untrusted users, or error messages displayed to visitors.


    A good practice is to regularly run audit checks on your site’s configuration and permission screens.


    The Drupal Modules you can download: Security Review, Coder


    Security Review: Security Review is a fantastic tool for checking a Drupal site for common security misconfigurations. It is a reporting module: it tells you what is wrong and how to fix it, but you make the changes yourself. Its checks include:


    • File system permissions, so the web server cannot write to (and later execute) files under the Drupal root

    • Text formats available to untrusted roles that allow dangerous HTML tags (XSS)

    • Error reporting: PHP errors should be logged, not displayed to visitors

    • Private files directory location: it must sit outside the web root

    • Allowed upload extensions: executable extensions such as php, pl, py or cgi must not be uploadable

    • Database log entries for recent errors and failed login attempts (brute forcing)

    • Whether $base_url is set in settings.php, which defends against some Host-header-based phishing

    • Admin-level permissions granted to the anonymous or authenticated roles (user access control)

    Get the module here: https://www.drupal.org/project/security_review
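    Several of the checks above, and the PHP-evaluation settings Paranoia locks down in section 3, can be expressed as rules over a snapshot of the site’s configuration. The following is an added example written for this article, not code from Security Review or Paranoia: it audits a constructed snapshot (roles and their permissions, text formats, a few variables, allowed upload extensions) and reports findings with a severity. The snapshot values, the permission list and the severities are assumptions for the demo.

```python
import posixpath

# Permissions Paranoia refuses to grant, and Security Review flags when untrusted roles hold them.
RISKY_PERMISSIONS = {
    "administer permissions", "administer users", "administer modules", "administer filters",
    "administer site configuration", "use PHP for settings", "use PHP for block visibility",
}
UNTRUSTED_ROLES = {"anonymous user", "authenticated user"}
# Upload extensions the web server might execute if a visitor is allowed to upload them.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "pl", "py", "cgi", "asp", "exe", "sh"}

# Constructed snapshot of a badly configured Drupal 7 site (what the permission screens,
# the text format screens and `drush vget` would show). Every value is made up for the demo.
WEAK_SITE = {
    "webroot": "/var/www/html",
    "variables": {
        "error_level": 1,  # 1 = display errors on screen, 0 = write to the log only
        "file_private_path": "/var/www/html/sites/default/files/private",
    },
    "modules_enabled": {"php", "filter", "user"},
    "roles": {
        "anonymous user": {"access content", "use PHP for settings"},
        "authenticated user": {"access content", "post comments"},
        "administrator": {"administer permissions", "administer users"},
    },
    "text_formats": {
        "filtered_html": {"roles": {"anonymous user", "authenticated user"}, "filters": {"filter_html"}},
        "php_code": {"roles": {"authenticated user"}, "filters": {"php_code"}},
    },
    "upload_extensions": {"field_attachment": "txt pdf php"},
}

# The same site after remediation.
HARDENED_SITE = {
    "webroot": "/var/www/html",
    "variables": {"error_level": 0, "file_private_path": "/var/www/private"},
    "modules_enabled": {"filter", "user"},
    "roles": {
        "anonymous user": {"access content"},
        "authenticated user": {"access content", "post comments"},
        "administrator": {"administer permissions", "administer users"},
    },
    "text_formats": {
        "filtered_html": {"roles": {"anonymous user", "authenticated user"}, "filters": {"filter_html"}},
    },
    "upload_extensions": {"field_attachment": "txt pdf"},
}


def audit_site(site):
    """Return (severity, message) findings for a configuration snapshot; [] means all checks passed."""
    findings = []
    variables = site["variables"]
    if variables.get("error_level", 0) != 0:
        findings.append(("medium", "PHP errors are shown to visitors; set error_level to 0 so they only go to the log"))
    private = variables.get("file_private_path")
    if private and posixpath.commonpath([private, site["webroot"]]) == site["webroot"]:
        findings.append(("high", f"private files path {private} is inside the web root and may be served directly"))
    if "php" in site["modules_enabled"]:
        findings.append(("high", "the PHP filter module is enabled; Paranoia would keep it disabled"))
    for role, perms in site["roles"].items():
        risky = perms & RISKY_PERMISSIONS
        if role in UNTRUSTED_ROLES and risky:
            findings.append(("critical", f"untrusted role '{role}' holds risky permissions: {sorted(risky)}"))
    for name, fmt in site["text_formats"].items():
        if "php_code" in fmt["filters"] and fmt["roles"] & UNTRUSTED_ROLES:
            findings.append(("critical", f"text format '{name}' evaluates PHP and is available to untrusted roles"))
    for field, extensions in site["upload_extensions"].items():
        bad = set(extensions.lower().split()) & EXECUTABLE_EXTENSIONS
        if bad:
            findings.append(("high", f"field '{field}' allows executable upload extensions: {sorted(bad)}"))
    return findings
```

    The two “critical” findings are the ones Paranoia prevents outright; the rest are what Security Review would report for you to fix by hand.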


    Doing a regular check of your code is also important to keep your site secure. A flaw in your code could expose your site to security breaches.


    Coder reviews custom module and theme code against Drupal’s coding standards and flags insecure patterns, such as queries built by string concatenation instead of the database API’s placeholders (SQL injection) and output that is not passed through check_plain() or t() (XSS).


    Get the module here: https://drupal.org/project/coder


    6) Two-factor authentication is a good bet: We, at ResellerClub, have a two-factor authentication login. A login without this step authenticates your identity with just a username and password, which can be phished, guessed or reused from another site’s breach; two-factor authentication, as the name suggests, prompts you for an additional verification such as a one-time code generated by an authenticator app or sent to your mobile number.


    The Drupal Modules you can download: Two-factor Authentication (TFA)


    • It is a pluggable framework: companion modules provide the actual second factors, such as time-based one-time codes from an authenticator app, SMS codes and recovery codes

    • It applies flood control to the second-factor step, so the one-time code cannot be brute-forced

    • It has been tested extensively

    Get the module here: https://www.drupal.org/project/tfa


    We’d love to hear how you use these modules to secure your clients’ Drupal sites. Stay tuned for more on how to secure WordPress sites.