In a previous post, I discussed several general Drupal security tips. In this article, I will focus on Drupal 7 security.
Drupal 7 is still the most popular version of Drupal, beating Drupal 8 by a huge margin. Even though Drupal 8 has entered the mainstream, Drupal 7 is still the choice of the community. As such, it is important to know how to secure Drupal 7 websites.
I will begin by listing popular Drupal 7 security related modules and will then share several important measures you should take to secure your website.
Security Modules
Login Security Module: This is the simplest yet the most powerful security module out there for Drupal 7. This module limits the number of unsuccessful login attempts. Exceeding the preset number will block access for the particular user. You could also block an IP from logging in to the website (either temporarily or permanently). The module also sends you notifications about unsuccessful login attempts.
CAPTCHA Module: One of the most widely used and well-established security measures against bots, CAPTCHA for Drupal 7 is one of those modules that every website should have.
Password Policy Module: This module has everything you need to manage passwords for your website including complexity, length, expiry and the duration of validity of the password.
Duo Two-Factor Authentication Module: A method used by the largest websites out there like Google and Facebook cannot be that bad. It’s really, really difficult to go wrong with two-factor authentication. So just go ahead and further fortify your Drupal 7 defenses with this module.
File Integrity Check Module: If your website could have fingerprints, this module would be it. The function of this module is pretty simple but extremely useful. If any changes are made to your Drupal website, including its themes and modules, this module will immediately identify the changes and notify you.
Paranoia Module: When it’s the question of security, being paranoid can be very good. This module finds out all the places where one can access PHP from Drupal’s web interface and then blocks these points, so that no attacker could manipulate them to gain higher permissions.
Security Review Module: As the name suggests, this module checks and generates alerts about all the possible security-related issues and points a user can overlook. Here’s a list of the checks that this module performs:
- Safe file system permissions (protecting against arbitrary code execution)
- Text formats don’t allow dangerous tags (protecting against XSS)
- PHP or JavaScript in content (nodes, comments and fields in Drupal 7)
- Safe error reporting (avoiding information disclosure)
- Secure private files
- Only safe upload extensions
- Large amount of database errors (could be sign of SQLi attempts)
- Large amount of failed logins (could be sign of brute-force attempts)
- Responsible Drupal admin permissions (protecting against access misconfiguration)
- Username as password (protecting against brute-force)
- Password included in user emails (avoiding information disclosure)
- PHP execution (protecting against arbitrary code execution)
- Base URL set / D8 Trusted hosts (protecting against some phishing attempts)
- Views access controlled (protecting against information disclosure)
Update Manager Module: Another self-explanatory module that informs you about any updates that might be available for Drupal core, themes and modules.
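The signals that the Login Security module acts on and that Security Review's "large amount of failed logins" check looks for can also be pulled out of the site's own logs. The following is an added example, not code from the original post or from either module: it parses lines in the default format written by Drupal 7's syslog module and flags addresses and usernames whose failed logins cluster inside a time window. The sample log lines are constructed, and the default limits are assumed to mirror Drupal 7 core's flood-control thresholds.

```python
import re
from collections import defaultdict

# Drupal 7's syslog module writes one pipe-separated line per watchdog entry:
# base_url|timestamp|type|ip|request_uri|referer|uid|link|message
FAILED_LOGIN = re.compile(r"^Login attempt failed for (?P<user>.+)\.$")

def parse_syslog_line(line):
    """Split one Drupal 7 syslog entry into its fields; None if malformed."""
    parts = line.rstrip("\n").split("|", 8)
    if len(parts) != 9 or not parts[1].isdigit():
        return None
    return {"ts": int(parts[1]), "type": parts[2], "ip": parts[3], "message": parts[8]}

def _peak_in_window(stamps, window):
    """Largest number of events that fall inside any sliding window of `window` seconds."""
    stamps.sort()
    start, peak = 0, 0
    for end, ts in enumerate(stamps):
        while ts - stamps[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak

def brute_force_report(lines, ip_limit=50, ip_window=3600, user_limit=5, user_window=21600):
    """Flag IPs/usernames whose failed logins reach a limit within a window (defaults assume D7 core flood thresholds)."""
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for line in lines:
        entry = parse_syslog_line(line)
        if not entry or entry["type"] != "user":
            continue            # php/database/other watchdog types are not login events
        match = FAILED_LOGIN.match(entry["message"])
        if match:
            by_ip[entry["ip"]].append(entry["ts"])
            by_user[match.group("user")].append(entry["ts"])
    flagged_ips = {ip: _peak_in_window(t, ip_window) for ip, t in by_ip.items()}
    flagged_users = {u: _peak_in_window(t, user_window) for u, t in by_user.items()}
    return {"ips": {k: v for k, v in flagged_ips.items() if v >= ip_limit},
            "users": {k: v for k, v in flagged_users.items() if v >= user_limit}}

# Constructed sample log: five failures for "admin" from one address within 80 seconds,
# one failure for "editor", then unrelated entries that must be ignored.
SAMPLE_LOG = [
    "https://example.test|%d|user|203.0.113.7|/user/login||0||Login attempt failed for admin." % ts
    for ts in range(1700000000, 1700000100, 20)
] + [
    "https://example.test|1700000100|user|198.51.100.9|/user/login||0||Login attempt failed for editor.",
    "https://example.test|1700000110|php|198.51.100.9|/node/1||0||Notice: Undefined index: foo in example.module.",
    "https://example.test|1700000120|user|198.51.100.9|/user/login||7||Session opened for editor.",
]
```

Run `brute_force_report(SAMPLE_LOG)` at the defaults and only the "admin" account is flagged; lower `ip_limit` and the source address is reported as well, which is the per-IP block the Login Security module offers.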
Security Tips
Keep Your Drupal Website Updated: This is the first step towards ensuring your website’s safety. Always keep your Drupal website and all its constituents updated to the latest versions. There’s just no excuse for postponing the updates.
Regular Backups: Regularly backing up your Drupal website ensures that you always have a safe rollback point in case of a disaster. I have written a post about the Drupal 8 backup process. You can follow the procedure for Drupal 7 without any issues.
Disable Passwords in User Emails: You should always disable passwords being sent out in user emails. No matter how secure your emails are, there’s never a guarantee of the security of the emails on the user end. You could easily imagine the consequences of an email containing password(s) ending up in wrong hands.
Check User Roles: Continuously check user roles and associated permissions. Always make sure that a user only has the permissions that they need for executing their tasks on your website.
Block Default User: When you create a new Drupal website, a default user (with all the permissions for the website) is created. First, create a new administrator account and then delete this default user.
Limit File Types: Accepting files and images with all extensions is a huge security risk. Limit the type of extensions your website accepts to the trusted ones and block all others.
HTTPS Everything!: By default Drupal 7 runs over HTTP. This is very hazardous: passwords sent over HTTP travel as plain text, which is a very big security risk. As soon as you set up your website, enable HTTPS, a much more secure platform.
Scan Website Regularly: A regular scan of the website is a sensible idea that should be part of the security processes for your Drupal website. A number of tools (online and offline) offer security vulnerability scans that point out security loopholes. You could easily plug these holes and carry out improvements to ensure continued security of the website.
Choose a Drupal Optimized Hosting Provider: In many cases, the easiest way of ensuring the security of your Drupal website is to opt for a Drupal-optimized hosting provider. These hosting providers ensure that your website remains protected at all times. If you are looking for a Managed Drupal Hosting Provider, Cloudways is the one for you. With security features such as SSL by Let’s Encrypt, security is the prime focus for Cloudways.
Shahzeb Ahmed
Shahzeb is a Digital Marketer with a Software Engineering background, works as a Community Manager — PHP Community at Cloudways. He is growth ambitious and aims to learn & share information about PHP & Laravel Development through practice and experimentation. He loves to travel and explore new ideas whenever he finds time.