Web Security And Drupal – What You Should Know
Drupal has become one of the most popular solutions for web developers who prefer a more reliable and secure content management system. Drupal has an excellent community of professional developers worldwide who play a big role in making it more secure by contributing a variety of themes, modules, and new features. It also comes prepacked with the complete LAMP set of modules, so frequently updating it is the best possible way of making that security last.
Just by regularly updating Drupal and the proprietary set of modules, the probability of your server being compromised drops by up to 30%. That said, no matter how secure it is, it still has some vulnerabilities, because modules and themes are contributed not only by the developers but also by the users, which poses a certain degree of risk. To help you combat that risk, we have prepared these five security modules, which can easily be integrated into Drupal.
1. Login Security
This is one of the first modules you should enable in order to raise the security level of your website’s login operation. Although Drupal prevents IP access to complete content by default, with this module the admin can control access to the server by using a basic login form. This allows the admin to deny access to the website based on the IP, or to block the IP after a certain number of login attempts. Another great feature is that the admin gets a notification via email every time someone tries to use the login form. Alternatively, the Login Security module can disable Drupal’s login error messages, making it even more difficult for the attacker to find out whether an account actually exists.
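The blocking and error-message behaviour described above, sketched as an added standalone Python example; it is not the Login Security module's code. The class and function names, the thresholds and the demo account are assumptions made for illustration.

```python
from collections import defaultdict, deque

GENERIC_ERROR = "Unrecognized username or password."  # identical for every failure
BLOCKED_ERROR = "Too many failed login attempts from this address."

class LoginGuard:
    """Counts failed logins per IP and blocks an IP that exceeds the limit."""

    def __init__(self, max_failures=3, window=900, block_for=3600):
        self.max_failures = max_failures    # failures tolerated inside the window
        self.window = window                # seconds over which failures are counted
        self.block_for = block_for          # seconds a blocked IP stays blocked
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> time at which the block expires
        self.admin_mail = []                # stand-in for the e-mail notification

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def record_failure(self, ip, username, now):
        recent = self.failures[ip]
        recent.append(now)
        while recent[0] <= now - self.window:  # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.blocked_until[ip] = now + self.block_for
            recent.clear()
            self.admin_mail.append(f"{ip} blocked, last username tried: {username!r}")

def login(guard, verify, ip, username, password, now):
    """Return (logged_in, message); `verify` is the site's own credential check."""
    if guard.is_blocked(ip, now):
        return False, BLOCKED_ERROR
    if verify(username, password):
        guard.failures.pop(ip, None)        # a success resets the counter
        return True, "Logged in."
    guard.record_failure(ip, username, now)
    # Unknown user and wrong password get the same text, so the response
    # does not reveal whether the account exists.
    return False, GENERIC_ERROR

# Constructed demo account; a real site compares against a salted password hash.
def demo_verify(username, password):
    return username == "alice" and password == "correct horse"
```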
2. Password Policy
Password Policy is a module that defines or limits the password policies. To elaborate more on this, a hacker can use the reset password form in order to gain access to the website, and this module makes the password changing process a little more complicated for the average user, but allows for far greater security. Each limitation calls for a particular parameter which has to be satisfied, and some of those parameters in the latest version of Drupal include:
- Character types
- Delay
- Digit
- Digit placement
- Length
- Letter
- Letter/Digit
- Lowercase
- Uppercase
- Username
- Punctuation
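How several of the listed constraints can be evaluated against a candidate password, as an added standalone Python example rather than the Password Policy module's own code. The policy keys and the meaning given to each constraint are assumptions: "character types" counts distinct classes, "username" rejects a password containing the username, and "digit placement" allows a leading or trailing digit only when the password has at least that many digits. Delay and Letter/Digit are not covered.

```python
import string

def violated_constraints(password, username, policy):
    """Return the names of the policy constraints that `password` fails."""
    counts = {
        "digit": sum(c.isdecimal() for c in password),
        "letter": sum(c.isalpha() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "uppercase": sum(c.isupper() for c in password),
        "punctuation": sum(c in string.punctuation for c in password),
    }
    # Minimum-count constraints: each policy value is the required minimum.
    failed = [name for name, n in counts.items() if n < policy.get(name, 0)]

    if len(password) < policy.get("length", 0):
        failed.append("length")

    # Character types: how many distinct classes appear at least once.
    classes = ("digit", "lowercase", "uppercase", "punctuation")
    if sum(counts[c] > 0 for c in classes) < policy.get("character_types", 0):
        failed.append("character_types")

    # Username: the password must not contain the account name.
    if policy.get("username") and username and username.lower() in password.lower():
        failed.append("username")

    # Digit placement: a digit at either end is allowed only when the
    # password holds at least this many digits (stops "password1").
    edge_digit = password[:1].isdecimal() or password[-1:].isdecimal()
    if edge_digit and counts["digit"] < policy.get("digit_placement", 0):
        failed.append("digit_placement")

    return failed

# Constructed sample policy for the demonstration.
DEMO_POLICY = {
    "length": 10, "digit": 2, "lowercase": 1, "uppercase": 1,
    "punctuation": 1, "character_types": 4, "digit_placement": 2,
    "username": True,
}
```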
3. Security Review
Hailed as one of the most useful Drupal modules available, Security Review is a module used to automatically test for easy-to-make security errors. It only takes a couple of clicks to install and is fairly easy to operate. It contains security features such as protection against XSS and arbitrary code execution, protection against access misconfiguration and brute-force password cracking attempts, securing private files, avoiding the disclosure of information, protection against phishing, etc. What you need to remember is that this module doesn’t make any changes automatically: you have to manually secure the website by using the results provided by the checklist.
4. TFA or Two-factor Authentication
Although the Drupal admin area requires you to generate a username and a password in order to warrant authentication, this process can be made more secure by adding the TFA or Two-factor Authentication module. It requires an additional authentication step by requesting you to enter a special code received via email, SMS or an authentication app such as Google Authenticator. It also supports a number of context-specific exceptions and fallback methods you can use on both your server and your website.
It is a base module, which means it integrates into Drupal by itself and provides the admin with a well-tested and flexible interface for enabling different two-factor authentication options, including pre-generated codes, SMS-delivered codes, TOTP (time-based one-time passwords), and integration of third-party services. All the data stored by the module is encrypted using the PHP mcrypt library, which means that you will have to install the mcrypt extension in order to use this module.
5. Secure Pages Hijack Prevention
Another excellent module for an additional layer of security, it prevents hijackers from accessing the SSL pages, while at the same time allowing the users to stay logged in while browsing any non-SSL pages. This module also provides security for the login form, both on the login block and on the user page. This is why Web Design experts from Sydney recommend installing this module for all securepages users looking for an added level of website, as well as server, security.
These are just some of the security modules available for the Drupal content management system. Other modules you might find useful include the Update Manager, Content Access, ACL, CAPTCHA and SpamSpan filter. Using them will ensure that you have the best protection against attackers and vulnerabilities, but bear in mind that the more modules you have installed, the greater the chances of your website loading slower. Think about what kind of website you’ll be making, who will be its core user group and what type of content and information you will be hosting, and choose the modules accordingly. Drupal is the most secure CMS out there, but that doesn’t mean that you shouldn’t take a few extra steps to make that security last.
Author bio:
John Stone is a web entrepreneur and an SEO Consultant. Through years of experience, he became a devout believer in the notion that form should always follow function and that developing the ability to think outside of the box is a prerequisite of being a successful entrepreneur. You can find him on Twitter.