Drupal is a popular open-source content management system that powers over 1,000,000 websites worldwide, including BBC Store, FOX, Al Jazeera, Lady Gaga, Bruno Mars, Cisco, the NBA and the like. However, because of its popularity and wide use, hackers are always looking for vulnerabilities in Drupal, so security is crucial.
In this article, I’ll put forth a few pointers on how to make Drupal websites secure for your clients and the best security modules for this CMS.
1) Make sure your login is secure: Let’s start with the very first step. Login – the entry to your Drupal site and the first line of defense against hackers. So how do you secure your login?
The Drupal Modules you can download: Login Security, Flood Control, Password Policy
Login Security: This Drupal module secures the login by restricting multiple failed login attempts. Other benefits that the module allows for are:
Get the module here: http://drupal.org/project/login_security
Flood Control pretty much offers the same. Get the module here: https://www.drupal.org/project/flood_control
Password Policy: This module allows you to:
Get the module here: https://www.drupal.org/project/password_policy
2) Stay Updated: Updates are important because they fix bugs and deliver upgrades, which matters especially for scripts and software. Regular updates keep your websites secure.
The Drupal Modules you can download: Update Manager
Update Manager is great to help you:
Get the module here: https://www.drupal.org/documentation/modules/update
3) Tighten security across your pages: You want to make sure you safeguard against attacks throughout your site.
The Drupal Modules you can download: Paranoia
Drupal’s Paranoia module automatically detects places in your application that allow users to evaluate PHP and blocks them, potentially stopping an attack that uses PHP code to gain access to Drupal sites. This prevents a hacker from gaining elevated permissions on your website.
The features of this module include permission to disable:
Get the module here: https://www.drupal.org/project/paranoia
4) Use HTTPS to secure your links: Traffic transmitted over http:// can be intercepted, recorded and tampered with by anyone on the network path. You want to make sure you secure your Drupal site against such breaches to protect valuable information like credit card details, transaction IDs, etc.
The Drupal Modules you can download: Secure Pages, Secure Kit
Secure Pages: The Secure Pages module extends a security layer to protect certain web pages. It prevents hijacked sessions from accessing SSL pages. This is especially important for e-commerce sites with payment gateways and online transactions.
Get the module here: https://www.drupal.org/project/securepages_prevent_hijack
Secure Kit: This Drupal module helps you secure even your HTTPS links, for example against XFS (cross-frame scripting).
It adds protection against various security threats to HTTPS sites, including cross-site request forgery attacks in the application.
Get the module here: https://www.drupal.org/project/seckit
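To confirm from the outside that the protections in this section are in effect, you can inspect the headers of an HTTPS response. The following is an added example, not code from this article or from any of the modules; the function name, finding labels and both sample responses are constructed for illustration.

```python
from http.cookies import SimpleCookie


def audit_headers(headers):
    """headers: list of (name, value) pairs taken from one HTTPS response.
    Returns a sorted list of findings; an empty list means every check passed."""
    lower = [(k.lower(), v) for k, v in headers]

    def values(name):
        return [v for k, v in lower if k == name]

    findings = []
    # HSTS tells browsers to refuse plain http:// for this host in future.
    if not any("max-age=" in v.lower() for v in values("strict-transport-security")):
        findings.append("missing-hsts")
    # Framing protection (XFS): X-Frame-Options or a CSP frame-ancestors directive.
    xfo = any(v.strip().upper() in ("DENY", "SAMEORIGIN") for v in values("x-frame-options"))
    csp = any("frame-ancestors" in v.lower() for v in values("content-security-policy"))
    if not (xfo or csp):
        findings.append("missing-frame-protection")
    # Drupal session cookies are named SESS<hash> (SSESS<hash> over HTTPS).
    for raw in values("set-cookie"):
        cookie = SimpleCookie()
        cookie.load(raw)
        for name, morsel in cookie.items():
            if name.startswith(("SESS", "SSESS")):
                if not morsel["secure"]:      # cookie could travel over http://
                    findings.append("session-cookie-not-secure")
                if not morsel["httponly"]:    # cookie readable by page scripts
                    findings.append("session-cookie-not-httponly")
    return sorted(findings)


# Constructed sample responses (not captured from a real site).
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESS9f2c1a=constructedvalue; path=/; HttpOnly"),
]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Set-Cookie", "SSESS9f2c1a=constructedvalue; path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    print("weak:", audit_headers(WEAK))
    print("hardened:", audit_headers(HARDENED))
```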
5) Conduct regular site-wide audits: Drupal allows much to be done through configuration, which is a plus point, but it is also a drawback, because misconfiguration can expose the website to vulnerabilities.
A good practice is to regularly run audit checks on your site’s configuration and permission screens.
The Drupal Modules you can download: Security Review, Coder
Security Review: Security Review is fantastic for testing security issues on your Drupal sites. The module is easy to use. It can check these things:
Get the module here: https://www.drupal.org/project/security_review
Doing a regular check of your code is also important to keep your site secure. A flaw in your code could expose your site to security breaches.
The Coder module is fantastic for helping you find flaws in your code, such as SQL injection.
Get the module here: https://drupal.org/project/coder
6) 2 Factor Authentication is a good bet: We at ResellerClub have a 2 Factor Authentication login. While a login without this step involves authenticating your identity with just your username and password (which can be easily compromised), a two-factor login, as the name suggests, prompts you to submit an additional verification, such as a verification code sent to your mobile number.
The Drupal Modules you can download: Two Factor Authentication
Get the module here: https://www.drupal.org/project/tfa
We’d love to hear how you use these modules to secure your clients’ Drupal sites. Stay tuned for more on how to secure WordPress sites.