Nowadays, many people complain that their sites got hacked or someone changed their data.
So, in order to avoid these incidents from happening, we must secure our website. Below are some steps using which you can secure your website.
Fail2Ban: Prevent from Brute Force Attacks
It is a feature provided by the Plesk in order to prevent Brute Force attacks. It checks the logs for the number of failed login attempts from a single IP. And if the number reaches some predefined parameters, then it will either send an email notification or block the attacker IP for a certain period of time
To configure it, login to Plesk GUI and Go to Tools & Settings >IP Address Banning.
Firewall: Control Network Connections
It protects the server from incoming network connections. It is useful to either allow or deny connections to some ports which may be used by some services. As port 80 is used by HTTP service and it should be allowed through a firewall in order to open your website. However, port 3306 is used by the Mysql service, and it should be blocked from the firewall.
We can manage the firewall in the Plesk interface at Tools & Settings > Firewall.
ModSecurity: Prevent Web Applications from Attacks
It is a WAF i.e., Web Application Firewall. It is a module provided in order to protect the website from hackers and malicious content.
It checks all the incoming requests, and it also checks the modifications that are made in files against a set of predefined rules, and if the check succeeds, then it will let you modify or view the content; otherwise, it will block the IP.
Keep Drupal and Modules Up to Date: Always keep your Drupal websites up to date, as with every update, they fix the bugs and provide more features.
To update your Drupal website Go to Reports and click on Available Updates.
To Update Drupal Manually
Always use trusted modules, themes, and plug-ins. And taking backup is a must. As if your site got hacked, then it would be easy to roll back and restore using the last available backup.
Use Smart Usernames and Passwords :
Always use a complex username and password, which is hard to predict. Don't use default username "admin" as it is very predictable. This is one of the best ways to secure your drupal.
Use Drupal Security Modules: Drupal provides lots of security modules, which can protect your website from brute-force attacks. These modules enable you to block malicious networks, enforce the use of strong passwords, and scan for malicious data. Some of the modules are listed below.
Login Security: Limit the number of failed login attempts from a single IP and blocks it if it crosses a certain limit.
ACL: Provides authorization to access the nodes or services.
Password policy: It is used to impose strict password policy rules.
Captcha: It is used to check if the end-user is a person or bot.
Automated Logout: It logs out the end-user automatically after a specific amount of time.
Session Limit: Provides limit over the connection. It can be made per user at a time.
Content Access: Provides authorization to access the content by role and author.
Coder: Checks the vulnerability of codes.
SpamSpan filter: It protects from spamming.
Hacked!: Used to check if there are some changes to core.
Block Access to all Sensitive Files :
We should always block our sensitive files like upgrade.php, install.php, etc. to be accessed from external networks. So we will deny the same using .htaccess file and add below line in that file.
Mention the IP addresses which you want to allow to access the folders on your site:
Order deny, allowdeny from allAllow from 127.0.0.1
Database Security: Database security is the most important task if you want to keep your website secure as if the database got hacked, then the hacker can alter any data any password very easily. To secure the same always provide complex passwords that contain alphanumeric with special characters. Also, provide a custom role to users on the database.
Further, disable remote login to the database as well.
SSL certificate: SSL encrypts data over the network, which means the transaction of confidential data like username and password will travel encrypted over the network. If you don't use SSL, then the data will travel as a plain format over the network.