Making Drupal secure with modules and a security audit
Posted by SecurityAuditTeam on Apr 1, 2016 in Security Blog
Drupal is one of the world’s most popular open-source content management systems and is written using PHP. Drupal also has a wide community of open-source developers who contribute to modules and Drupal themes.
Drupal was developed with security in mind and still receives regular updates that fix known security issues. Unfortunately, as with any other platform, attackers constantly look for and exploit vulnerabilities in Drupal, its themes and its modules.
Securing Drupal websites from Hackers
With online cyber-attacks forever on the rise, it makes sense to secure your Drupal installation as far as possible.
There are many steps you can take to achieve a higher level of security with Drupal. This tutorial guide takes you through the steps you need to know in order to secure your Drupal website from attackers, as far as is practical.
We will cover how to perform a security audit of your installation, how to set strong user names and passwords, how to set file permissions, and we will introduce a number of Drupal modules that can enhance your site's security.
- Drupal security audit
First of all, you should consider carrying out a Drupal security audit for your website. This will mean that you can produce a list of potential security issues which you can then address in order to secure your installation.
From simple matters such as changing file permissions and implementing strong passwords to data encryption, all security vulnerabilities should be addressed.
It is best to have some web development skills for the more complicated tasks, and if you are in any doubt you should seek the services of a professional web developer. It is easy for novices to break a website when they are unfamiliar with what they are doing!
Now let's take a look at the Drupal modules that can help with your site's security:
- Drupal Login Security
This is a great Drupal module that lets you secure your login forms. It limits failed login attempts: you set the limit yourself, and offending IP addresses can be blocked temporarily or permanently. The module can also be configured to email you a notification should anyone attempt a brute-force attack against your Drupal site's login page.
Drupal Login Security can also replace the Drupal core login message so that it does not reveal why the user was not authenticated. This makes it harder for an attacker to work out whether a given account name exists.
You can go to the Drupal website and download the module from this link: http://drupal.org/project/login_security
- Drupal Password Policy
Drupal has a Password Policy module that sets the rules passwords must follow. With it installed you can enforce constraints when a new password is created: minimum length, capital letters, special characters and numbers can all be made mandatory. The module also prevents the re-use of previous passwords, and you can set a password expiry time with it too.
Go to the Drupal website and download the module from this link: https://www.drupal.org/project/password_policy
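To make the policy rules above concrete, here is an added example (not the Password Policy module's own code) of a hypothetical checker that enforces length, character-class, reuse and expiry rules. The policy values, the PBKDF2 parameters and the `PasswordRecord` class are assumptions chosen for the example; previous passwords are kept only as salted hashes so that reuse can be detected without storing the passwords themselves.

```python
import hashlib
import hmac
import os
import re
import time

# Hypothetical policy values (assumed for this example; a real site sets its own).
POLICY = {
    "min_length": 12,
    "require_upper": True,
    "require_digit": True,
    "require_special": True,
    "history_size": 5,      # previous hashes kept to block reuse
    "max_age_days": 90,     # password must be rotated after this many days
}

SALT_LEN = 16
PBKDF2_ROUNDS = 50_000     # kept modest so the example runs quickly


def check_complexity(password, policy=POLICY):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("too_short")
    if policy["require_upper"] and not re.search(r"[A-Z]", password):
        problems.append("no_uppercase")
    if policy["require_digit"] and not re.search(r"[0-9]", password):
        problems.append("no_digit")
    if policy["require_special"] and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no_special")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; the salt is stored in front of the digest."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_hash(password, stored):
    """Constant-time comparison against a stored salt+digest blob."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(hash_password(password, salt)[SALT_LEN:], digest)


class PasswordRecord:
    """Per-user state: current hash, when it was set, and recent previous hashes."""

    def __init__(self):
        self.current = None
        self.set_at = 0.0
        self.history = []   # previous hashes, newest first

    def is_expired(self, now=None, policy=POLICY):
        now = time.time() if now is None else now
        return self.current is not None and now - self.set_at > policy["max_age_days"] * 86400

    def set_password(self, password, now=None, policy=POLICY):
        """Apply all rules; returns the violations, or [] if the change was accepted."""
        problems = check_complexity(password, policy)
        previous = ([self.current] if self.current else []) + self.history
        if any(verify_hash(password, h) for h in previous):
            problems.append("reused")
        if problems:
            return problems
        if self.current is not None:
            self.history = ([self.current] + self.history)[: policy["history_size"]]
        self.current = hash_password(password)
        self.set_at = time.time() if now is None else now
        return []


if __name__ == "__main__":
    record = PasswordRecord()
    print(record.set_password("Correct-Horse-Battery-9"))   # []
    print(record.set_password("Correct-Horse-Battery-9"))   # ['reused']
```

The `now` parameter exists only so that expiry can be exercised deterministically; a real implementation would read the clock.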
- Security Review
Security Review is a very useful module for Drupal website installations. With it installed, you can perform automated testing for a wide variety of potential security issues. This module can test for the following:
- Protection against phishing
- User access control
- System permissions that could allow arbitrary code execution
- Protection against cross-site scripting (XSS) by disallowing tags in input
- Safe error reporting
- Secure handling of private files
- Installation of only safe Drupal extensions
- Database errors and failed login attempts
- Protection against brute-force attacks
Download this module from Drupal here: https://www.drupal.org/project/security_review
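The file-permission items above (and the "changing file permissions" step of the audit section earlier) are easiest to understand with a concrete check. The following is an added example, not code from the Security Review module: a hypothetical `audit_drupal_tree()` walks a document root and reports world-writable paths, a writable `sites/default/settings.php`, PHP files sitting inside the public files directory (where a web server would execute them), and a private files directory placed inside the web root. `build_sample_tree()` constructs a throwaway Drupal-like tree with those defects so the audit has something to find.

```python
import os
import stat
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = {".php", ".phtml", ".phar"}


def audit_drupal_tree(docroot):
    """Return sorted (finding, relative_path) tuples for a Drupal document root.

    Hypothetical checks, assumed for this example:
      world_writable           - any file or directory with the o+w bit set
      settings_writable        - sites/default/settings.php writable by group or other
      php_in_files_dir         - executable script types under the public files directory
      private_files_in_webroot - a private files directory served from the web root
    """
    root = Path(docroot)
    findings = []
    for path in root.rglob("*"):
        mode = path.lstat().st_mode          # lstat: do not follow symlinks
        rel = path.relative_to(root).as_posix()
        if mode & stat.S_IWOTH:
            findings.append(("world_writable", rel))
        if rel == "sites/default/settings.php" and mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(("settings_writable", rel))
        if rel.startswith("sites/default/files/") and path.suffix.lower() in SCRIPT_SUFFIXES:
            findings.append(("php_in_files_dir", rel))
    if (root / "sites" / "default" / "private").is_dir():
        findings.append(("private_files_in_webroot", "sites/default/private"))
    return sorted(findings)


def build_sample_tree():
    """Constructed fixture: a minimal Drupal-like tree with deliberate mistakes."""
    base = Path(tempfile.mkdtemp(prefix="drupal-audit-"))
    files_dir = base / "sites" / "default" / "files"
    files_dir.mkdir(parents=True)
    (base / "sites" / "default" / "private").mkdir()      # wrong: private files inside web root
    settings = base / "sites" / "default" / "settings.php"
    settings.write_text("<?php\n$databases = array();\n")
    os.chmod(settings, 0o666)                              # wrong: writable by everyone
    good = files_dir / "logo.png"
    good.write_bytes(b"\x89PNG")
    os.chmod(good, 0o644)                                  # fine: a plain upload
    stray = files_dir / "upload.php"
    stray.write_text("<?php echo 'stray script';\n")      # wrong: script in the upload directory
    os.chmod(stray, 0o644)
    os.chmod(files_dir, 0o777)                             # wrong: world-writable directory
    return base


if __name__ == "__main__":
    for finding, rel in audit_drupal_tree(build_sample_tree()):
        print(f"{finding:26} {rel}")
```

Run against a real site, the same function is pointed at the Drupal document root; the fixture exists only so the example is self-contained.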
- Drupal Update Manager
Drupal updates are very important: new releases fix bugs found in earlier versions of Drupal. Drupal also pushes out updates containing security fixes automatically, and you must apply them. These fixes cover the themes and modules you have installed in your Drupal site as well.
You can go to the Drupal website and download the module from this link: https://www.drupal.org/documentation/modules/update
- Drupal Flood Control
Even the strongest user names and passwords can be cracked by brute force given enough time, and attackers often use this tactic to gain access to your valuable data. This module lets you limit failed logins by IP address, limit failed logins by username, and limit the number of emails sent out. Flood Control also protects you from small-scale denial-of-service (DoS) attacks.
Go to the Drupal website and download the module from this link:
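The Login Security and Flood Control sections both describe the same mechanism: count failed logins per IP address and per username over a time window, block when a threshold is reached, alert the administrator, and return a login message that does not say why the attempt failed. The following is an added example of that mechanism, not code from either module. The `LoginThrottle` class, its default limits, the constructed `USERS` store and the `login()` function are assumptions for the example; the user store uses a plain SHA-256 only to keep the example short, whereas a real site keeps a slow salted hash as Drupal core does.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed sample account store (hypothetical; plain SHA-256 for brevity only).
USERS = {"editor": hashlib.sha256(b"correct horse battery staple").hexdigest()}
GENERIC_FAILURE = "Sorry, unrecognized username or password."


class LoginThrottle:
    """Sliding-window failure counters keyed by client IP and by username.

    Blocking on either key defeats both a single-source brute force against
    many accounts and a distributed password spray against one account.
    """

    def __init__(self, ip_limit=50, user_limit=5, window=3600, notify=None):
        self.ip_limit = ip_limit
        self.user_limit = user_limit
        self.window = window                     # seconds
        self.notify = notify or (lambda msg: None)   # stand-in for the e-mail alert
        self.events = defaultdict(deque)         # key -> timestamps of failures

    def _count(self, key, now):
        q = self.events[key]
        while q and now - q[0] > self.window:    # drop failures outside the window
            q.popleft()
        return len(q)

    def is_blocked(self, ip, username, now=None):
        now = time.time() if now is None else now
        return (self._count(("ip", ip), now) >= self.ip_limit
                or self._count(("user", username.lower()), now) >= self.user_limit)

    def record_failure(self, ip, username, now=None):
        now = time.time() if now is None else now
        user_key = ("user", username.lower())
        self.events[("ip", ip)].append(now)
        self.events[user_key].append(now)
        if self._count(user_key, now) == self.user_limit:   # alert once, when the limit is hit
            self.notify(f"account {username!r} reached {self.user_limit} failed logins from {ip}")

    def clear(self, username):
        """A successful login resets the per-account counter (the IP counter is kept)."""
        self.events.pop(("user", username.lower()), None)


def login(throttle, ip, username, password, now=None):
    """Return (ok, message). The failure message is the same whether the account
    is unknown, the password is wrong or a block is in effect."""
    if throttle.is_blocked(ip, username, now):
        return False, GENERIC_FAILURE
    stored = USERS.get(username.lower())
    supplied = hashlib.sha256(password.encode()).hexdigest()
    if stored is not None and hmac.compare_digest(stored, supplied):
        throttle.clear(username)
        return True, "Welcome"
    throttle.record_failure(ip, username, now)
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    t = LoginThrottle(user_limit=3, notify=print)
    for attempt in range(4):
        print(login(t, "198.51.100.7", "editor", "guess%d" % attempt))
```

The `now` argument is only there to make the window behaviour testable; the e-mail notification is modelled as a callable so the alerting path can be exercised without a mail server.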
- Cross Frame Scripting
This module helps you implement a Content Security Policy (CSP) for your Drupal installation, which adds protection against a range of threats. It can check the Origin HTTP request header to prevent cross-site request forgery (CSRF) attacks against your application. It can also control the built-in XSS filter of Internet Explorer, Safari and Google Chrome via the X-XSS-Protection HTTP response header.
Another benefit is the prevention of content-type sniffing. An X-Frame-Options HTTP response header is included to prevent click-jacking of your application. It also protects against eavesdropping and man-in-the-middle attacks.
Go to the Drupal website and download the module from this link:
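The headers named above are easy to verify from the outside. Here is an added example, not the module's own code, of a hypothetical checker in two parts: `audit_response_headers()` lists hardening headers that are missing or carry a weak value from a dict of response headers, and `origin_allowed()` applies the Origin check a CSRF guard would apply to a state-changing request. The `EXPECTED` table, the weak/hardened sample responses and the choice of Strict-Transport-Security as the header behind the eavesdropping point are assumptions for the example.

```python
from urllib.parse import urlsplit

# Hardening headers this example expects, with the reason each one matters.
# (Strict-Transport-Security is assumed here to be what the eavesdropping /
# man-in-the-middle protection refers to.)
EXPECTED = {
    "content-security-policy": "restricts where scripts, frames and other resources may load from",
    "x-frame-options": "stops the page being framed (click-jacking)",
    "x-content-type-options": "stops browsers sniffing a content type other than the declared one",
    "x-xss-protection": "controls the legacy built-in XSS filter in IE, Safari and Chrome",
    "strict-transport-security": "keeps the browser on HTTPS so traffic cannot be intercepted",
}


def csp_weaknesses(csp):
    """Return descriptions of over-permissive CSP directives (empty list if none)."""
    weak = []
    for directive in csp.split(";"):
        parts = directive.split()
        if not parts:
            continue
        name, sources = parts[0], parts[1:]
        if name in {"script-src", "default-src"} and "'unsafe-inline'" in sources:
            weak.append(f"{name} allows inline scripts")
        if "*" in sources:
            weak.append(f"{name} allows any origin")
    return weak


def audit_response_headers(headers):
    """headers: dict of response header name -> value (names matched case-insensitively).
    Returns (header, 'missing'|'weak', explanation) tuples."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, why in EXPECTED.items():
        if name not in h:
            findings.append((name, "missing", why))
    if "x-frame-options" in h and h["x-frame-options"].upper() not in {"DENY", "SAMEORIGIN"}:
        findings.append(("x-frame-options", "weak", "value should be DENY or SAMEORIGIN"))
    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        findings.append(("x-content-type-options", "weak", "value should be nosniff"))
    for problem in csp_weaknesses(h.get("content-security-policy", "")):
        findings.append(("content-security-policy", "weak", problem))
    return findings


def origin_allowed(request_headers, site_origin):
    """CSRF guard for state-changing requests: the Origin header (or, failing
    that, the Referer's scheme and host) must match the site's own origin.
    A request carrying neither header is refused."""
    h = {k.lower(): v for k, v in request_headers.items()}
    origin = h.get("origin")
    if origin is None and "referer" in h:
        p = urlsplit(h["referer"])
        origin = f"{p.scheme}://{p.netloc}"
    if origin is None:
        return False
    return origin.lower() == site_origin.lower()


# Constructed sample responses: one as a typical unhardened site sends, one hardened.
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "ALLOWALL",
    "Content-Security-Policy": "default-src * ; script-src 'self' 'unsafe-inline'",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for finding in audit_response_headers(WEAK_RESPONSE):
        print(finding)
    print(audit_response_headers(HARDENED_RESPONSE))   # []
```

To audit a live site, capture the response headers with your HTTP client of choice and pass them to `audit_response_headers()`; the function itself makes no network calls.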
- Captcha
Nowadays it is important to test whether your site's visitors are humans or robots. Captcha lets your site test whether a visitor is a human or an automated script, which makes it a vital security precaution: it stops spam bots in their tracks.
You can go to the Drupal website and download the module from this link:
- Content Access
As another part of your Content Security Policy (CSP) you should consider installing the Content Access module too.
This module lets you define the permissions for your content types by user and by role.
It lets you set view, edit or delete permissions on any specific piece of content for a specific user or role. The module is built on the ACL API, so you will also need to install the ACL module for Content Access to work!
The Drupal website has a download link for the module here:
- Two-factor Authentication (TFA)
Two-factor Authentication lets you enable a second authentication factor for your Drupal website installation, adding an extra layer of security to the login process. It does this by asking new users to enter their phone number when the account is created.
It then sends a verification code each time the user attempts to log in: soon after entering their username and password, the user receives a one-time password on their mobile phone.
Go to the Drupal site at this link: https://www.drupal.org/project/tfa
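The second step of that flow, issuing and checking the one-time code, has a few details that decide whether it actually adds security: the code must be stored hashed, expire quickly, survive only a handful of guesses and work exactly once. The following is an added example of such a check, not the TFA module's code; the `SecondFactor` class, the `CODE_TTL` and `MAX_ATTEMPTS` values and the `send_sms` callable (standing in for a real SMS gateway) are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300        # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 3      # wrong guesses allowed before the code is discarded (assumed value)


class SecondFactor:
    """Issue and verify SMS-style one-time codes after the password check has passed."""

    def __init__(self, send_sms):
        self.send_sms = send_sms   # callable(phone, text); a real site calls an SMS gateway
        self.pending = {}          # username -> (code_hash, issued_at, failed_attempts)

    def issue(self, username, phone, now=None):
        """Generate a fresh six-digit code, store only its hash and deliver it out of band."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = (hashlib.sha256(code.encode()).hexdigest(), now, 0)
        self.send_sms(phone, f"Your login code is {code}")

    def verify(self, username, code, now=None):
        """Return True once for the right code inside the window; otherwise False."""
        now = time.time() if now is None else now
        entry = self.pending.get(username)
        if entry is None:
            return False
        code_hash, issued_at, attempts = entry
        if now - issued_at > CODE_TTL or attempts >= MAX_ATTEMPTS:
            del self.pending[username]           # expired or locked out: force a new code
            return False
        ok = hmac.compare_digest(code_hash, hashlib.sha256(code.encode()).hexdigest())
        if ok:
            del self.pending[username]           # single use
        else:
            self.pending[username] = (code_hash, issued_at, attempts + 1)
        return ok


if __name__ == "__main__":
    outbox = []
    sf = SecondFactor(send_sms=lambda phone, text: outbox.append((phone, text)))
    sf.issue("editor", "+15555550100")           # constructed phone number
    print(outbox[-1])
```

In a real deployment `issue()` runs only after the username and password have been accepted, and the code travels to the user through the gateway rather than into a list as it does here.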
This advice, together with a Drupal security audit and the modules above, will greatly enhance the security of any Drupal website installation.