with Recommended Security Modules
Insight for: Developers
Essential Drupal Security Models with Best Practices to Keep Your Site Secure from Potential Threats
Website security is not a set-it-and-forget-it task, but an ongoing process that needs constant attention. After all, it’s better to prevent a disaster than to respond to one. Fortunately, having a Drupal website provides some assurance as the Drupal security team will resolve reported security issues promptly and efficiently.
Examining Drupal’s vulnerability statistics by CVE Details can provide useful insights.
To further bolster Drupal’s web security, make sure to explore various security modules from categories such as Security, User Access & Authentication, and Spam Prevention. However, before installing a module, it’s also essential to check its level of activity and purpose.
Reported installations: 27,117
Function: This module helps site administrators add restrictions to the login flows in a Drupal site. For instance, one can limit the number of invalid authentication attempts before blocking an account, deny access from specific IPs, and so on. It also notifies you over email or through Nagios notifications if the login form is under attack with brute force methods or username/password guessing attempts.
Download: https://www.drupal.org/project/login_security
Reported installations: 9,111
Function: This module allows site administrators to define two-factor auth strategies for authentication. It offers a range of mechanisms — time-based one-time passwords/PINs, codes delivered over text messages, pre-generated codes, and more.
Download: https://www.drupal.org/project/tfa
Reported installations: 41,750
Function: This module enables site administrators to define a policy that automatically logs out users after a specified inactive period. Timeouts can be customized by role, as well as integration with JavaScript-based timers.
Download: https://www.drupal.org/project/autologout
Reported installations: 56,613
Function: This module allows site administrators to define rules and constraints for setting account passwords. For example, a rule can be set to require all passwords to include at least one uppercase letter, one number, and one special symbol.
Download: https://www.drupal.org/project/password_policy
Reported installations: 58,819
Function: This module provides various options to help mitigate exploitative risks from different vulnerabilities. It can help set up HTTP headers to prevent cross-site scripting and forgery, clickjacking, and more.
Download: https://www.drupal.org/project/seckit
Reported installations: 24,812
Function: This module automates a lot of tests that help you determine if your site is vulnerable to different traditional attack vectors. It runs tests to check for XSS exploits, the presence of PHP or JavaScript in content nodes, as well as the possibility of arbitrary PHP execution and SQL injection attacks.
Download: https://www.drupal.org/project/security_review
Reported installations: 287,764
Function: Captcha is one of the best methods with which to secure submission forms of any kind from spambots. This module helps Drupal site administrators to include Captcha support with any kind of form.
Download: https://www.drupal.org/project/captcha
Reported installs: 53,595
Function: The module works completely behind the scenes and doesn’t require any interaction from end-users (no annoying CAPTCHAs!). It replaces the form action until the user moves the cursor
Download: https://www.drupal.org/project/antibot
We were contacted by a client who had a Drupal 7 website. The website had not been updated since 2021. After analyzing the site we discovered that 10% of the modules needed to be updated along with the core.
Attico International realized that if the site was not updated it could lead to a decrease in site performance and user experience, as well as a potential security issue. Additionally, the Yandex.Metrics Reports module had stopped working with the new Yandex.Metrics API due to the outdated modules, which caused the customer to miss out on important statistics.
To address these issues, Attico International checked compatibility and updated the core version from 7.66 to 7.96 along with several modules including webform, l10n_update, jquery_update, field_slideshow, colorbox, ckeditor, and yandex_metrics. This resulted in increased site performance, improved site security, and a more convenient and up-to-date module interface.
The Drupal 7 core upgrade process involved extracting everything from the archive except the sites folder, .htaccess, and robots.txt files. Attico International then went to site/update.php and clicked continue on all steps until a message appeared that everything was updated. After checking the local site for functionality, the changes were committed and pushed to the repository. Then, the team connected to the dev/prod via SSH, pulled the changes, and updated the database by running the ‘drush updb’ command.
The module upgrade process was similar to the core upgrade, where an archive with a new version of the required module was downloaded from the site and checked for compatibility before replacing files.
Website security is a crucial aspect that requires instant attention to ensure a secure and smooth online experience for your visitors. Drupal, being a secure platform, is not exempt from potential threats, but it offers various security modules to help prevent and mitigate risks. Tips, such as module installation, website scanning, and tailoring user permissions, help you enhance the security of your Drupal website. We also recommend keeping Drupal core and modules up to date, using strong passwords, installing an SSL certificate, and making frequent backups of your website.
Protect your business and your customers’ data by taking proactive steps to secure your website. Contact us now to learn more about how we can help enhance your Drupal website’s security
