15 Drupal Security Best Practices – Step-By-Step Guide 2024

Drupal CMS is being used by various important organizations. In certain countries, it is used by governments also. This admiration can be attributed to its open-source framework and the spectrum of modules on Drupal. The modules enable site administrators to organize, customize and manage content easily on Drupal. But, despite the plus points, it is not to be denied that Drupal does suffer cyber-attacks. And that too, often. In the wake of this ever-increasing cybercrimes, hardening Drupal Security becomes paramount.

Hence with this article, I aim to provide you with all the essential & actionable Drupal security measures to secure your site. If you followed these measures diligently, you are bound to enhance your website’s security. But, before we start with the measures, let’s take a look at the Drupal hacking statistics. After which, we will take on Drupal security practices one-by-one.

Drupal Hacking Statistics – Let’s Talk About Numbers

According to CVE details, there are 324 vulnerabilities that have been reported in Drupal CMS since 2002. Even though it is less as compared to WordPress (1822 CVE entries), it sure is troubling. So, what are the types of vulnerabilities that imperil Drupal CMS? See the chart below for answers-

As we can make out from this, XSS accounts for 45.6% of all the vulnerabilities that exist currently in Drupal. There are many unknown vulnerabilities that remain exposed on this CMS platform. Hence, it becomes very important to discuss Drupal Security. Let us now see what all measures can be taken up to harden Drupal Security.

Related Post – Hacking Statistics 2019

Top 15 Drupal Security Measures

1. Update Drupal and Modules

It is important to keep the versions of your Drupal website along with the modules updated. These updates contain patches for various Drupal Security vulnerabilities. If you are not updating your website, then you are just exposing it to numerous vulnerabilities. For instance, in October 2014, hackers targetted millions of Drupal websites by exploiting the old versions.

Hence, to update your website, just do the following:

For Drupal 7.x

1. Navigate to “Reports > Available Updates”.

   

2. Select “Check manually” option to look up for any other updates.

   

For Drupal 8.x

1. Navigate to “Reports > Available Updates”.

   

2. Select “Check manually” option to look up for any other updates.

   

Apart from this, it is recommended that you install and use trusted Drupal modules and themes. Install modules only from renowned companies or from the Drupal repository. This will ensure less trouble for Drupal security.

Starting from Drupal 8, now you can set a configuration to check incoming requests and allow only those which match the rules. Otherwise, they will be blocked. An instance of the configuration using regular expressions in settings.php is as follows:

$settings[‘trusted_host_patterns’ = array(
‘^www\.trustedwebsite\.com$’,
);

2. Perform Regular Drupal website Backups

A backup is the easiest way to restore your website in case the worst comes true. Now, a backup should include all the things that are elemental to your website’s functioning. Generally, a working backup includes Drupal core as well as module files. This helps in quick recovery and rollback after you have been attacked.

Pantheon, a managed Drupal Host, offers a feature such as one-click backup and restore. Moreover, they also provide sandbox environments for testing purpose before introducing them in the main version. You can also use software such as XAMPP or MAMP to locally test updates before pushing them on the live website.

For Drupal 8, the renowned and free of cost module “Backup and Migrate” is available which does the job quite efficiently. The different components that it offers are:

• Backup/Restore of multiple MySQL databases and code
• Backup of files directory and adding a note to it for easy identification
• Smart options for deletion and easy management of backup files
• Backup of data to FTP/S3/e-mail or Node Squirrel
• Drush integration
• Different schedules for performing backups which are AES encrypted

3. Use crafty usernames and passphrases for Drupal Security

According to Applied, approximately 76% of the attacks on corporate networks involve weak passwords. Hence, we not only recommend that you have a complex password but also have a unique username which cannot be easily predicted by a hacker. This is one of the easiest hacks for improving Drupal Security. Still, most users go for easy to remember credentials such as “Admin/1234567” and end up regretting when their login is spoofed due to a brute-force attack.

The username and password of the administrator can be changed directly from the Drupal dashboard as follows:

For Drupal 7.x

1. Click on My Account>Edit on the dashboard.

   

2. A window with account settings will open. Enter your unique username & password here save the changes.

   

For Drupal 8.x

1. Click on My account>Edit on the dashboard.

   

2. A window with account settings will open. Enter your unique username & password here save the changes.

   

Alternatively, you may also use an online password generator to generate strong & secure passwords free of cost. It generates the passwords and stocks them in a database locally on the user’s computer.

4. Use Drupal Security Modules

There are numerous Drupal Security modules which offer security to your website by prevention of continuous hacking attempts. These segments enable a user to inspect malicious networks, check the rate limit or thwart security threats, impose strong passwords, monitor for vulnerabilities, check for file modifications, implement a firewall to block common security threats, monitor DNS changes and a lot more. Some of the recommended modules are discussed as follows:

a. Login Security Module

It is an important Drupal Security module. It restrains the rate of login attempts and intercepts access. The attempts may be limited and specific IP addresses can be blocked temporarily or permanently. This module can be configured in a way such that whenever a brute-force is attempted on the login page, you are notified about it. The module is available at this link. Steps to install:

For Drupal 7.x

1. Download the module from the above-mentioned link.
2. Extract it to the folder: sites/all/modules/contrib (contrib is a subfolder that is used to store third-party modules)
3. Go to Modules> Install a module. A new page will open up.

   

4. Insert the details and hit the ‘Install‘ button.

   

For Drupal 8.x

1. Download the module from the above-mentioned link.
2. Extract it to the folder: sites/all/modules/contrib (contrib is a subfolder that is used to store third-party modules)
3. Go to Extend> Install a module. A new page will open up.
   

   

4. Insert the details and hit the ‘Install‘ button.

   

For more options on configuring this module, one can refer to the formal memo.

b. Password Security Module

This Drupal Security module helps in configuration of user password policies. You can also set Password validity using this module. Adding to that, you may also set instructions for setting a password and prompt the user to change the password regularly. Download this module from the official Drupal website.

c. CAPTCHA Module

CAPTCHA is an important feature which can enhance Drupal Security. It differentiates automated login attempts by bots from genuine attempts by humans. Add the official CAPTCHA module from Drupal website or you can also use Google ReCaptcha module.

d. Drupal Security Review Module

This module is responsible for conducting a security audit of your Drupal website. It, then, suggests if your website’s security needs changes or not. Apart from that, this plugin is useful in the following security risk assessments:

• Secure file system permissions (protection against arbitrary code execution)
• Dangerous tags in text formats to protect against XSS
• PHP or Javascript in content
• Safe error reporting (avoiding information disclosure)
• Secure private files
• Safe upload extensions
• Presence of database errors (a sign of SQLi attempts)
• Presence of failed login attempts (a sign of brute-force attempts)
• Responsible Drupal admin permissions (protecting against access misconfiguration)
• Whether username has been set as password (protection against brute-force)
• Password included in user emails (prevention of information disclosure)
• PHP execution (protection against arbitrary code execution)
• Base URL set/D8 Trusted hosts (protection against phishing attempts)
• Check for access-controlled views (to protect against information disclosure)

Download this module from here.

e. Update Manager Module

This Drupal Security module informs about the latest available updates in Drupal software & themes. You can customize the frequency of updates and other options such as notification. Installing this module will ensure that you do not skip any update. Not to mention that an updated Drupal website keeps threats at bay. Download this module from the official Drupal website.

f. Duo Two-Factor Authentication Module

Multi-Factor authentication is always secure than single-point authentication. Enabling this security measure adds an extra layer of security to your website. Further, this module restricts any fake authentication on your website. Only the users with valid authentication can have access to the Drupal panel. Invariably, it adds to the Drupal security. This module can be download from this link.

g. Paranoia Module

Since PHP SQLi is a common vulnerability present in Drupal website, hence this Drupal Security module evaluates all the PHP via Drupal’s interface and then blocks those. By installing this security module, the hackers won’t be able to get escalated privileges on your website and thus, give you added security. It has the following features in it:

• Impairs bestowing of the privilege “use PHP for block visibility”.
• Impairs creation of input formats that use the PHP filter.
• Impairs editing the main.
• Impairs authorization of risky permissions.
• Does not allow anyone to disable this plugin unless they are authorized.
• One can download it from here – https://www.drupal.org/project/paranoia.

h. File Integrity Check Module

This Drupal Security module checks the current installation of Drupal, the contributing modules, and themes. It checks for any changes that may have been done on them and any such changes are reported to the administrator on an emergency basis.

This module, in an abstract manner, lets the website administrator maintain a “fingerprint” of the entire site when it is in an untainted stated. However, it does not check for files in public:// upload directory. The module can be configured to periodically compare the site to the initial “fingerprint” and report discrepancies as follows:

• Modified files and directories
• Potential backdoors (unauthorized file addition to the site)
• File removed from the site
• Files writeable by the web-server
• This module can be downloaded from this link.

5. Block the malicious bot traffic

As your Drupal website expands its outreach, there are numerous bad bots, scrapers and crawlers, which hit your website and steal your bandwidth. A comprehensive list of bots can be obtained from this link. Although, most of the above-mentioned security modules can work great to block bad bots, sometimes, it becomes a necessity to configure for the same at the server level. To block multiple User-Agent strings at once, one can insert the following piece of code into the .htaccess file:

RewriteEngine On

ReWriteCond %{HTTP_USER_AGENT} ^.*(agent1|Wget|Catall Spider).*$ [NC]

RewriteRule .* - [F,L]

One may alternatively also use BrowserMatchNoCase directive as follows:

BrowserMatchNoCase “agent1” bots

BrowserMatchNoCase “Wget” bots

BrowserMatchNoCase “Catall Spider” bots

Order Allow,Deny

Allow from ALL

Deny from env=bots

An instance code from Nginx is as follows:

if($http_user_agent ~ (agent1|Wget|Catall Spider)){
return 403;
}

6. Always Connect Securely

Using secure connections makes for the next Drupal security practice. You must always use SFTP encryption if offered by your web host or SSH. If you are using an FTP client, ensure that you use SFTP from port 22.
From a client-side perspective, you can take the following Drupal Security measures:

• Do not save FTP passwords or set up a master password. This is because, in most of the cases, the passwords are not encoded and stored in plaintext which makes them exposed to a hacker.
  Set up the firewall rules properly on the home/local router.
• Do not access your website on public networks available in cafeteria or railway stations and airports as they are never secure.
• From the server-side perspective, the following measures must be taken:
• Deploy proper Hosting security on your website
• Settle only for the updated versions of PHP, MySQL by the hosting service provider.
  The account must be properly isolated and web application firewall must be configured. Astra has an exclusive web application firewall for Drupal Security. For a demonstration, click here.
• Avoid shared hosting as it may lead to issues such as overcrowded servers and shared IPs. Apart from that, shared hosting has its own security risks and concerns. In Astra, we have discussed the various security concerns associated with shared hosting in this article.

7. Secure Drupal File Permissions

The files present on your website directory store important information and instructions which are crucial for the smooth functioning of your website. Hence, they must be protected from unauthorized access by setting up different permissions to allow read, write and modify operations over them. If the permissions are not set up properly, then an intruder may gain access to the personal information associated with your business.

Also, excessively strict file permissions can cause damage to your Drupal installation and modules. Also, it may hamper the efficiency as Drupal core needs to be able to write to certain directories. One may also consult the official documentation on securing file permissions and ownership in Drupal’s official website.

Related Blog – Drupal File & Folder Permission

8. Block Access to Important Files

You may also choose to selectively block access to some of the sensitive files present in your Drupal website directory. These include:

• authorize.php
• upgrade.php
• cron.php
• install.php

The access can be blocked by defining the permissions in the .htaccess file. Thus, no unauthorized person can obtain access to crucial files. A code instance is as follows:

<FilesMatch “(authorize|cron|install|upgrade)\.php”>
Order deny, allow
deny from all
Allow from 127.0.0.1
</FilesMatch>

You may like to give a read to this dedicated article by Astra on Drupal File Permissions here.

9. Securing the Backend

File permissions, security modules, and strong passwords are not sufficient to secure your Drupal website. It is additionally important to harden the security of your Drupal database. The first measure is to use a unique table prefix which makes it harder to predict by an intruder. This will also help in the prevention of SQL injection.

A. One can set the table prefix in the setup screen while installing Drupal.

During the setup phase

1. Click on “Advanced Options”.
2. Check for the host, port number and table prefix.
3. Update the table prefix accordingly.

If Drupal is already installed

1. Log in to phpMyAdmin account.
2. Select the table inside the database.
3. Update its name and save it.

B. The second measure is to change the database name to make it tough to predict.

10. SSL Certification

SSL certificate enables HTTPS which helps in processing the data securely. The login page of your Drupal website must have an SSL certificate to secure the credentials of your website users. If you are not using HTTPS connection, then all the credentials and other valuable data face the risk of being intercepted. Without SSL, this data will be sent over the internet in cleartext. Additionally, the HTTPS/SSL certificate has numerous SEO advantage and performance benefits. Hence, get an SSL certificate from a trusted organization to secure data tranfer on your website.

11. Harden HTTP Security Headers

Securing the HTTP header is the next Drupal security measure. These headers communicate with the browser and instruct it how to govern different operations over your website content. You can secure these only via a small configuration change on your web server.

Some of the recommended common HTTP security headers for your Drupal website are:

• Content-Security Policy
• X-XSS-Protection
• Strict-Transport-Security
• X-Frame-Options
• Public-Key-Pins
• X-Content-Type

12. Use a Drupal Malware Scanner

Malware scanner comes handy in uncovering hidden malware on your website. Thus, it is extremely important that you scan your website periodically for malware. Usually, the malware remains hidden for weeks before it catches attention. Malware can harm your website in numerous ways. Blacklisting, black hat SEO, Defacement are only a few to name. Obviously, malware removal can start only after it is discovered. Hence, use a malware scanner to optimize your threat mitigation mechanism and decrease your downtime.

13. Deploy a Web Application Firewall

A web application firewall is a great way to monitor your website continuously for attacks. A firewall like Astra’s work incessantly to thwart coming cyber attacks. It protects your website from SQLi, XSS, CSRF, LFI, RFI, bad bots, spam, OWASP top 10 and 100+ other attacks. The best part is that it learns from the past and optimizes for the future. The Astra Firewall also facilitates IP/country blocking and whitelisting.

14. Perform Security Audits

No doubt automated solutions help Drupal security immensely. But, measures like a security audit requires human vigilance. It is necessary that a team of real humans scan your website for any security threats.  Hence, hire a security expert who may check upon the user’s activity patterns and inform you in advance how well does your vulnerability score fare

15. Sanitize Inputs from Text Fields and Upload Section

Input sanitization and validation are extremely important to check prevalent SQL injection and XSS attacks on Drupal. A hacker may try to execute malicious code or may try to upload a malicious script which can compromise the security of your Drupal website. So, set up an input validation function or logic for all user inputs. This will add to the strictness of the upload section.

Conclusion

Securing your Drupal is crucial; given the fact, that threats are only going to rise. Also, it is important for the Drupal web owners to possess a thorough understanding of best Drupal security practices. I hope I have been successful in educating you about the workings of Drupal security. However, the human mind is far from infallible. Hence, feel free to comment below the security measures we may have forgotten.

Update [December 2020]:
Recent Security Updates in Drupal Core

1. Arbitrary PHP code execution during file uploads [CVE-2020-28948] [CVE-2020-28949]

A critical arbitrary PHP code execution vulnerability tracked as SA-CORE-2020-013 is discovered in file upload process of Drupal core.

• Fixed Date: November 25, 2020
• Affected Drupal versions: Drupal 7.x, Drupal 8.8.x, Drupal 8.9.x, Drupal 9.0.x
• Issue fixed in the respective Drupal versions: Drupal 7.75, Drupal 8.8.12, Drupal 8.9.10, Drupal 9.0.9 (Update Immediately)

2. Remote code execution during sanitization of file uploads [CVE-2020-13671]

A critical RCE vulnerability tracked as SA-CORE-2020-012 is discovered in file name sanitization process of file upload in Drupal core.

• Fixed Date: November 18, 2020
• Affected Drupal versions: Drupal 7.x, Drupal 8.8.x, Drupal 8.9.x, Drupal 9.0.x
• Issue fixed in the respective Drupal versions: Drupal 7.74, Drupal 8.8.11, Drupal 8.9.9, Drupal 9.0.8 (Update Immediately)

3. Information Disclosure vulnerability in File Module [CVE-2020-13670]

A moderately critical information disclosure tracked as SA-CORE-2020-011 is present in the File module of Drupal core that can allow attackers to gain access to the file metadata of a permanent private file, if exploited.

• Fixed Date: September 16, 2020
• Affected Drupal versions: Drupal 8.8.x, Drupal 8.9.x, Drupal 9.0.x
• Issue fixed in the respective Drupal versions: Drupal 8.8.10, Drupal 8.9.6, Drupal 9.0.6 (Update Immediately)