Complete Guide on Drupal Security
Drupal is an open source CMS and/or framework that is used by at least 2.2% of all the websites on the internet, making it the 3rd most widely used CMS in the world. As with any major platform, popularity brings additional security concerns: a widely deployed platform is a more attractive target, and new vulnerabilities in it are found and exploited continually. Follow our complete guide below on what you can do to harden your Drupal security and help prevent yourself from getting hacked or becoming a victim of the next brute-force attack.
Drupal vulnerabilities
How at risk are you when it comes to Drupal? Well, according to CVE Details, an online security vulnerability data source, there have been 290 vulnerabilities reported to date (since 2002).
If you read our previous post on WordPress security, you'll notice that Drupal's rate of reported vulnerabilities relative to its market share is lower. So, judging purely from that data, Drupal appears to be the more secure CMS, with the usual caveat that CVE counts measure how many flaws were found and reported, which depends on how much scrutiny a platform receives, not only on how many flaws exist.
What types of vulnerabilities are they? According to CVE Details, 46% of Drupal vulnerabilities are cross-site scripting (XSS). You can see the full breakdown below.
You can stay up to date with security incidents and vulnerabilities on Drupal's official security advisories page. You can see security issues as they pertain to Drupal core, contributed projects, and also public service announcements. You can also subscribe via RSS or follow @drupalsecurity on Twitter.
Here is a great infographic describing the exact process by which a Drupal security release is made available on Drupal.org.
Drupal security
Drupal is seeing steady growth as a CMS, which means you are always at risk of being attacked or hacked. You can never prevent these things 100% of the time; the best thing you can do is implement the best security practices to protect yourself. Follow the recommendations below to harden your Drupal security.
1. Keep Drupal and modules up to date
You should always keep your version of Drupal up to date as well as all of your modules. Developers patch these for a reason, and if you fall too far behind you open yourself up to a lot of vulnerabilities, as attackers generally target known flaws in older versions. The attack in October 2014 is the cautionary example: a SQL injection flaw in Drupal 7 core (advisory SA-CORE-2014-005, widely known as "Drupalgeddon") was exploited by automated scripts within hours of the advisory being published, and millions of Drupal websites were affected. You can always download the latest version of Drupal from drupal.org. In these examples we are using Drupal 8, which was released on November 19th, 2015.
- To check for updates, navigate to Reports > Available Updates.
- You can then click on "Check manually" to scan for additional updates.
- If you use Drush, drush pm-updatestatus (alias drush ups) gives the same report from the command line, which makes it easy to run on a schedule.
It is also recommended to only use trusted Drupal modules and themes. Get your modules and themes from the Drupal.org repository, preferring projects that are covered by the security team's advisory policy, or from well-known companies. This will cause fewer problems for you in the future.
If you are installing Drupal for the first time you might see a warning about problems with your Drupal installation, referring to your "Trusted Host Settings" not being enabled.
As of January 2015, Drupal 8 supports trusted host patterns, where you can (and should) specify a set of regular expressions that the hostnames on incoming requests must match. Without them Drupal trusts whatever Host header the client sends, and an attacker can use that to make the site generate absolute URLs (for example the links in password-reset emails) that point at a domain they control. Anchor every pattern with ^ and $ so it matches whole hostnames only; a request whose Host matches none of the patterns is answered with a 400 error. Example configuration in settings.php would read:
$settings['trusted_host_patterns'] = array(
  '^www\.example\.com$',
);
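Why the anchors matter, as an added example that is not part of the original post or of Drupal's own code: Drupal 8 hands trusted_host_patterns to Symfony's Request::setTrustedHosts(), which lowercases the Host header, strips any port, and accepts the request if any pattern matches in a case-insensitive, unanchored regular-expression search. The Python below mirrors that check over a constructed set of Host headers and shows what a pattern without ^ and $ lets through.

```python
import re

# Added example mirroring the Host check Drupal 8 performs through Symfony:
# lowercase, strip an explicit port, then an unanchored case-insensitive regex
# search against each trusted pattern. A host matching no pattern gets HTTP 400.
def host_is_trusted(raw_host, patterns):
    """Return True if the Host header value matches one of the trusted patterns."""
    host = raw_host.strip().lower()
    host = re.sub(r":\d+$", "", host)       # drop the port, as Symfony does
    return any(re.search(p, host, re.IGNORECASE) for p in patterns)

# Anchored patterns, as recommended above: only the exact hostnames pass.
ANCHORED = [r"^www\.example\.com$", r"^example\.com$"]

# The same patterns without ^ and $: a common mistake that re-opens the hole,
# because re.search (like preg_match) is happy with a substring match.
UNANCHORED = [r"www\.example\.com", r"example\.com"]

def check_hosts(patterns):
    """Evaluate constructed Host headers against a pattern list.

    The first three are legitimate requests; the last three are what an
    attacker sends to get Drupal to build absolute URLs with their domain.
    """
    samples = [
        "www.example.com",
        "WWW.EXAMPLE.COM:443",
        "example.com",
        "www.example.com.attacker.net",
        "evil-example.com",
        "attacker.net",
    ]
    return {h: host_is_trusted(h, patterns) for h in samples}

if __name__ == "__main__":
    for name, pats in (("anchored", ANCHORED), ("unanchored", UNANCHORED)):
        print(f"--- {name} ---")
        for host, ok in check_hosts(pats).items():
            print(f"{'200' if ok else '400'}  {host}")
```

With the anchored list only the three legitimate hosts pass; with the unanchored list both www.example.com.attacker.net and evil-example.com are accepted, which is exactly the Host header an attacker would send.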
Always back up your website! If you maintain regular backups this allows you to easily roll back and restore your CMS if you are attacked. We also recommend running backups before you update your Drupal core and modules. Keep at least one copy off the server, protect it as carefully as the site itself (settings.php holds your database credentials), and test a restore now and then; a backup you have never restored is an assumption, not a backup. Some managed Drupal hosts, such as Pantheon, offer one-click backups and restore as well as dev environments. This is great for testing things before pushing to production. Or you could also test your updates locally using software like XAMPP or MAMP.
There is also a very popular free backup and migrate module available for Drupal that we recommend. This module features:
- Backup/Restore multiple MySQL databases and code
- Backup of files directory is built into this version
- Add a note to backup files
- Smart delete options make it easier to manage backup files
- Backup to FTP/S3/Email or NodeSquirrel.com
- Drush integration
- Multiple backup schedules
- AES encryption for backups
This module is currently being ported to Drupal 8. Until then we recommend simply exporting your MySQL database and backing up files manually.
2. Use smart usernames and passwords
Be smart with your usernames and password in Drupal. Don't use "admin" as your username and choose a complex, unique password. This is probably one of the best ways to harden your Drupal security, and ironically it is one of the easiest. However many people use something they can easily remember such as "1234567" and end up regretting it later when they are hit by a brute-force attack. Remember there are bots constantly crawling the internet, and as your site grows they will always be trying to guess your login. Drupal core's own flood control slows this down (by default it blocks an account after 5 failed logins within 6 hours and an IP address after 50 within an hour), but it cannot save a password that falls in the first few guesses. See this guide on how to choose a strong password.
Approximately 76 percent of attacks on corporate networks involved weak passwords.
- Appliedi
Unlike WordPress, where you have to change your username directly in the database, Drupal lets you update your administrator's username from the dashboard. Note that this only removes the obvious "admin" guess: the first account is still user 1 and its profile sits at /user/1 for anyone allowed to view profiles, so it does not replace a strong password. Follow these quick steps.
- Click into "People" and then "Edit" next to your administrator account.
- Then simply change the value in the "Username" field and click "Save."
We also recommend using a free program like KeePass or KeePassX which allow you to generate secure passwords and store them in a database locally on your computer.
3. Use Drupal security modules
There are a lot of good Drupal security modules which will lock down your site and help protect you from brute-force attacks. These modules allow you to block malicious networks, rate limit or block security threats, enforce strong passwords, scan for vulnerabilities, see which files have changed, implement a firewall to block common security threats, monitor DNS changes, and much more. Here are some popular Drupal security modules:
- Login Security: Limit the number of login attempts per account and per IP address, beyond the flood limits built into core, and deny access by IP address.
- ACL: Access control lists for access to nodes.
- Password policy: Define stricter password policies for users (length, character classes, history, expiry).
- Captcha: Block form submissions from spambots/scripts.
- Automated Logout: Allows administrator ability to log out users after specified time period.
- Session Limit: Limit the number of simultaneous sessions per user.
- Content Access: Permissions for content types by role and author.
- Coder: Checks your Drupal code against coding standard and best practices.
- SpamSpan filter: Obfuscates email address to help prevent spambots from collecting them.
- Hacked!: Check whether files in Drupal core, contributed modules or themes differ from the released versions, a quick way to spot tampering after a suspected compromise.
There are two additional security modules which deserve a little more attention. The first is the Security Review module. We highly recommend taking advantage of this module as it automates testing for many of the easy-to-make mistakes that render your site insecure. Simply install and hit run and it will check your site.
You can also scan your site with Sucuri's Website Malware and Security Scanner and Unmask Parasites. If the test doesn't show any threats, it does not guarantee your website is completely secure, it just shows that the site poses no immediate threat to visitors.
The second security module we recommend enabling is the Two-factor Authentication (TFA) module to further prevent someone from getting access to your site. This module is currently being ported to Drupal 8. KeyCDN also now has two-factor authentication so you can secure Drupal on your web host as well as on your CDN provider.
4. Block bad bots
There are always bad bots, scrapers, and crawlers hitting your Drupal sites and stealing your bandwidth. Many of the security modules mentioned above can work well for blocking bad bots, but sometimes you might need to do this at the server level. Keep in mind that the User-Agent header is supplied by the client and trivially spoofed, so these rules stop lazy scrapers, not a determined attacker. If you wanted to block multiple User-Agent strings at once, you could add the following to your .htaccess file (the pattern must be quoted, otherwise the space in "Catall Spider" is read as the end of the argument and Apache refuses the rule):
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "(agent1|Wget|Catall Spider)" [NC]
RewriteRule .* - [F,L]
Or you can also use the BrowserMatchNoCase directive like this (the Order/Allow/Deny form is Apache 2.2 syntax; on Apache 2.4 it only works with mod_access_compat loaded, so use the Require form instead):
BrowserMatchNoCase "agent1" bots
BrowserMatchNoCase "Wget" bots
BrowserMatchNoCase "Catall Spider" bots
# Apache 2.2 (or 2.4 with mod_access_compat):
Order Allow,Deny
Allow from ALL
Deny from env=bots
# Apache 2.4, use this instead of the three lines above:
<RequireAll>
    Require all granted
    Require not env bots
</RequireAll>
And here is the equivalent on Nginx. The regex needs quotes for the same reason as above, and ~* makes the match case-insensitive like the [NC] flag does in Apache:
if ($http_user_agent ~* "(agent1|Wget|Catall Spider)") {
    return 403;
}
KeyCDN also now has a feature that you can enable to block bad bots on the CDN side to save money on bandwidth.
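Both the brute-force logins that Login Security (section 3) rate-limits and the User-Agent strings the rules above deny leave traces in the web server's access log, and it is worth being able to pull them out after the fact. The following is an added Python example, not code from the original post or from any Drupal module, that runs both checks over a handful of constructed Apache combined-format log lines: it flags any IP that POSTs to /user/login more than five times inside a one-minute window, and lists the requests whose User-Agent matches the blocklist used above. The log lines, addresses and thresholds are made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache "combined" log lines (not real traffic). Drupal 8's login
# form posts to /user/login; a failed attempt re-renders the form with a 200 and
# a success redirects, so the status code alone does not separate them and we
# count POSTs per IP instead. The last three lines exercise the UA blocklist.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2016:10:00:01 +0000] "POST /user/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2016:10:00:02 +0000] "POST /user/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2016:10:00:03 +0000] "POST /user/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2016:10:00:04 +0000] "POST /user/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2016:10:00:05 +0000] "POST /user/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2016:10:00:06 +0000] "POST /user/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.4 - - [10/Mar/2016:10:00:07 +0000] "POST /user/login HTTP/1.1" 303 0 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.4 - - [10/Mar/2016:10:05:00 +0000] "GET /admin/reports/updates HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.9 - - [10/Mar/2016:10:01:00 +0000] "GET /node/1 HTTP/1.1" 200 7000 "-" "Wget/1.17.1 (linux-gnu)"
192.0.2.10 - - [10/Mar/2016:10:01:01 +0000] "GET /node/2 HTTP/1.1" 200 7000 "-" "Mozilla/5.0 (compatible; catall spider)"
192.0.2.11 - - [10/Mar/2016:10:01:02 +0000] "GET /node/3 HTTP/1.1" 200 7000 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Same blocklist as the .htaccess / Nginx rules above, case-insensitive like [NC].
BAD_UA = re.compile(r"agent1|Wget|Catall Spider", re.IGNORECASE)

def parse(log_text):
    """Yield one dict per well-formed combined-log line; silently skip the rest."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def login_bruteforce(records, limit=5, window=timedelta(minutes=1)):
    """Return IPs that POSTed to /user/login more than `limit` times within `window`.

    Sliding window per IP; `records` must be sorted by timestamp. This is the
    kind of rule Login Security enforces live; over logs it shows what it
    would have blocked.
    """
    attempts = defaultdict(list)
    flagged = set()
    for r in records:
        if r["method"] != "POST" or r["path"] != "/user/login":
            continue
        recent = [t for t in attempts[r["ip"]] if r["ts"] - t <= window]
        recent.append(r["ts"])
        attempts[r["ip"]] = recent
        if len(recent) > limit:
            flagged.add(r["ip"])
    return sorted(flagged)

def bad_bot_hits(records):
    """Return sorted (ip, user_agent) pairs the User-Agent blocklist would deny."""
    return sorted({(r["ip"], r["ua"]) for r in records if BAD_UA.search(r["ua"])})

def analyse(log_text):
    recs = sorted(parse(log_text), key=lambda r: r["ts"])
    return {"bruteforce": login_bruteforce(recs), "bad_bots": bad_bot_hits(recs)}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Point it at a real access log by reading the file into analyse(); the only IP flagged in the sample is 203.0.113.7, and the Googlebot line is correctly left alone while the lowercase "catall spider" is caught because the match ignores case.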
5. Always use secure connections
No matter where you are, you should always try to ensure the connections you are using are secure. Use SFTP (file transfer over SSH) or SSH itself rather than plain FTP, which sends your password and every file in the clear. If you are using an FTP client, SFTP connects on the SSH port, which is 22 by default.
Some FTP clients store passwords encoded or even in plain text on your computer, and "encoded" is not encrypted: those passwords can be converted back to the original. We recommend not saving FTP passwords in the client, or setting up what some call a master password so that the stored credentials are actually encrypted.
It is also important to make sure your firewall rules are setup properly on your home router. And remember whenever you work from a public place like an internet cafe or Starbucks these are not trusted networks.
Your web host where your website resides should also be running secured hosting. This means they should be running up to date and supported versions of PHP, MySQL, account isolation, web application firewalls, etc. Be careful with cheap shared hosts as you can run into issues if they are overcrowding servers and sharing IPs.
6. Check file permissions
To protect your website you want to make sure you use the correct file permissions. Each directory and file has permissions that control who can read, write and execute it. If your permissions are too loose (world-writable code, or code owned by the web server user) a bug in any script lets an intruder modify your site's code; if they are too restrictive the site breaks, because Drupal needs to write to the sites/*/files directory for uploads and image styles. The usual arrangement is that the code is owned by your own deploy account and only readable by the web server's group, while the files directory is group-writable by the web server.
Drupal has good documentation on securing file permissions and ownership.
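As an added example, not Drupal's own fix-permissions script, the Python below applies the mode scheme from that documentation (code directories 750 and files 640, sites/*/settings.php 440, and the sites/*/files upload directory 770 for directories and 660 for files so the web server can write uploads but not code) to a constructed Drupal-like tree, and audits it before and after. It assumes the tree's group owner is already the web server's group; setting that ownership needs chown as root and is not shown.

```python
import os
import shutil
import stat
import tempfile

# Added example, not Drupal's own fix-permissions script. Mode scheme from
# Drupal's "Securing file permissions and ownership" page; ownership (deploy
# user, web-server group) is assumed to be set already and is not handled here.
CODE_DIR, CODE_FILE, SETTINGS, FILES_DIR, FILES_FILE = 0o750, 0o640, 0o440, 0o770, 0o660

def expected_mode(root, path):
    """Mode a path should carry under the scheme above, by its position in the tree."""
    parts = os.path.relpath(path, root).split(os.sep)
    in_files = len(parts) >= 3 and parts[0] == "sites" and parts[2] == "files"
    if os.path.isdir(path):
        return FILES_DIR if in_files else CODE_DIR
    if len(parts) == 3 and parts[0] == "sites" and parts[2] == "settings.php":
        return SETTINGS
    return FILES_FILE if in_files else CODE_FILE

def walk(root):
    """Every directory and file under root, root itself first."""
    for dirpath, _dirnames, filenames in os.walk(root):
        yield dirpath
        for name in filenames:
            yield os.path.join(dirpath, name)

def harden(root):
    """Set every path under root to its expected mode."""
    for path in walk(root):
        os.chmod(path, expected_mode(root, path))

def audit(root):
    """Return {relative path: (actual, expected)} for every path whose mode deviates."""
    bad = {}
    for path in walk(root):
        actual = stat.S_IMODE(os.lstat(path).st_mode)
        want = expected_mode(root, path)
        if actual != want:
            bad[os.path.relpath(path, root)] = (oct(actual), oct(want))
    return bad

def demo():
    """Build a constructed Drupal-like tree left world-writable (777), audit it,
    harden it, audit again, and return both audit results."""
    root = tempfile.mkdtemp(prefix="drupal-perms-")
    try:
        for d in ("core/lib", "modules/contrib", "sites/default/files/styles"):
            os.makedirs(os.path.join(root, d))
        for f in ("index.php", "core/lib/Drupal.php", "sites/default/settings.php",
                  "sites/default/files/logo.png"):
            open(os.path.join(root, f), "w").close()
        for path in walk(root):
            os.chmod(path, 0o777)            # the "too loose" starting point
        before = audit(root)
        harden(root)
        after = audit(root)
    finally:
        shutil.rmtree(root)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print(f"{len(before)} paths with wrong modes before hardening, {len(after)} after")
```

Run audit() against a real Drupal root before harden() to see what would change; on a multi-site install the sites/<name>/files and settings.php rules apply to every site directory, which is why the check looks at the path's position rather than at fixed names.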
7. Block access to important files
You can restrict access to the scripts in the Drupal web root that are only needed for maintenance: authorize.php, install.php and update.php in Drupal 8 (Drupal 7 also has cron.php; Drupal 8 runs cron through the /cron/{key} URL instead). Do this via .htaccess so that no one except you can reach them. Keep the rest of the .htaccess shipped with Drupal core intact, as it already denies direct requests to files such as .yml, .twig and composer.json; on Nginx, .htaccess is ignored and you need the same rules in the server block. Note that 127.0.0.1 only matches requests made from the server itself, so put your own public IP address there. For update.php, also leave $settings['update_free_access'] set to FALSE in settings.php, which is the default. See example below.
<FilesMatch "^(authorize|install|update)\.php$">
    # Apache 2.2 (or 2.4 with mod_access_compat):
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    # Apache 2.4, use this single line instead of the three above:
    # Require ip 127.0.0.1
</FilesMatch>
8. Database security
Not only do you need to check permissions on your files and block access to important files, but there are also things you can do to harden the security of your Drupal database. The first is to give Drupal a dedicated database user with a strong password that can only connect from localhost (or the web server's address) and only has rights on the Drupal database, rather than a shared or root account: if the application is compromised, the attacker's reach stops at that one database. The second is to use a different table prefix. If you change this to something like x3sdf_ it makes table names harder to guess, but be clear about what that buys you: it is obscurity only and does not prevent SQL injection, since an injected query can still read the table names from information_schema.
You can change your table prefix on the setup screen when you are installing Drupal. On the set up database step, simply click on "Advanced Options" to see host, port number and table name prefix.
If you already have Drupal installed you can rename the tables via phpMyAdmin, but the prefix must then also be set in settings.php ($databases['default']['default']['prefix']) or the site will break. A further recommendation would be to change your database name to make it harder to guess. Especially if you named your database
9. SSL certificate
It always comes back around to moving to a secure web. For ecommerce sites the reason you need an SSL (TLS) certificate is obvious: they process sensitive data. For other sites the biggest reason is your Drupal login page. If it isn't served over HTTPS your username and password travel in clear text and can be read by anyone on the path, for example on the public Wi-Fi mentioned above. Many people will argue that blogs and informational sites don't need to run on HTTPS, but how important are your login credentials? Also, many sites have multiple authors logging in from all sorts of different networks, so running over a secured connection can only help harden your Drupal security. Once HTTPS is in place, add the Strict-Transport-Security header covered below so browsers never fall back to plain HTTP.
With the SEO advantages of HTTPS and performance benefits of HTTP/2 there is no reason not to be using an SSL certificate. And KeyCDN now also offers free SSL certificates with our Let's Encrypt integration.
10. Harden HTTP security headers
HTTP security headers provide yet another layer of security for your Drupal site by helping to mitigate attacks and security vulnerabilities. They usually only require a small configuration change on your web server. These headers tell your browser how to behave when handling your site's content. Below are six common HTTP security headers we recommend implementing and or updating.
- Content-Security Policy
- X-XSS-Protection
- Strict-Transport-Security
- X-Frame-Options
- Public-Key-Pins
- X-Content-Type
Make sure to check out our in-depth post on HTTP security headers.
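The following is an added Python example, not from the original post, that audits a set of response headers against those six names using values that are current good practice (Public-Key-Pins is treated as a finding rather than a recommendation, for the reason given above). The recommended set and the weak response it checks are both constructed for illustration; the Content-Security-Policy in particular must be adapted to the scripts and frames your own site actually loads before it goes live.

```python
import re

# Added example, not from the original post. Audits one HTTP response's
# headers against the six headers listed above. RECOMMENDED is a constructed
# baseline; tune the Content-Security-Policy to your site's real sources.
RECOMMENDED = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "0",
    # Public-Key-Pins deliberately absent: HPKP is deprecated and a bad pin
    # locks browsers out of the site until the pin expires.
}

# A constructed "weak" response with the mistakes the audit is meant to catch.
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "Public-Key-Pins": 'pin-sha256="AAAA"; max-age=5184000',
    "X-XSS-Protection": "1",
}

MIN_HSTS_AGE = 15552000     # six months in seconds; shorter buys very little

def audit_headers(headers):
    """Return a list of findings for a dict of response headers (names case-insensitive)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("Strict-Transport-Security max-age shorter than six months")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")

    if "public-key-pins" in h:
        findings.append("Public-Key-Pins present: HPKP is deprecated, remove it")

    xss = h.get("x-xss-protection")
    if xss is not None and xss not in ("0", "1; mode=block"):
        # a bare "1" lets the old filter rewrite the page instead of blocking it,
        # which was itself abused; block mode or off are the only sane values
        findings.append("X-XSS-Protection should be 0 or '1; mode=block'")

    return findings

if __name__ == "__main__":
    for name, hdrs in (("recommended", RECOMMENDED), ("weak", WEAK)):
        print(name, audit_headers(hdrs) or ["ok"])
```

Feed it the headers from a real response (for example the dict from a requests or urllib call) to get a quick to-do list. On Apache the headers are set with Header set in the virtual host or .htaccess, on Nginx with add_header.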
Summary
As you can see there are many ways you can harden your Drupal security: keeping Drupal core and modules up to date, being smart with usernames and passwords, using security modules, secure connections, database security, two-factor authentication, file permissions, an SSL certificate, security headers and more. Many of these recommendations can be implemented within a matter of minutes, and you can rest easier knowing your Drupal site is a little more secure from intruders and hackers.
Have any other good Drupal security tips that you think we missed? If so, let us know below in the comments!