Sorry, you need to enable JavaScript to visit this website.
logo

Enhancing Drupal Website Security with Recommended Security Modules

By Aliaksandr Kostsikau

Essential Drupal Security Models with Best Practices to Keep Your Site Secure from Potential Threats

Website security is not a set-it-and-forget-it task, but an ongoing process that needs constant attention. After all, it’s better to prevent a disaster than to respond to one. Fortunately, having a Drupal website provides some assurance as the Drupal security team will resolve reported security issues promptly and efficiently.
 

Drupal Security Vulnerabilities

Examining Drupal’s vulnerability statistics by CVE Details can provide useful insights.

vulnerability statistics

Security Modules

To further bolster Drupal’s web security, make sure to explore various security modules from categories such as Security, User Access & Authentication, and Spam Prevention. However, before installing a module, it’s also essential to check its level of activity and purpose.


Authentication Modules

1. Login Security

Reported installations: 27,117
Function: This module helps site administrators add restrictions to the login flows in a Drupal site. For instance, one can limit the number of invalid authentication attempts before blocking an account, deny access from specific IPs, and so on. It also notifies you over email or through Nagios notifications if the login form is under attack with brute force methods or username/password guessing attempts.
Download: https://www.drupal.org/project/login_security

2. Two-factor Authentication

Reported installations: 9,111
Function: This module allows site administrators to define two-factor auth strategies for authentication. It offers a range of mechanisms — time-based one-time passwords/PINs, codes delivered over text messages, pre-generated codes, and more.
Download: https://www.drupal.org/project/tfa 
 

3. Automated Logout

Reported installations: 41,750
Function: This module enables site administrators to define a policy that automatically logs out users after a specified inactive period. Timeouts can be customized by role, as well as integration with JavaScript-based timers.
Download: https://www.drupal.org/project/autologout 
 

Password Security Modules 

1. Password Policy

Reported installations: 56,613
Function: This module allows site administrators to define rules and constraints for setting account passwords. For example, a rule can be set to require all passwords to include at least one uppercase letter, one number, and one special symbol.
Download: https://www.drupal.org/project/password_policy 
 

Security Review Modules

1. Security Kit

Reported installations: 58,819
Function: This module provides various options to help mitigate exploitative risks from different vulnerabilities. It can help set up HTTP headers to prevent cross-site scripting and forgery, clickjacking, and more.
Download: https://www.drupal.org/project/seckit 
 

2. Security Review

Reported installations: 24,812
Function: This module automates a lot of tests that help you determine if your site is vulnerable to different traditional attack vectors. It runs tests to check for XSS exploits, the presence of PHP or JavaScript in content nodes, as well as the possibility of arbitrary PHP execution and SQL injection attacks.
Download: https://www.drupal.org/project/security_review 
 

Spam Prevention Modules

1. Captcha

Reported installations: 287,764
Function: Captcha is one of the best methods with which to secure submission forms of any kind from spambots. This module helps Drupal site administrators to include Captcha support with any kind of form.
Download: https://www.drupal.org/project/captcha 
 

2. Antibot

Reported installs: 53,595
Function: The module works completely behind the scenes and doesn’t require any interaction from end-users (no annoying CAPTCHAs!). It replaces the form action until the user moves the cursor
Download: https://www.drupal.org/project/antibot 
 

Real Project Example

We were contacted by a client who had a Drupal 7 website. The website had not been updated since 2021. After analyzing the site we discovered that 10% of the modules needed to be updated along with the core.

the modules needed to be updated

Attico International realized that if the site was not updated it could lead to a decrease in site performance and user experience, as well as a potential security issue. Additionally, the Yandex.Metrics Reports module had stopped working with the new Yandex.Metrics API due to the outdated modules, which caused the customer to miss out on important statistics.

Yandex.Metrics Reports module

To address these issues, Attico International checked compatibility and updated the core version from 7.66 to 7.96 along with several modules including webform, l10n_update, jquery_update, field_slideshow, colorbox, ckeditor, and yandex_metrics. This resulted in increased site performance, improved site security, and a more convenient and up-to-date module interface.

increased site performance

The Drupal 7 core upgrade process involved extracting everything from the archive except the sites folder, .htaccess, and robots.txt files. Attico International then went to site/update.php and clicked continue on all steps until a message appeared that everything was updated. After checking the local site for functionality, the changes were committed and pushed to the repository. Then, the team connected to the dev/prod via SSH, pulled the changes, and updated the database by running the ‘drush updb’ command.

updated the database

The module upgrade process was similar to the core upgrade, where an archive with a new version of the required module was downloaded from the site and checked for compatibility before replacing files.


Results

Results
  • Increased performance;
  • Increased security;
  • More convenient and up-to-date module interface;
  • Yandex.Metrics Reports module now works with the new Yandex.Metrics API. 

“Don’t store anything in the core. Store everything you need in directory sites.” — Aliaksandr, Backend Developer
 

Best Practices for Securing Your Drupal Website

  1. Keep Drupal Core and Modules Up To Date
    Updating your Drupal installation and installed modules is a simple way to improve security. Make sure to regularly apply available updates to avoid known vulnerabilities.
  2. Scan Your Website Regularly
    While scanning your Drupal-based website is not a cure-all, it can help identify security flaws. Consider using online services like Drupal Security Scan or open source utilities such as Droopescan to scan your website.
  3. Tailor User Permissions
    Take advantage of Drupal’s role-based access control framework to configure granular permissions for users. Follow the principle of least privilege to limit potential security risks.
  4. Take Advantage of Drupal Security Modules
    Enhance your website’s security by installing optional Drupal modules designed to improve security, such as Login Security and Captcha.
  5. Pick a Hosting Provider Focused on Security
    Choose a secure hosting provider to ensure that the environment you are using is protected at the hardware level.
  6. Use good passwords
    Strong passwords help lay the foundation for the security of Drupal and any other software platform. 
  7. Install an SSL certificate
    SSL certificates encrypt network traffic and prevent attackers from eavesdropping on information as it travels between servers and client computers.
  8. Make frequent backups
    Make frequent backups of your website’s files and database to quickly recover from security incidents or other issues.
     

Website security is a crucial aspect that requires instant attention to ensure a secure and smooth online experience for your visitors. Drupal, being a secure platform, is not exempt from potential threats, but it offers various security modules to help prevent and mitigate risks. Tips, such as module installation, website scanning, and tailoring user permissions, help you enhance the security of your Drupal website. We also recommend keeping Drupal core and modules up to date, using strong passwords, installing an SSL certificate, and making frequent backups of your website. 

Protect your business and your customers’ data by taking proactive steps to secure your website. Contact us now to learn more about how we can help enhance your Drupal website’s security

Get a free consultation

Related Items

CLS Score
How to Improve CLS Scores in PageSpeed for Drupal Sites Using the EU Cookie Compliance Module for Cookie Warnings

Solving the Layout Shift Issue by Cookie Consent Pop-Ups

3 min read
Drupal
By Dzmitry Hryn
less work more output
Drupal Multisite: Less Work, More Output

Maintaining an online presence often forces companies to build multiple websites, with a site for each brand, product, or country. Keeping up…

5 min read
Drupal
By Aliaksei Lyzo
Let's ask google
Is Drupal SEO friendly? Let's ask Google

Is Drupal SEO friendly? Good question. To get to the bottom of this, let's analyze the Google recommendations for website SEO optimization…

5 min read
Drupal
By Aliaksei Lyzo
less work more output
Storybook and Drupal

Storybook is an open source tool for building UI components and pages in isolation. It streamlines UI development, testing, and documentation.

7 min read
Drupal
By Volha Tsiamliak, Yaroslav Lushnikov
Attico International's New Brand Identity
Attico Enters a New Era of Growth and Sustainability with Rebranding Efforts

Attico has been a leading provider of innovative and top-notch digital solutions to customers worldwide for years. As we continue to grow and…

2 min read
Drupal, Marketing, QA
By Editor