Top 10 Practical Security Tips For Your Drupal Website
Drupal is a free, open-source platform for web content and user communities. It powers some of the busiest sites on the web and can be adapted to virtually any design. Drupal runs over a million websites, including the White House, the Louvre, the City of Los Angeles and the University of Oxford, and over the past years it has become a favourite CMS of large corporations and educational institutions. That reputation also makes Drupal sites a worthwhile target for attackers.
If you are a Drupal user and want to protect your website from attackers, keep reading. Here I will share the top 10 practical security tips that can strengthen your website's security, with many external references. Let's begin:
1. Follow Drupal Security News
Follow Drupal security news regularly so that you learn about security releases as soon as they are published. You can get security advisories from these places:
- Twitter (@drupalsecurity)
- Email list – register or log in on drupal.org, go to your user profile page and subscribe to the security newsletter on the Edit > My newsletters tab.
- Drupal Security advisories.
Every Drupal security advisory carries one of several risk levels (from "Not critical" up to "Highly critical"), which tells you how urgently to apply the fix. You can also calculate the risk level of a security issue yourself with the Risk Calculator.
2. Remove Unused Modules
If you are not using a module, remove it. Every module in your code base is code an attacker can reach and code you have to keep patched, and old, unmaintained modules are the ones most likely to carry known vulnerabilities. Note that in Drupal 7 disabling a module leaves its code on disk: uninstall it at /admin/modules/uninstall (so its database tables and variables are dropped too) and then delete its directory. Unused modules also slow the site down and bloat your Drupal installation.
Relevant References
- How to Uninstall a Drupal 7 Module.
- VIDEO: How to Remove Unused Drupal Modules.
3. Use Drush to Update your Website
Drush (Drupal Shell) is a command-line shell and scripting interface for Drupal, designed to make life easier for those who spend their working hours using the command prompt.
Downloading Drupal core and module releases from drupal.org and applying them to your code base by hand, over FTPS or through the admin interface, quickly becomes tedious and error-prone. Drush turns the whole process into a few commands.
To be able to use Drush command line interface, you need to have Drush installed and setup for your Drupal Website.
To see what would change before touching anything, list the projects that need updating:
drush pm-update --pipe (alias: drush up --pipe)
Then cross-check the release notes on drupal.org for each project listed, so you know what has changed.
You can also run the updates in a single process:
drush pm-update (alias: drush up)
This updates Drupal core, contributed modules and themes and runs any pending database updates. Take a database backup first; a failed update is far easier to recover from a dump than from a half-updated site. Note that pm-update exists in Drush 8 and earlier; Drush 9 and later drop it in favour of managing the code base with Composer.
It is important to keep your Drupal core and modules up to date: most security advisories are fixed simply by updating to the patched release.
Relevant References
- Specific instructions for installing Drush on Different Platforms.
- Drush Commands Reference.
- Drush Repository.
- Drush on Github.
- My top 10 Drush commands + read the comments section for other great Drush commands.
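As an added example (not code from the original post), here is a small Drush-based update routine that does the steps above in the right order: back up, look at what will change, update in maintenance mode, clear caches. It assumes Drush 7 or 8, a site alias such as @live, and that `drush pm-updatestatus --pipe` prints one project per line as name, installed version, recommended version and a status with spaces replaced by dashes (an assumption about the pipe format; the sample output below is constructed).

```shell
#!/bin/sh
# Added example: a Drush 7/8 update routine (not from the original post).
# Assumes: Drush 7/8, a site alias such as @live, and that
# `drush pm-updatestatus --pipe` prints one project per line as
#   <name> <installed-version> <recommended-version> <status-with-dashes>
set -eu

# Constructed sample of `drush pm-updatestatus --pipe` output (assumed format).
SAMPLE_STATUS='drupal 7.22 7.23 SECURITY-UPDATE-available
views 7.x-3.7 7.x-3.7 Up-to-date
ctools 7.x-1.3 7.x-1.4 Update-available
token 7.x-1.5 7.x-1.5 Up-to-date'

# Read status lines on stdin; print the names of projects with a security release.
security_updates() {
    awk '$4 == "SECURITY-UPDATE-available" { print $1 }'
}

# Read status lines on stdin; print the names of projects with any update at all.
pending_updates() {
    awk 'NF >= 4 && $4 != "Up-to-date" { print $1 }'
}

# Space-separated names of projects needing a security update in the sample.
sample_security_updates() {
    printf '%s\n' "$SAMPLE_STATUS" | security_updates | tr '\n' ' ' | sed 's/ $//'
}

# Full update run for one site alias. Every step is a real Drush 7/8 command.
update_site() {
    site="$1"
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p backups
    # Code base + database in one tarball; `drush archive-restore` can undo the update.
    drush "$site" archive-dump --destination="backups/site-$stamp.tar.gz"
    # Show what is about to change so the release notes can be cross-checked.
    drush "$site" pm-updatestatus
    drush "$site" vset maintenance_mode 1
    # -y answers the confirmation prompts; pm-update also runs pending
    # database updates (updatedb) for you.
    drush "$site" pm-update -y
    drush "$site" cache-clear all
    drush "$site" vset maintenance_mode 0
}

# Usage: sh drupal-update.sh update @live   (does nothing without arguments)
if [ "${1:-}" = "update" ]; then
    update_site "${2:-@self}"
fi
```

On a busy site you may prefer `drush @live pm-update --security-only -y` between regular maintenance windows, so that security releases go out immediately and feature updates wait for testing.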
4. Check Status Report on a Regular Basis
The status report in your Drupal admin at /admin/reports/status warns you about problems with your installation, such as an out-of-date Drupal core or modules, pending database updates, a writable settings.php, or cron not having run.
Also make sure that the core Update manager module is enabled at /admin/modules (it is enabled by default in the standard profile), so that Drupal checks drupal.org for new releases and, if you configure it at /admin/reports/updates/settings, emails you when a security update is available.
5. Limit Access to Your Important Files
You can block public access to sensitive files such as install.php and update.php, and to the .txt files that ship with Drupal core (CHANGELOG.txt alone reveals the exact core version you run), through the .htaccess configuration file.
The .htaccess file is located in the root of your Drupal install. By adding the block of code below to it, you deny access to those files from the public while still allowing it from specific IP ranges (the Allow from lines take IP address prefixes, not domain names).
Below is the standard block of code I use. Of course, change the IP range(s) to yours. As a second line of defence, check that settings.php keeps $update_free_access = FALSE; (the default), so that update.php requires an administrator login even when a request gets past the .htaccess rule.
```apache
# Drupal 7: restrict access to these files to specific IP ranges only.
# Do NOT include cron.php or authorize.php here; Drupal needs them reachable.
# This is Apache 2.2 syntax. On Apache 2.4 it only works with mod_access_compat
# loaded; otherwise replace the Order/Deny/Allow lines in each block with:
#   Require ip 128.112. 140.180.
# Replace 128.112. and 140.180. with your own IP range(s) (prefixes, not domains).
# Comments must sit on their own line: Apache does not accept them after a directive.

# Text files shipped with core that disclose the exact Drupal version.
<FilesMatch "^(MAINTAINERS|INSTALL|INSTALL\.mysql|CHANGELOG)\.txt$">
    Order deny,allow
    Deny from all
    Allow from 128.112. 140.180.
</FilesMatch>

# Installer and database update script.
<FilesMatch "^(install|update)\.php$">
    Order deny,allow
    Deny from all
    Allow from 128.112. 140.180.
</FilesMatch>

<FilesMatch "^web\.config$">
    Order deny,allow
    Deny from all
    Allow from 128.112. 140.180.
</FilesMatch>

# A stray backup file left in the docroot; adjust to whatever is actually there.
<FilesMatch "^test\.bak$">
    Order deny,allow
    Deny from all
    Allow from 128.112. 140.180.
</FilesMatch>

<FilesMatch "^php\.ini$">
    Order deny,allow
    Deny from all
    Allow from 128.112. 140.180.
</FilesMatch>
```
6. Limit Administrative Access
If you limit administrative access to a few people, you reduce the chance of an attacker compromising your site through one of their accounts. Revisit user access at /admin/people and make sure that the site's administrators have the appropriate level of access: exactly the permissions they need, no more and no less.
Only grant access where it is needed, and make every access policy deny by default. Keep a clear, documented list of roles and of who holds each one. Treat the permissions Drupal flags with the "give to trusted roles only" warning (administering users, permissions, modules or filters, for example) as equivalent to owning the site, and give them only to roles you would trust with the server itself.
Drupal has an excellent permissions management system that will allow you to manage access rights (More in the references below.)
Relevant References
- Users, roles and permissions in Drupal7.
- User Roles.
7. Secure your Login Operation
If you administer the website, restrict the number of failed and repeated login attempts, and make sure that the IP addresses trying to break into your website are banned, either temporarily or permanently. Drupal 7 core already has flood control (by default five failed attempts per account in six hours and fifty per IP address per hour), but it only blocks silently and tells nobody.
You can go further with the Drupal module called Login Security. This module lets you tune those limits, restricts unauthorized access attempts and also notifies you by email when they happen.
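Knowing that attempts are being blocked is only half of it; you also want to see who is hammering the login form. As an added example that is not part of the original post, the script below counts failed logins per source IP from the lines that Drupal's core syslog module writes. It assumes the Drupal 7 default syslog format (!base_url|!timestamp|!type|!ip|!request_uri|!referer|!uid|!link|!message) and core's "Login attempt failed for <name>." watchdog message; the log lines are constructed, not real traffic.

```shell
#!/bin/sh
# Added example (not from the original post): spot brute-force login attempts
# in the lines Drupal's core syslog module writes. Assumes the Drupal 7 default
# syslog format
#   !base_url|!timestamp|!type|!ip|!request_uri|!referer|!uid|!link|!message
# and the core "Login attempt failed for <name>." watchdog message.
set -eu

# Constructed sample syslog lines (not real traffic).
SAMPLE_LOG='Jan  5 10:00:01 web1 drupal: https://example.com|1420452001|user|203.0.113.5|/user/login||0||Login attempt failed for admin.
Jan  5 10:00:03 web1 drupal: https://example.com|1420452003|user|203.0.113.5|/user/login||0||Login attempt failed for admin.
Jan  5 10:00:04 web1 drupal: https://example.com|1420452004|user|198.51.100.7|/user/login||0||Login attempt failed for editor.
Jan  5 10:00:05 web1 drupal: https://example.com|1420452005|user|203.0.113.5|/user/login||0||Login attempt failed for root.
Jan  5 10:00:06 web1 drupal: https://example.com|1420452006|user|198.51.100.7|/user/login||3||Session opened for editor.
Jan  5 10:00:07 web1 drupal: https://example.com|1420452007|user|203.0.113.5|/user/login||0||Login attempt failed for administrator.
Jan  5 10:00:09 web1 drupal: https://example.com|1420452009|user|203.0.113.5|/user/login||0||Login attempt failed for admin.
Jan  5 10:00:10 web1 drupal: https://example.com|1420452010|page not found|203.0.113.5|/wp-login.php||0||/wp-login.php'

# Read log lines on stdin, count failed logins per source IP and print
# "<ip> <failures>" for every IP at or above the threshold, most failures first.
# Field 3 is the watchdog type, field 4 the client IP, field 9 the message.
failed_logins_by_ip() {
    limit="$1"
    awk -F'|' -v limit="$limit" '
        $3 == "user" && $9 ~ /^Login attempt failed/ { n[$4]++ }
        END { for (ip in n) if (n[ip] >= limit) print ip, n[ip] }
    ' | sort -k2,2nr -k1,1
}

# Same, over the constructed sample: a self-check that needs no real log.
sample_offenders() {
    printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip "$1"
}

# On a real box (syslog module enabled, rsyslog writing to /var/log/syslog):
#   failed_logins_by_ip 20 < /var/log/syslog
```

The addresses this prints are candidates for the core IP address blocking page at /admin/config/people/ip-blocking (or for a firewall rule); the threshold should sit well below the point where the attacker gives up and well above what your own users produce by mistyping.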
8. Block User #1
The Drupal account created during installation (user #1) is special: in Drupal 7 it bypasses all permission checks, whatever roles it has. Failing to secure this account leaves a single credential that grants full control of the site.
First create another administrator account (a user with the administrator role) and confirm that you can log in with it. Then go to /admin/people, edit user #1 and set its status to Blocked. Give it a long, unique password anyway, because the account can always be unblocked again.
Relevant Reference
- Securing user #1.
9. Backup your Drupal Website
This tip applies to Drupal and to any other CMS. Get into the habit of backing up your Drupal site, both the files and the database, on a regular basis. If your website is hacked, you can recover from your last clean backup. Keep several generations, because a compromise is often discovered long after it happened and the most recent backup may already contain the attacker's changes.
You can back up your files and database manually, automatically with the Backup and Migrate module, or with Drush (sql-dump for the database, archive-dump for files and database together).
Backups that cannot be restored are not worth much, so test restoring your backups from time to time, ideally into a staging copy of the site.
Relevant References
- Backing up a site.
- Backup your database and files.
- Backup Using the Command Line.
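The cheapest restore test is to check that a dump is actually complete before it is filed away. As an added example (not code from the original post, and not the Backup and Migrate module), the script below takes a gzipped database dump with Drush and verifies it by looking for the "-- Dump completed" line that mysqldump writes at the end of every finished dump; a dump cut short by a full disk or a killed process does not have it. It assumes Drush 7 or 8 on a MySQL-backed site, a site alias such as @live, and that `sql-dump --gzip` appends .gz to the result file; the sample dumps it builds for the self-check are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): dump a Drupal database with
# Drush and verify that the dump is complete before trusting it.
# Assumes Drush 7/8, a MySQL-backed site, a site alias such as @live, and that
# `drush sql-dump --gzip --result-file=X` writes X.gz (assumption).
set -eu

# Dump the database, gzipped, into backups/<alias>-<stamp>.sql.gz; print the path.
dump_database() {
    site="$1"
    stamp=$(date +%Y%m%d-%H%M%S)
    file="backups/$(printf '%s' "$site" | tr -d '@')-$stamp.sql"
    mkdir -p backups
    drush "$site" sql-dump --gzip --result-file="$PWD/$file"
    printf '%s\n' "$file.gz"
}

# Return 0 if the gzipped dump is non-empty and ends with mysqldump's completion
# marker, 1 otherwise. A truncated dump fails here instead of at restore time.
verify_dump() {
    f="$1"
    [ -s "$f" ] || return 1
    gzip -dc "$f" | tail -n 1 | grep -q '^-- Dump completed' || return 1
}

# Restore drill: load a dump into a throwaway site (never the live one).
# `drush sql-drop` empties the target database; `drush sql-cli` reads SQL on stdin.
restore_dump() {
    site="$1"
    f="$2"
    verify_dump "$f" || { echo "refusing to restore incomplete dump $f" >&2; return 1; }
    drush "$site" sql-drop -y
    gzip -dc "$f" | drush "$site" sql-cli
    drush "$site" cache-clear all
}

# Constructed sample dumps for a self-check: one complete, one cut short.
write_sample_dumps() {
    dir="$1"
    printf '%s\n' '-- MySQL dump 10.13  Distrib 5.6.22' \
        'CREATE TABLE `users` (`uid` int);' \
        '-- Dump completed on 2015-01-05 10:00:00' | gzip -c > "$dir/complete.sql.gz"
    printf '%s\n' '-- MySQL dump 10.13  Distrib 5.6.22' \
        'CREATE TABLE `users` (`uid` int);' | gzip -c > "$dir/truncated.sql.gz"
}

# Usage: f=$(dump_database @live) && verify_dump "$f" && restore_dump @staging "$f"
```

Run the verify step from the same cron job that takes the backup, and have it alert (exit non-zero, mail, whatever your monitoring watches) when it fails; a backup job that silently produces empty files is the classic way to discover on the day of the incident that there is nothing to restore.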
10. Choose a Safe and Reliable Hosting
Last but not least, there are countless web hosting companies nowadays, but not all of them offer a safe and well-maintained environment (they will not tell you that). Choose a reliable host that reduces your exposure with TLS (SSL) certificates, SSH and SFTP instead of plain FTP, firewalls and a promptly patched server stack, and that has responsive customer support for the day you run into trouble with your website.
Bottom line: do your homework before you choose your hosting company.
Wrapping Up!
In this post I discussed ten practical security tips that protect your Drupal website from attackers. By following them you can strengthen your Drupal website's security quickly and with little effort.
I also listed many excellent external references on Drupal security throughout the post. Go ahead and check them out to deepen your knowledge.