A‌ ‌deep‌ ‌dive‌ ‌into‌ ‌Drupal‌ ‌security‌ ‌secrets‌

09 Sep 2020

Hello, dear reader! How is your website doing? Are you sure cyber criminals are not tempering with its data at this very moment? Without any rest or quarantine, they keep inventing new ways to compromise websites.

But there is also good news — your Drupal website can have a reliable protection. Drupal is a very secure system by itself, but you also have to use the right security practices in order to protect your site from trespassers. Welcome to explore Drupal security with the Golems Drupal development team.

Why is Drupal secure?

Drupal security is always listed among its strengths. It is recognized by industry experts. Let’s see what makes Drupal secure.

  • Open-source. Drupal is open-source, which means anyone can read its source code. Some people think it’s bad for security, because it allows hackers to take advantage of bugs. However, in reality, open source software is safer, because tracking and fixing security holes in it is quick and easy. This is done by active communities and dedicated security teams. In addition, absolutely anyone can report a security bug publicly, which adds openness and transparency to the process.
  • Security team. When it comes to a security team, Drupal can boast a very vigilant and professional one. They constantly monitor the security of the Drupal core and contributed modules, and whenever they spot a security vulnerability, they quickly spread information about it through so-called “security advisories.” They also fix the security issues and release Drupal security updates. Drupal security “guards” help developers fix bugs in their contributed projects and write user guides about security.
  • Coding standards. Strict coding standards are another Drupal security secret. Adherence to them significantly increases website safety. These standards are observed for the Drupal core and the best contributed modules and themes.
  • Encryption. Drupal security wins from a wide use of encryption techniques. For example, user passwords are saved in the database after they get encrypted. You can also set up encryption for any website components or for the entire database.
  • Permissions. One of the things a website admin immediately notices in Drupal is a detailed list of specific permissions for users based on their roles. This is a way towards a more granular control over users’ access to various actions on your website.
  • Security modules. Finally, Drupal has a wealth of security modules that serve different purposes and protect websites from different angles. We will give them a more detailed review in the next part of this blog post.

Necessary Drupal security practices

1. Regularly update your Drupal core and modules

Community contributions in the form of updates to the Drupal core, modules, and themes, regularly address various security issues. One of the key Drupal security tips is to simply use the latest versions of everything.

It’s easy to track the updates on your Drupal admin dashboard. They are listed on the Reports — Available Updates tab. You can easily see which Drupal core version you need, and which contributed modules and themes also require new versions. Optionally, click “Check manually” to run a check again.

All update operations should be performed after putting your website into the maintenance mode (the Drupal UI should do it automatically for you), with the backups done, and with database updated afterwards. Here are two key ways to perform an update:

  • Via the Admin UI. Click “Download” next to the specific module and then install it by clicking the “Install new module or theme” button. Or go to the “Updates” subtab, select all the projects you want to update, and click “Download these updates” at the bottom of the page. This procedure may require FTP access to your server.
  • Via Drush or Composer. When it comes to updating Drupal core, modules, and themes, the best practice is do it with the help of command-line tools such as Drush and Composer. They have commands to update modules to specific versions, to run security updates only, to update the Drupal core, and so on.

2. Restrict access to your files

An important Drupal security practice is setting up the right permissions to read, write, or modify your site’s files and directories. Drupal offers a guide on file permissions. Special attention needs to be paid to such files as cron.php, upgrade.php, authorize.php, and install.php. Access to them should be strictly prohibited to anyone except the primary administrator. The settings are available in the .htaccess file.

3. Set up the right user permissions

We have already mentioned the strong system of roles and permissions in Drupal. You can create any user roles based on your business scenarios and workflows. In addition to the default Administrator, Authenticated user, and Anonymous, these can be, for example, Blogger, Editor, Teacher, Broker, Vendor, Subscriber, etc. Each role has a set of very detailed permissions that you can (and should!) review and edit regularly, or whenever a new feature is introduced. All role and permission management is available on the People tab.

4. Get an SSL certificate

Using SSL for secure connection has become a standard of the web. An SSL certificate provides an encrypted exchange of data between the server and the browser according to the HTTPS (Hypertext Transfer Protocol Secure). Thanks to SSL, data becomes impossible to tamper with. You can buy an SSL certificate or get a free one from the Let's Encrypt non-profit authority. There are Drupal modules that help you with this such as LetsEncrypt, Drupal Letsencrypt, and more.

5. Do regular backups

If you have a good hosting provider, you probably have your data backups. They may come in handy in emergency cases if data recovery is needed. However, it’s better to not rely solely on your provider’s backups. You should set up your own regular backups of the database and Drupal file directory.

6. Use strong usernames and passwords

Using strong usernames and passwords helps you keep your site safe from brute force attacks. Unfortunately, many organizations stick to primitive options like “admin,” “111,” “administrator,” “test,” “adminuser,” “qwerty,” “password,” “1234567,” etc. Instead, they should use unique combinations of letters in the uppercase and lowercase, digits, and underscores. The number of symbols in a good password starts with 10. You can make strong passwords required by using modules like Password Strength or Password Policy that we are going to review in the Modules part (8).

7. Enhance your authentication policies

Prevent malicious users from entering your website by strengthening your authentication processes. These can be additional authentication factors like email verification, security questions, one-time passwords, SMS codes, etc. Use the CAPTCHA technique for protection from spam bots. It’s also a good Drupal security practice to limit the duration of a user session and provide automated logout. There are plenty of modules in this area, some of which we will describe in the Modules part (8).

8. Rely on Drupal security modules

For implementing the above and many more Drupal security practices, you can rely on special modules in this sphere. Their selection depends on your website’s configuration and requirements, however, here are some very nice ones for you to consider:

  • Security Kit helps you set up the HTTP response headers for protection against cross-site scripting, cross-site request forgery, clickjacking, and other attacks.
  • Paranoia finds places where it’s possible for users to evaluate PHP on your website via the administrative interface and then blocks this possibility.
  • Security Review gives your website a quick test on a number of factors such as safe file system permissions, safe upload extensions, absence of dangerous tags in content, etc.
  • Secure Login makes sure logins and other sensitive data is transmitted via HTTPS, even if the website uses both HTTP and HTTPS.
  • Login Security allows website admins to limit the number of login attempts, block a user by IP, be informed about brute force attack attempts, etc.
  • CAPTCHA adds a special test with an image to determine whether the user is human. This prevents submissions from spam bots or automated scripts.
  • Two-factor Authentication (TFA) adds a second step to user authentication by means of one-time passwords (TOTP), pre-generated codes, or integrations with Authy, Duo and other TFA services.
  • Password Policy enforces requirements that user passwords on your website should meet (the number of uppercase letters, digits, etc.)
  • Password Strength is a password enforcement tool that checks password strength based on the entropy of the common password patterns.
  • Automated Logout enables website administrators to automatically log users out after a certain time of inactivity.
  • Session Limit gives administrators an opportunity to limit the number of sessions a user can have simultaneously.
  • ClamAV checks all files that are uploaded to your site for viruses and makes sure the infected ones are not saved.
  • Ckeditor Nofollow will protect your website from spam links by adding rel="nofollow" to links using the CKEditor widget.
  • Anti Spam by CleanTalk serves as an invisible anti-spam protection that prevents spambot registrations, spam comments, and spam in contact forms.
  • Antibot is a lightweight module that protects your website from robotic form submissions in an innovative way — without interaction with users.
  • SpamSpan filter makes email addresses hard to access for spam bots that could otherwise collect them for newsletter spam.

9. Use security scanners on your Drupal website

There is never too much safety, so you can do regular checks with security scanners. Here are some of them that can be used for Drupal websites.

  • Drupal Vulnerability Scan by Pentest-Tools checks your Drupal website for vulnerabilities in the core, add-on modules and themes, and weak configuration that might need improvement.
  • Drupal Vulnerability Scanner by Acutenix is a fully-fledged security scanning tool that runs tests for vulnerabilities on your Drupal website. It is built with performance in mind, so it works fast even on high-traffic sites.
  • Drupal Security Scan by Hacker Target performs a simple, non-intrusive check of your Drupal website to quickly identify potential security issues, web server reputation issues, configuration errors, and more.
  • SUCURI SiteCheck scans your website for malware or viruses, checks its blacklist status, finds outdated CMS extensions, detects security-related configuration issues, and gives you useful safety recommendations.
  • Quttera offers malware detection and removal, a Web Application Firewall (WAF) to protect websites from malicious visits, domain blacklist checking, and other tools to keep your site safe. It works on a number of CMSs including Drupal.
  • SiteLock is a multi-purpose cybersecurity tool that works on any CMS and includes malware scanning functionality. You can run website checks against cyber threats, spam, XSS, SQLi, and more.
  • Detectify is a security scanning tool designed for multiple CMSs including Drupal, for which it has specific tests. Detectify’s team has created 2000+ security tests and updates them every week to meet upcoming vulnerabilities.
  • Droopescan is a plugin-based scanner that helps you identify security risks on your website. According to the creators, it is primarily meant for SilverStripe and WordPress but has partial functionality for Drupal.
  • Sqreen checks your website against common cyber threats such as cross-site scripting (XSS), SQL injection, DDoS attacks, clickjacking, MIME confusion, account takeover, communication data tampering, etc.

Stay safe with Golems!

Need a hand in installing and configuring Drupal security modules in the right way and implementing the best Drupal security practices on your website? Contact us! Security optimization as one of our Drupal services. We will be happy to help you stay safe!