Drupal is the popular open-source content management system written in PHP. Although it only powers around 2.5% websites on the web, but it is still important. Many developers use Drupal for their websites. It gets regular security and version updates to add more security and features in this popular CMS. It also has a wide community of developers who contribute on modules and themes. This is why one can easily get free themes and modules to use in the Drupal based website for free. Drupal was developed by considering security and it also gets regular updates to fix known security issues. However, hackers always try to find vulnerabilities in Drupal, its themes or modules to hack into Drupal based websites. It is also a prime target of hackers. Therefore, users who want to use Drupal for their websites must follow security practices to make their website secure. In this article, I will try to cover how to make a Drupal based website secure. I will also add the best security modules available for Drupal.
Like other content management systems, Drupal also offers timely security updates. But there is the possibility of 0-day vulnerabilities and vulnerabilities in modules and themes. Researchers also found that contributed modules are themes have more chances of risk. Most of the times, if there is any big vulnerability, it is due to the contributed module or theme. Core Drupal seems to have less chance of risk. However, it is not possible to use the contributed modules in a project. This is the reason, users must be aware of the security. They must follow the best security practices. Securing a Drupal based website is also very similar to what we do with other kind of websites. Only you have to figure out how to do these security practices things in Drupal.
In this post, I am adding the best security modules available for Drupal. You can install these modules to enhance security of your Drupal based website.
Ethical Hacking Training – Resources (InfoSec)
This is a good Drupal module that lets you secure the login forms. It offers limit failed login attempt. You can set this limit and block an IP temporary or permanent. You can also configure it to send you a notification if someone tries to bruteforce the login page of your Drupal based website.
This module can also replace the Drupal core’s login messages to avoid showing the reason for not authenticating the user. This can make it harder for attacker to guess if the account actually exists.
Download this Module here: http://drupal.org/project/login_security
Password Policy module sets the policy for passwords. You can set the constraints to check while password creation. You can set password length, capital letter, special character, numbers, and other things to use in the password. This module can also prevent the reuse of passwords. You can also set password expiry time in this module. These things can be set either for all users or only for a specific role.
Download this module here: https://www.drupal.org/project/password_policy
Update is very important for any software and script. Every new update fixes the bugs of older version. Drupal also pushes the new updates with security bug fixes and other fixes. Therefore, you must keep the modules and Drupal core updated. Update Manager is a nice module which keep track on the latest updates of Drupal, theme and modules installed in your Drupal based website. You can check the log to see if the update is available for any theme, module of Drupal core. If you do not want to go and check manually, you can set it to notify you once the update is available for any theme, module of Drupal core itself. This is an important module, because update is the most important thing you must follow to keep your website secure. I recommend this module as a must-have in your website that is based on Drupal.
Download this module here: https://www.drupal.org/documentation/modules/update
Captcha is a challenge to check if the visitor is Human or automated script. It is a basic security method to prevent SPAM bots away from your website. It blocks form submissions from automated spambots. It can protect your contact form and signup forms to flood your website’s database of mail server.
Download this module here: https://www.drupal.org/project/captcha
Strong password can also be cracked by Bruteforcing. This method of password cracking is being used for attackers for past few years. So, there must be the security against this. Similar to previous module, it also adds protection against Flood Control. It lets you limit failed login by IP, limit failed login by username and also limit sending emails. Flood control can also prevent against small DOS attacks. So, you must install this to protect your users from flooding attacks.
Download this module here: https://www.drupal.org/project/flood_control
Secure Pages Hijack Prevention
This is another good Drupal module that adds an extra layer of security to secure pages. It prevents hijack sessions from accessing SSL pages. This module is recommended for most secure pages of the website. It still allows access to non-SSL pages with hijacked sessions.
Download this module here: https://www.drupal.org/project/securepages_prevent_hijack
XFS (cross frame scripting)
This is very important security module for Drupal. It adds security against various security threats. It handles origin HTTP request header to prevent cross-site request forgery attack in application. It also takes control over Internet Explorer, Safari or Google Chrome’s internal XSS filter via X-XSS-Protection HTTP response header. It also prevents content upsniffing. It also adds X-Frame-Options HTTP response header to prevent clickjacking in the application. It also helps in implementing HTTPS to prevent eavesdropping and man-in-the-middle attacks. It also helps in implementing Content Security Policy.
I am sure; you can understand the importance of this module. So, install this module for sure to protect your application from all these vulnerabilities.
Install this module here: https://www.drupal.org/project/seckit
Idle Session Timeout
Idle Session Timeout is also an important security module for Drupal. It lets you set session timeouts. You can also set different session timeout time based on user roles. You can also set it to ask users for setting their own session timeout. Automatic session timeout helps in account security.
Download this module here: https://www.drupal.org/project/autologout
By default, session is created in each browsers user uses to log in. Concurrent Sessions module takes care of concurrent sessions. It lets you to allow only one session of a user. So, you can set it to logout previous session if user starts a new one or ask user to logout previous one to start a new session. It will add an extra layer of security in user accounts. You can also set the maximum number of concurrent sessions. Therefore, user can open that number of concurrent sessions. You can also set this by user role. It means different user roles will have different policy for this.
If you think that there is no need to allow concurrent sessions in your website, you can use this. Few websites allow concurrent session. However, it totally depends on your personal choice and need of your application.
Download this module: https://www.drupal.org/project/session_limit
ACL or Access Control Lists offers API for other modules to create list of users and their roles. It has no UI, but has just APIs, which other modules can use to provide role-based services. Install this module only if you are going to use a module that requires you to install ACL first for working.
Download this module: https://www.drupal.org/project/acl
This module lets you define the permissions for content types by users and roles. You can set permissions for view, edit, or delete on specific content by specific user or user role. It comes with default settings. So, you can use it just by modifying the existing settings. It is flexible, so you can modify it in a way you want. It uses ACL API to work. SO, install ACL module before installing this module.
Install this module: https://www.drupal.org/project/content_access
Two-factor Authentication (TFA)
As the name suggests Two-factor Authentication lets you enable two factor authentications in your Drupal website. Therefore, it adds an extra layer of security in the login of your Drupal website. This module asks users to enter the mobile number at the time of account creation. It then sends a verification code each time user tries to login. Soon after entering username and password, user will receive a one-time password in mobile phone. If user successfully enters the OTP in second login screen, access is granted to the user. Otherwise, he will not be allowed to enter in the website. It protects user account even if the password of the user is stolen. Attacker will have the password but he will fail in entering the one time code sent to the mobile phone. So, it makes the account much secure than the regular password security.
It comes with integration with few SMS providers to easy to use of this two-factor authentication security. Most of the companies have now switched to this new SMS based login security. Therefore, you can also consider adding this security in your website.
Download this module here: https://www.drupal.org/project/tfa
The Paranoia module automatically detects all the places in your application that allow users to evaluate PHP and then blocks it. In this way, it blocks the potential attack by an attacker who can evaluate PHP code to gain access in Drupal website. After installation, be sure to visit and check all previous grants.
Download this module here: https://www.drupal.org/project/paranoia
Coder modules check the Drupal code against the standards and can fix coding standard violations for you. It can help you to find SQL injection vulnerability in the code and careful review of your hook_menu(). It can also review the use of user_access() and help you in finding access bypass problems.
Download this module here: https://www.drupal.org/project/coder
Security Review is a great module for Drupal websites. it performs automated testing for various security issues. Use of the module is very easy. Just install, enable, and hit the button “Run Checklist” to see the results. It can check these things:
- Test for system permissions to prevent arbitrary code execution
- Protection against XSS by disallowing tags in input
- Safe error reporting
- Secure private files
- Allow installation of only safe extensions
- Check for DB errors and failed login attempts
- Protect against brute forcing of password
- Protection against phishing
- Check user access control
Download this module: https://www.drupal.org/project/security_review
Install this module here: https://www.drupal.org/project/spamspan
These are few security extensions for Drupal content management system. As I already said that core Drupal is secure but customizations by installation third party themes and modules makes it vulnerable. So, it is very important to have a proper penetration testing of website to check what kind of security vulnerabilities are in the application and the process of patching those vulnerabilities. I collected most of the important security modules available for Drupal. It is not necessary to install all in your website. Just identify what module is necessary for your application and then install it in your Drupal website. Installing too many modules can make your website slow. So, install only those that are required. XFS and Security review are very important because these are related to serious security issues. Now it is up to you, you know the modules that are necessary for security of your Drupal website. So, install and check your website again. Never rely on just installation of modules. After installing module, you also need to perform a full testing of your website again to see if there is any other issue in your website. Without proper testing, never rely on modules too.
References for further reading