Drupal Security: How to Secure & Protect Drupal
Posted on Posted in Security Advice

Drupal Security: How to Secure & Protect Drupal

How to secure a Drupal website

Knowing how to secure a Drupal website brings invaluable peace of mind to the people who depend on them. Learning how to improve Drupal site security lets you focus on business at hand, rather than constantly fixing problems as they arise.

Let’s cover the key aspects of securing your Drupal website.

Limit access to your Drupal site

Each individual with access to your Drupal website presents a set of risks that endanger the site as a whole. Here it’s wise to apply the principle of least privilege, or limiting access only to individuals who need it, and only for the least amount of time necessary.

Manage Drupal user accounts

Check user accounts to maintain awareness of who can log in, what type of access they have, and if they still need that access. Assign these people roles, which can use default settings or customized to include:

  • Administer — Perform any action on the site, such as adding content, and updating roles and permissions.
  • Access — Read-only access without the ability to add or modify content.
  • Create — Add content without the ability to modify it.
  • Maintain — Add and modify content.

Log in to Drupal admin, and then click People. Evaluate whether you need to remove users, or update their roles and permissions.

Click on Account Settings under People - Drupal
Click on Account Settings under People – Drupal

Use strong Drupal passwords

Like any website, Drupal depends on strong passwords to ensure every account is resistant to brute force attacks. Passwords that are easy to remember or speak might be more convenient, but they’re exponentially more vulnerable to automated scripts designed to crack passwords.

Make sure every password used to access your Drupal site includes these characteristics:

  • At least 1 uppercase character
  • At least 1 lowercase character
  • At least 1 digit
  • At least 1 special character
  • At least 10 characters (no more than two identical characters in a row)
A word about password keepers

These characteristics make passwords harder to guess, and also harder to remember. To help you keep track of and manage your passwords, use a password keeper to store and automatically enter passwords. There are a number of reputable free apps available, including LastPass, KeePass, and Myki.

Limit number of Drupal login attempts

Limiting login attempts to your admin interfaces helps prevent brute force attacks, where automated scripts attempt combinations of user name and password until one grants access.

By default, versions Drupal 7 and above limits logins to five failed attempts per user within six hours, and 50 per IP within one hour. If those are exceeded, further logins are blocked for six hours.

For versions prior to Drupal 7, you can add a security module that includes a feature for limiting login attempts. Download one, such as Login Security, from the Drupal module repository.

Restrict Drupal access to authenticated URLs

Use a Drupal security module or website firewall to allowlist IPs that can access your login page. This ensures only people you know and trust are able to bypass security and log in, effectively cutting off this attack vector used by bad actors.

Set up two-factor authentication (2FA)

Two-factor authentication is a security measure that relies on a device in your physical possession. Login credentials can be stolen or guessed, but 2FA requires access to a device like your desktop computer or mobile device. With 2FA in place, you must also enter a code sent to that device in order to log in to your Drupal user account.

You can set up two factor authentication via Drupal admin or by adding the module Two-Factor Authentication (2FA).

To set up two-factor authentication via Drupal admin:

  • Log in to Drupal admin.
  • Click Logged in as (your username). Your account page displays.
  • Go to Security, click Setup Application, and then enter your password.
  • Download the 2FA client for your device, and then open the 2FA client on your device.
  • On your device, enter the verification code from your Drupal admin session or scan the QR code. An application verification code displays.
  • In your Drupal admin session, go to Application verification code, enter the verification code from your device, and then click Verify and save.

Look for an email confirming you set up 2FA. Future logins will require you to enter a temporary code sent to your mobile device in addition to your Drupal username and password.

Monitor & detect Drupal hacks

Out of the box, Drupal comes with relatively strong security measures. However, there are numerous modules and other third-party technology you can employ to strengthen your Drupal website security.

Drupal security modules

Go to the Drupal module repository, and then search using the term security. You’ll find that over 1,500 modules come up. Here are five that merit immediate consideration:

  1. CAPTCHA — Implements a challenge-response test when users attempt to submit data.
  2. reCAPTCHA — Improves upon the CAPTCHA system.
  3. Backup and Migrate — Backs up and restores MySQL databases and code, and enables simpler site migration.
  4. Automated Logout — Logs out users after a specified period of inactivity.
  5. Two-Factor Authentication (TFA) — Adds a second login step beyond username/password, such as a code sent to a mobile device.

Drupal hosting security

The least secure types of hosting are typically easier to use, with plans often featuring an easy-to-understand interface and automated tasks like updating core files. A good rule of thumb is to select a plan requiring the greatest amount of manual interaction you can handle.

Less costly plans also tend to use shared environments. While these cost far less, your website risks infection should another site on the shared server get compromised. As you evaluate hosting providers, you’re likely to see these plans:

  • Managed hosting (beginner) — With automated functions and a shared environment, these plans are for people who have little hosting experience.
  • Shared hosting (intermediate) — Cost effectiveness comes with less security, as these plans use shared hosting. Site owners must install admin software like cPanel or Plesk.
  • Virtual private servers (advanced) — Featuring an isolated environment, these plans feature super-user permission and the ability to install any admin software.
  • Dedicated servers (pro) — With one website hosted on one server, mitigating risks such as cross-site contamination comes with a higher price and level of experience.

Drupal site owners with less experience should consider the first two options, while those with more knowledge and resources would benefit from the last two options. It’s also worth contacting hosting providers to see what kind of technical support they offer, as well as security services like malware scanning and removal.

Drupal backups

It would be unwise to assume a website will never encounter a problem that requires restoring a previous, healthy version. It’s essential to have a solution that regularly backs up versions of your website, and then lets you restore any of those backups as needed.

Some Drupal modules, such as Backup and Migrate, handle this function. Other third-party applications like our Website Security Platform offer a more robust solution. With either route you choose, make sure backups have these characteristics:

  • Offsite — Backups shouldn’t be stored on the website’s server because they often contain unpatched software with vulnerabilities. Their publicly-accessible location lets anyone exploit them to attack your live website. Off-site backups also help protect against hardware failure.
  • Automatic — Backups should be completely automated so they’re made on a regular basis. If a manual solution is your only option, make sure you schedule the backups regularly.
  • Redundant — According to Schofield’s Second Law of Computing, data doesn’t exist unless there are at least two copies. Your backup strategy has to include redundancy: backups of your backups.
  • Validated — Make sure the process actually works. Start with an empty web directory, and then verify backups will get all your data and the website back online with a test domain, using only the backup file.

To the inexperienced, maintaining volumes of backups might seem like overkill. But for the website owner who’s gone through the ordeal of recovering a hacked site, reliable backups are nothing short of a life-saver.

Drupal scanners

The longer a hack remains in place, the more damage it does and the more difficult recovery becomes. Regularly scan your Drupal website for issues or changes to file structures and extensions to stay on top of indicators of compromise.

When it comes to scanners, you’ll find they fall into two categories:

  • Remote — These scanners, including SiteCheck and UnmaskParasites, examine the public-facing components of your Drupal site, such as nodes and modules. They’re typically free and simple to use.
  • Server-side — Server-side scanners, such as the one included in our Website Security Platform, look not only at public-facing components, but deep into your website files and databases for a comprehensive wellness check.

Because remote scanners are typically free and easy to use, it’s safe to plan on scanning manually on an ad hoc basis. However, if you use a paid service for remote scans, be sure to configure automated functions like scan intervals and alerts.

Drupal Scanner - Sitecheck
Drupal Scanner – SiteCheck

Drupal security logs & audits

In many situations, you can apply common sense to figure out how to improve Drupal site security. When you maintain security logs, such as those provided by modules like Login History, you can check on important details like user logins and activity, timestamps, IP addresses, and password resets.

As you audit your logs, ask yourself questions like:

  • Who is logging in and why?
  • Why are they changing and why?
  • Why are they logging in at odd hours?
  • Did authentication succeed or fail?
  • Why was there a password reset?
  • Do file uploads seem normal?

Use common sense. For example, if a user is adding or deleting modules in the middle of the night, or if you’re getting a lot of failed logins from one IP, isolate the source of odd behavior and take the steps outlined throughout this guide to remediate the situation.

Drupal hardening tips

Learning how to improve Drupal site security involves hardening it against the most common attack vectors used by bad actors. Let’s take a look at the most important places to harden and the steps required.

Harden your web server

The server platform used by your Drupal website might seem like an unlikely target, but hackers continuously look for and attack web servers with lax security. Take these steps to harden your web server against attacks:

  • Avoid interfaces like cPanel or Plesk. These have their own sets of vulnerabilities that hackers can use as additional attack vectors.
  • Replace root logins with sudo access. Roof allows unlimited access, while sudo limits it only to specified actions.
  • Replace passwords with SSH keys. Rather than only remembering passwords, users must possess an SSH client that uses an encrypted connection.
  • Disable FTP/TCP/IP ports except 80, 443, 21, and 22. Filter port 22 for known IP addresses.

Harden PHP

PHP is a scripting language developed in 1994 that’s now used by more than 75% of sites on the web. Most CMS platforms, including Drupal, rely on it. This widespread adoption means PHP is also exploited by hackers, who can target the PHP configuration files on your web server. To protect your Drupal website, it’s necessary to harden this installation.

PHP hardening easily merits a guide all of its own. You can find many free resources to help you harden PHP yourself, such as guides you can find here. There are also extensions which work to patch PHP vulnerabilities. One of these is Suhosin, which is open source and free to download.

Delete unused databases

Keep your Drupal installation as clean as possible and avoid malware infections by removing old and unused databases. Before you start, copy your current Drupal database to a local file in case you need to roll back. Software like phpMyAdmin makes it easier to handle the administration of your database via the web.

Get started by making sure you have a recent backup of your site, and then putting your site in maintenance mode.

To enable maintenance mode for your Drupal website:
  • Log in to Drupal admin.
  • From Manage, go to Configuration, and then from Development, select Maintenance mode.
  • Tick Put site into maintenance mode.
  • In Message to display when in maintenance mode, enter a message for visitors during your updates.
  • Click Save configuration.
  • Verify your site is in maintenance mode with another browser or incognito tab.
Put the website in Maintenance mode - Drupal
Put the website in Maintenance mode – Drupal
Check the box Put site into maintenance mode - Drupal
Check the box Put site into maintenance mode – Drupal
To delete unused databases via phpMyAdmin:
        • Log in to phpMyAdmin.
        • Locate all databases and identify the one used in production.
        • Select and remove old and unused databases.
To disable maintenance mode for your Drupal website:
        • Log in to Drupal admin.
        • From Manage, go to Configuration, and then from Development, select Maintenance mode.
        • Untick Put site into maintenance mode.
        • In Message to display when in maintenance mode, delete the message for visitors during your updates.
        • Click Save configuration.
        • Verify your site is out of maintenance mode with another browser or incognito tab.
Uncheck the box Put site into maintenance mode - Drupal
Uncheck the box Put site into maintenance mode – Drupal

Disable the Drupal simpletest module

In order to avoid conflicts and possible security breaches remove or uninstall all unused modules from your Drupal installation, specifically the simpletest module.

Get started by making sure you have a recent backup of your site, and then putting your site in maintenance mode.

To enable maintenance mode & disable the Drupal simpletest module:
        • Log in to Drupal admin.
        • From Manage, go to Configuration, and then from Development, select Maintenance mode.
        • Tick Put site into maintenance mode.
        • In Message to display when in maintenance mode, enter a message for visitors during your updates
        • Click Save configuration.
        • Verify your site is in maintenance mode with another browser or incognito tab.
        • From Drupal admin, click Modules, and then tick Installed Modules.
        • Tick any unnecessary modules including simpletest, and then click Uninstall.

If the simpletest doesn’t appear in the modules list, you can delete it manually:

        • Use the same FTP client software as used in the installing process, with the same connection information.
        • Navigate to the Modules directory.
        • Move the simpletest module to your computer.
        • Remove the simpletest directory.
        • Check if your site is working correctly and keep the changes.

Please keep in mind the simpletest module is removed from core in Drupal 9.

To disable maintenance mode for your Drupal website:
        • Log in to Drupal admin.
        • From Manage, go to Configuration, and then from Development, select Maintenance mode.
        • Untick Put site into maintenance mode.
        • In Message to display when in maintenance mode, delete the message for visitors during your updates.
        • Click Save configuration.
        • Verify your site is out of maintenance mode with another browser or incognito tab.

Drupal security apps & services

Now that you’re closer to learning how to secure a Drupal website, let’s talk about some of the security apps and services that can make your life easier. We offer everything you need, but encourage you to shop around to ensure the right fit for your situation.

Drupal Web Application Firewall (WAF)

Sucuri’s team of security researchers keep the Drupal WAF updated with the latest threat signatures targeting Drupal. Those get blocked, while our Anycast CDN ensures greater site availability and load times that are 70% faster, on average. You can try our Drupal WAF free for 30 days.

Get Started

Drupal Security Platform

Our Website Security Platform includes multiple components (including the Drupal WAF) which work in sync for complete monitoring and detection, protection, and response.

Get Started

Drupal SSL certificates

An SSL certificate verifies that data transmitted to and from your website is encrypted by a secure sockets layer (SSL). While it doesn’t secure the site itself, it’s essential for protecting your visitors. In fact, it’s typically required for ecommerce merchants and other websites that store sensitive data, and search engines will even boost rankings for sites with an SSL.

Source link