Drupal is an open-source CMS that powers a large share of the web, and like any widely deployed platform it is a constant target for automated attacks such as credential brute-forcing. Here are the steps we use to harden a Drupal site and reduce the chance of getting hacked or becoming the next brute-force victim:
1. Keep Drupal and Modules Up to Date: always keep Drupal core and every contributed module and theme at the latest release; most Drupal compromises exploit a vulnerability that had already been fixed in a newer version. Here we are using Drupal 8.
- To see what needs updating, navigate to Reports -> Available updates. Contributed modules and themes can be updated from that page through the Update Manager.
- For manual updates: Drupal 8 core is not updated through that page. On a Composer-managed site, update with Composer and then run the pending database updates (update.php or drush updatedb); on a site that is not managed by Composer, replace the core files with the new release and run update.php.
It is also recommended to only use trusted Drupal modules and themes (actively maintained projects that carry security coverage on drupal.org) and to always back up your website. Regular backups let you roll back quickly if you are attacked and restore the CMS to a known-good state. Take a fresh backup of both the files and the database immediately before updating Drupal core and modules, since a failed update is the other common reason to need one.
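As an added example (not code from the original page or from the Drupal project), here is a POSIX shell script that performs the backup-then-update sequence described above for a Composer-managed Drupal 8 site. The project path, docroot, backup directory and the presence of Drush are assumptions; the Composer and Drush commands themselves are the standard ones for Drupal 8.

```shell
#!/bin/sh
# Back up a Drupal 8 site, then update core and contrib with Composer and
# Drush. Added example; every path used here is an assumption for illustration.
set -eu

# backup_site DOCROOT BACKUP_DIR
# Archives the whole docroot (settings.php and sites/default/files included)
# and, if drush is installed, dumps the database next to it.
# Prints the path of the file archive.
backup_site() {
    docroot="$1"
    dest="$2"
    stamp="$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest"
    archive="$dest/files-$stamp.tar.gz"
    # -C so the archive holds "web/..." style paths rather than absolute ones
    tar -czf "$archive" -C "$(dirname "$docroot")" "$(basename "$docroot")"
    if command -v drush >/dev/null 2>&1; then
        drush --root="$docroot" sql:dump --gzip \
            --result-file="$dest/db-$stamp.sql"
    fi
    echo "$archive"
}

# backup_has ARCHIVE RELATIVE_PATH
# Succeeds if the archive contains RELATIVE_PATH (for example the site's
# settings.php). A backup that cannot be restored is not a backup, so check.
backup_has() {
    tar -tzf "$1" | grep -qx "$2"
}

# update_site PROJECT_ROOT DOCROOT
# Composer-managed Drupal 8: update core and every contributed project,
# apply pending database updates, then rebuild caches.
update_site() {
    project="$1"
    docroot="$2"
    (cd "$project" && composer update "drupal/*" --with-dependencies)
    drush --root="$docroot" updatedb -y
    drush --root="$docroot" cache:rebuild
}

# Typical use (paths are examples):
#   archive=$(backup_site /var/www/example/web /var/backups/example)
#   backup_has "$archive" web/sites/default/settings.php || exit 1
#   update_site /var/www/example /var/www/example/web
```

Run the backup, verify it, and only then update; if `update_site` fails half way, the archive and the SQL dump are what you restore from.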
2. Use Smart Usernames and Passwords: be smart with the usernames and passwords on your Drupal site. Don't use 'admin' (or the site name) as the administrator's username, and choose a long, unique password; brute-force tools try 'admin' with a wordlist first, so this alone defeats most of them. This is one of the cheapest and most effective ways to harden Drupal.
3. Use Drupal Security Modules: Drupal 8 core already includes flood control that temporarily locks an account after 5 failed logins within 6 hours and an IP address after 50 failed logins within an hour (configurable in user.flood). A number of contributed modules build on that baseline to lock your site down further: they let you block malicious networks, rate-limit or block repeated login failures, enforce strong passwords, limit sessions, and detect files that have been modified. Here are some popular Drupal security modules:
- Login Security: Limit the number of login attempts and deny access by IP address.
- ACL: Access control lists for access to nodes.
- Password policy: Define stricter password policies (minimum length, character classes, expiry) for users.
- Captcha: Block form submissions from spambots and scripts.
- Automated Logout: Lets administrators log users out automatically after a specified period of inactivity.
- Session Limit: Limit the number of simultaneous sessions per user.
- Content Access: Permissions for content types by role and author.
- Coder: Checks custom module code against Drupal coding standards and best practices, including common security mistakes (a development tool, not a runtime protection).
- SpamSpan filter: Obfuscates email addresses to help prevent spam-bots from harvesting them.
- Hacked!: Compares Drupal core, modules and themes against pristine copies of the same release to detect modified files, a common sign of a compromise.
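Core's flood control only throttles logins inside Drupal; to block a brute-forcing host at the web server or firewall you first have to find it in the logs. As an added example (not code from the page or from any of the modules above), the following POSIX shell functions count failed logins per source IP in output from Drupal's syslog module and turn the offenders into an Apache 2.4 deny block. The sample lines are constructed here and assume the syslog module's default pipe-delimited format (base_url|timestamp|type|ip|request_uri|referer|uid|link|message); the format is configurable, so check syslog.settings on your own site before relying on the field positions.

```shell
#!/bin/sh
# Find brute-force sources in Drupal syslog output. Added example; the log
# lines below are constructed and assume the syslog module's default format:
#   <rsyslog prefix> base_url|timestamp|type|ip|request_uri|referer|uid|link|message
SAMPLE_LOG='Nov 14 22:13:20 web1 drupal: https://example.com|1700000000|user|203.0.113.5|/user/login|https://example.com/user/login|0||Login attempt failed for admin.
Nov 14 22:13:21 web1 drupal: https://example.com|1700000001|user|203.0.113.5|/user/login|https://example.com/user/login|0||Login attempt failed for admin.
Nov 14 22:13:22 web1 drupal: https://example.com|1700000002|user|203.0.113.5|/user/login|https://example.com/user/login|0||Login attempt failed for root.
Nov 14 22:13:23 web1 drupal: https://example.com|1700000003|user|203.0.113.5|/user/login|https://example.com/user/login|0||Login attempt failed for webmaster.
Nov 14 22:13:24 web1 drupal: https://example.com|1700000004|user|203.0.113.5|/user/login|https://example.com/user/login|0||Login attempt failed for admin.
Nov 14 22:14:02 web1 drupal: https://example.com|1700000042|user|198.51.100.7|/user/login|https://example.com/user/login|0||Login attempt failed for alice.
Nov 14 22:14:30 web1 drupal: https://example.com|1700000070|user|198.51.100.7|/user/login|https://example.com/user/login|12||Session opened for alice.
Nov 14 22:15:00 web1 drupal: https://example.com|1700000100|page not found|203.0.113.5|/wp-login.php|||||'

# failed_logins_by_ip THRESHOLD < logfile
# Prints "count ip" for each IP with at least THRESHOLD failed logins,
# busiest first. Only "user"-type entries whose message starts with
# "Login attempt failed" count, so successful logins and other noise
# (404s, cron, etc.) are ignored.
failed_logins_by_ip() {
    threshold="${1:-5}"
    awk -F'|' -v t="$threshold" '
        # Field 1 holds the syslog prefix plus base_url; fields 3, 4 and 9
        # are the Drupal log type, the client IP and the message.
        $3 == "user" && $9 ~ /^Login attempt failed/ { n[$4]++ }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -rn
}

# deny_rules THRESHOLD < logfile
# Emits an Apache 2.4 block that denies the offenders while leaving everyone
# else allowed; paste it into .htaccess or the vhost.
deny_rules() {
    failed_logins_by_ip "$1" | awk '
        BEGIN { print "<RequireAll>"; print "    Require all granted" }
        { print "    Require not ip " $2 }
        END { print "</RequireAll>" }'
}

# Example against the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip 3
#   printf '%s\n' "$SAMPLE_LOG" | deny_rules 3
```

Against the sample, a threshold of 3 reports only 203.0.113.5 (five failures across three usernames, the signature of a wordlist attack), while 198.51.100.7, which mistyped once and then logged in, is left alone. In production, feed it the real log with a time window (for example the last hour's lines) rather than the whole file, or the count will grow forever.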
4. Block Access to Sensitive Scripts: the maintenance scripts that ship with Drupal, install.php, authorize.php, update.php (Drupal 8's database update script) and cron.php, should never be reachable by anyone but you, so we restrict who can request them.
We can do that from the .htaccess file in the Drupal docroot. Apache reads it on every request, and the copy Drupal ships already denies access to a number of sensitive file types; the rule below adds the maintenance scripts to that protection.
Just specify the IP addresses allowed to reach those scripts on your site:
<FilesMatch "(authorize|cron|install|update)\.php">
  Order deny,allow
  Deny from all
  Allow from 127.0.0.1
</FilesMatch>
Order deny,allow together with Deny from all is the right combination: the Deny rules are evaluated first and the later Allow line wins for the listed addresses. (With Order allow,deny the Deny would win and lock everyone out, including you.) On Apache 2.4 these three inner lines only work with mod_access_compat loaded; the native equivalent is a single Require ip 127.0.0.1 line inside the same FilesMatch block. Two caveats: .htaccess is only honoured when the server's AllowOverride setting permits it, and it is ignored entirely by nginx. And if your cron is triggered from another host, allow that host's address instead of 127.0.0.1; cron.php in Drupal 8 additionally requires the site's cron key, but the IP restriction keeps strangers from hammering it.
5. Database Security: we don't only want to secure the files and folders, we also need to harden the Drupal database. Using a table prefix (set under $databases['default']['default']['prefix'] in sites/default/settings.php) is a minor obscurity measure and no substitute for the real work: give the site its own database user whose privileges are limited to that one database (never the MySQL root account), use a strong password for it, and keep settings.php read-only so the credentials cannot be rewritten by a compromised web process (Drupal's status report warns when the file is writable).
6. SSL certificate: any site with a login needs HTTPS, not just eCommerce sites processing payment data. Without it, your username, password and session cookie are sent in clear text and can be captured on any network between the browser and the server. Install a certificate, serve the whole site over HTTPS and redirect all HTTP requests to it; that closes one of the easiest ways to steal an administrator login.
These are the ways we can secure Drupal.