2. About Drupal
Drupal is an open-source content
management system (CMS) written in
PHP. It provides a complete framework
for developers. Around 2.3% of the
world’s website have adopted Drupal
to manage their content.
These websites range from blogs to
corporate sites and even some
government websites. Drupal is the
3rd most widely accepted CMS in the
world.
Nonetheless, it doesn’t take anything away from the fact that you need to
implement right security measures. Not only Drupal but everything that goes
into making your website must be protected. But in this blog, we are going to
focus only on best practices for Drupal security. Follow the measures below for
remarkable Drupal security.
2
Just like any other major platform out
there, there exists security danger on
Drupal as well. However, Drupal is a
more secure platform compared to its
peers. Going by the numbers by CVE
Details.
Drupal has a low percentage of
vulnerabilities compared to its market
share. 46% of these vulnerabilities are
cross-site scripting. Click here for the
detailed breakup of the vulnerabilities.
3. Enforce these
measures for
securing your
Drupal
website
3
1. Update to the latest version of Drupal core &
Drupal modules
2. Install security modules
3. Choose a reputed hosting provider
4. Download reliable modules
5. Enable https
6. Block access to your important files
7. Back up regularly
5. “
Whether it is your operating system, your antivirus, your browser or Drupal itself, running
the latest versions is the least you can and should do. The updates not only bring new
features, they also improve security by means of bug fixes and hardening.
More often than not, the susceptibilities present in the past versions are eliminated in the
newer versions. Moreover, you must upgrade your modules as well. This is because the
modules are quite often the cause of misery.
Therefore, administrators must keep checking the update report at regular intervals and keep
updating!!!
5
6. 2.
INSTALL
SECURITY
MODULES
6
There are many modules which help you find any loopholes in the
website code and fix them. These third-party security modules are
checked and verified by the extended Drupal community. Therefore,
you can be sure that they won’t cause you any trouble. There are
tons of Drupal modules which assist you to fortify web security.
7. Here are
some of the
most useful
Drupal
security
modules:
7
Coder
Secure Pages
Hijack
Prevention
SpamSpan
Username
Enumeration
Prevention
Automated
Logout
Password
Policy
8. ▪ Password Policy
Using this module, you can establish a set
of rules for passwords. For example, the
site admin can enforce the rules
demanding one upper case letter, one
number, one special character. This
module can also help you implement
password expiration. Consequently, the
user is forced to renew his/her password
on regular basis.
8
▪ Username Enumeration Prevention
Sometimes, the attackers try to get
access to a website using brute force
cracking. In this method, the attacker
doesn’t try to crack the code. Instead,
he/she tries to guess the username and
keeps guessing until valid username isn’t
entered. This module stops such attacks
by not displaying the error message.
This way the attacker won’t be able to
figure out if the username exists or not.
Thus, failing the brute force attacks.
9. ▪ Automated Logout
This module allows the administrator to
define a time limit for a session. It means
that the user will get logged out
automatically if he/she remains inactive for
a specific period.
9
▪ SpamSpan
The SpamSpan module allows the user
to obfuscate email addresses so that
spambots cannot collect them. This way
chances of malware and ransomware
attacks by spam emails are reduced
drastically.
10. ▪ Coder
The coder module allows the
administrators to verify that the website
code meets the Drupal coding standards.
10
▪ Secure Pages Hijack Prevention
This module prevents hijacked sessions
from accessing pages that are SSL-
enabled, while it allows users to stay
logged in while they’re on non-SSL
pages.
11. 3. CHOOSE
A REPUTED
HOSTING
PROVIDER
Drupal works efficiently on MySQL and PHP supported servers. So,
make sure you choose a server that supports Drupal. Opt for a reputable
hosting provider even if you have to spend an extra few bucks. The
hosting provider must perform regular backups and implements regular
fixes.
11
12. 4.
DOWNLOAD
RELIABLE
MODULES
12
Granted, modules take the experience of Drupal to the next level.
However, you should be very mindful before pressing the download
button. Make sure that the module has a sizable number of downloads.
The chances of a module being insecure are thin if a module has a good
number of downloads. Even if some vulnerability occurs, it will be solved
quickly as it affects a large population. Also look when it was updated the
last time. The higher number of updates it has, the better it is from a
security point of view.
14. “
Be it any website, e-commerce, social media, government or even a small blog, there always exists a
substantial risk of data getting compromised. These attacks have become a common phenomenon
nowadays.
Every month, we hear news of big data breaches. Such attacks are regarded as man-in-the-middle
(MITM) attacks. How do you prevent these attacks? Encryption. To secure the connection between the
user and the server, you must install an SSL certificate on the server.
As a result, cyber criminals won’t be able to intercept and tamper the information transferred back and
forth between the server and the client. Apart from the secure connection, SSL certificates also help
you fare better in the search engine rankings.
14
15. 6.
BLOCK
ACCESS TO
YOUR
IMPORTANT
FILES
15
Using .htaccess you can restrict access to some of your highly important
files such as install.php and upgrade.php. Use the below code to protect
your delicate files.
<FileMatch “(authorize|cron|install|updgrade).php”>
Order deny, allow
deny from all
Allow from 126.0.0.1
</FileMatch>
16. 7.
BACK UP
REGULARLY
16
Last but not the least. This practice is often underrated and ignored
by many website administrators. If your website gets hacked or you
lose its access because of ransomware attack, you can rebuild your
Drupal website if you have the data intact. So back up your site
regularly.
17. Final Words
When it comes to website security, nothing can be guaranteed.
One moment it all runs smooth as silk, and you could be staring
at your own shadow in the blank screen at the very next
moment. Let’s face it — you don’t want it, we don’t want it,
anybody doesn’t want it — except the culprits.
You must do everything in your hands to make sure that it
doesn’t happen to you. The aforementioned practices will
definitely help you take your Drupal website security to the next
level.
17
18. Thank you very much
for your time
18
If you have any questions about this document please
don’t hesitate to contact us at:
▪ https://cheapsslsecurity.com/blog/
▪ https://twitter.com/sslsecurity
▪ https://www.facebook.com/CheapSSLSecurities
▪ https://plus.google.com/+Cheapsslsecurity