Top 10 Practical Security Tips For Your Drupal Website

Drupal is a free, open-source platform for web content and user communities. It powers some of the busiest sites on the web, and can be adapted to virtually any design. Drupal runs over a million Websites, including the White House, Louvre, Los-Angeles City and the University of Oxford. Drupal over the past years has become the most favorite CMS for large corporations and educational institutions. All this reputation and fame attracts hackers and crackers.

If you are a Drupal user and wants to protect your website from hackers and attackers, then keep reading. Here, I will share with you the Top 10 Practical Security tips that can strengthen your website’s security with many external references. Let’s begin:

Securing your Drupal Website - Boutros AbiChedid.

1. Follow Drupal Security News

Follow the Drupal security news on a regular basis in order to get alerts of any security updates. You can also get security advisories from these places:

There are several Security risk levels defined in Drupal. You can also calculate the risk level for a security issue with the Risk Calculator.

2. Remove Unused Modules

If you are not using a module, just remove it. Old modules present a security risk and increase maintenance time. Also unused modules will slow down the system and bloat your Drupal installation.

Relevant References

3. Use Drush to Update your Website

Drush (Drupal Shell) is a command-line shell and scripting interface for Drupal, designed to make life easier for those who spend their working hours using the command prompt.

It gets annoying and time consuming very quickly when downloading Drupal modules and core from Website and applying them to your Drupal code base manually through FTPS or through the Admin’s interface. If you want to make this a smooth experience, you can use several Drush commands.

To be able to use Drush command line interface, you need to have Drush installed and setup for your Drupal Website.

You can cross-check what has changed

pm-update --pipe (alias: up --pipe): lists projects that need to be updated. Well, you can then go to and cross-check the release notes to view what has changed.

You can also run the updates in a single process

Drush pm-update (alias: up) – Update modules, Drupal core and themes and also install any pending database updates.

It is important to keep your Drupal core and modules up-to-date.

Relevant References

4. Check Status Report on a Regular Basis

The Status report, in your Drupal Admin at /admin/reports/status will warn you about any issues with your code base, such as out of date Drupal core, modules or database updates.

Also make sure that, the core update manager module at /admin/modules is enabled (this module is enabled by default) so that you can get update notifications on a regular basis.

5. Limit Access to Your Important Files

You can block the access to some important files, such as upgrade.php, install.php file and update.php through .htaccess configuration file.

The .htaccess file is located in the root of your Drupal install. By adding the block of code to your .htaccess file, you can restrict the access to some sensitive files from the public and allowing access to specific domains.

Below, is the standard block of code I use. Of course, change the domain(s) or block of domains to yours.

#Drupal7-Restrict access to these files to specific domains only.
#Do NOT INCLUDE cron.php, authorize.php  - not needed here. 
   Order deny,allow
   deny from all
   Allow from 128.112. 140.180.
 <FilesMatch "(install|update).php">
   Order deny,allow
   deny from all
   Allow from 128.112. 140.180.  #put your domain(s) here.
<FilesMatch "web.config">
   Order deny,allow
   deny from all
   Allow from 128.112. 140.180.  #put your domain(s) here.
<FilesMatch "test.bak">
   Order deny,allow
   deny from all
   Allow from 128.112. 140.180.  #put your domain(s) here.
<FilesMatch "php.ini">
   Order deny,allow
   deny from all
   Allow from 128.112. 140.180.  #put your domain(s) here.

6. Limit Administrative Access

If you limit administrative access to few people, you will have less of a chance of an attacker compromising your site down the road. Revisit user access at /admin/people and make sure that the site’s Admins have the approriate level of access. They have exactly the permissions they need, NO MORE AND NO LESS.

Only allow access where it is needed, and make all access policies deny by default. There needs to be a clear, documented roles of who has access to what.

Drupal has an excellent permissions management system that will allow you to manage access rights (More in the references below.)

Relevant References

7. Secure your Login Operation

If you are the website’s administrator, then it is better to restrict the number of invalid and repetitive login attempts, and also make sure that the originating IP addresses trying to break into your Website are banned either temporarily or permanently.

You can do this by using a Drupal module called Login Security. This module not only restricts unauthorized access attempts, but also notifies you by email.

8. Block User #1

The Drupal account created during installation (user #1) is a special account that has all the permissions by default. Failing to secure this account could result in potential security risks.

Go to /admin/people, choose the user#1, and make sure that the user’s status is blocked. First make sure that you already created another Admin account.

Relevant Reference

9. Backup your Drupal Website

This tip applies to Drupal and to any other CMS. Always have the habit of backing up your Drupal site on regular basis. In case your Website has been hacked, you can recover from your last backup.

You can backup your files and Database manually or you can backup automatically using the Backup and Migrate module or you can use Drush to backup.

Backups that can not be restored are not worth much, so make sure to test your backups from time to time.

Relevant References

10. Choose a Safe and Reliable Hosting

Last but not least, there are countless of web hosting companies nowadays, but not all of them offer a safe and protected environment (They won’t tell you that). Thus, it is better for you to select a reliable web host that can reduce hacking frequencies by using some of the cutting-edge technologies such as SSL, SSH, and Firewalls and also have excellent and responsive customer support in the event you encounter issues with your Website.

Bottom Line, do your homework before you choose your hosting company.

Wrapping Up!

In this post, I discussed top 10 practical security tips for your Drupal Website to protect your site from hackers and crackers. By following these handy tips, you can strengthen your Drupal website’s security quickly and easily.

Also in this post I listed many excellent external references relating to Drupal security. Go ahead check them out and strengthen your knowledge.

If you have anything to say, please share your opinion in the comments section. Your opinion matters, unless it is a Spam.

About the Author |
Boutros is a professional Drupal & WordPress developer, Web developer, Web designer, Software Engineer and Blogger. He strives for pixel perfect design, clean robust code, and user-friendly interface. If you have a project in mind and like his work, feel free to contact him. Connect with Boutros on Twitter, and LinkedIn.
Visit Boutros AbiChedid Website.

Comments are closed.