Drupal Security Guide: How to Secure & Protect Your Website

Introduction

Play Video about How to clean a hacked Drupal site - Nate

A content management system (CMS) like Drupal makes it easy to get yourself online. As a result, website security can sometimes come as an afterthought. After all, you just put so much time and energy into launching with Drupal, why worry about how to secure it?

For starters, congratulations! You’re a website owner now. But if you don’t think about website security, nobody will. Use this guide for Drupal website security to set yourself up for success, and then let it be a handy reference to make sure you stay protected.

Why is Drupal security important?

At the time this guide was published, Drupal powered more than 2% of all websites, with more than 2 million active Drupal sites worldwide. By focusing on Drupal, bad actors can develop more successful schemes that incorporate the unique characteristics of this popular CMS.

But don’t let that scare you away from using this powerful CMS. Any platform you choose is eventually going to encounter malicious activity online. Protecting yourself is a matter of understanding the threat landscape, and then keeping Drupal security importance top of mind.

Drupal security vulnerabilities & threats

From a high level, you’ll find Drupal security issues are much like ones you’ll find for any other CMS, but there are a few more specific aspects. Drupal is awesome because it empowers you to do so much with your website. Don’t let that convenience let you become complacent with these important vulnerabilities and threats.

Please note, the directions and screenshots in this guide apply to the latest version (Drupal 8 at the time of its publication).

Out-of-date themes & modules

When developers push out updates for themes and modules, they often include security patches for known Drupal security vulnerabilities. Delaying these updates can invite attacks from bad actors. Keeping your themes and extensions up to date helps avoid Drupal website threats.

Before starting any update to your Drupal website, make sure you have reliable backups (more on that later). This is especially important if you’re installing a theme or module for the first time.

You can check for available updates from Drupal admin. Click Reports, and then click Available updates. From here, you can either run updates via Drupal admin (if you got them from Drupal) or FTP (if you got them manually).

Get started by enabling maintenance mode.

To enable maintenance mode for your Drupal website:

  • Log in to Drupal admin.
  • From Manage, go to Configuration, and then from Development, select Maintenance mode.
  • Tick Put site into maintenance mode.
  • In Message to display when in maintenance mode, enter a message for visitors during your updates.
  • Click Save configuration.
  • Verify your site is in maintenance mode with another browser or incognito tab.

Put the website in Maintenance mode – Drupal

Check the box Put site into Maintenance mode – Drupal

Now that your Drupal site is in maintenance mode, find and run any necessary updates.

To update Drupal themes & modules via admin: 

  • Log in to Drupal admin.
  • From Manage, go to Configuration, and then from Reports, go to Available updates, and then select Update.
  • Select the themes or modules you want to update, and then click Download these updates.
  • Click Continue.
  • Click Run database updates.
  • Click Continue.

Navigate to Reports – Drupal

Select Available updates – Drupal

Select Update – Drupal

Select the module or theme you would like to update – Drupal

Check the box and click Download these updates – Drupal

Click Continue – Drupal

Wait for the update to be installed – Drupal

Click on Run database updates – Drupal

A word about failed updates via admin

If there is a misconfiguration in your server, a module will display requesting FTP credentials to complete the update. Make sure you’re using a secure connection before entering your FTP username and password, and then clicking Continue.

After your updates complete, disable maintenance mode.

To update Drupal themes & modules via FTP:

  • Use an FTP client to upload the updates to your Drupal codebase.
  • In your web browser, enter your website URL followed by /update.php.
  • Select the themes or modules you want to update, and then click Download these updates.
  • Click Continue.
  • Click Run database updates.
  • Click Continue

After your updates complete, disable maintenance mode.

To disable maintenance mode for your Drupal website:

  • Log in to Drupal admin.
  • From Manage, go to Configuration, and then from Development, select Maintenance mode.
  • Untick Put site into maintenance mode.
  • In Message to display when in maintenance mode, delete the message for visitors during your updates.
  • Click Save configuration.
  • Verify your site is out of maintenance mode with another browser or incognito tab.

Uncheck the box Put site into maintenance mode – Drupal

Audit Drupal modules

Drupal modules make it easy to expand the functionality of your website, and you’ll likely try out several of these as you perfect your Drupal website. However, it’s important to be mindful that each module can present its own vulnerabilities which you should be aware of.

Periodically perform an audit of all the modules you downloaded to make sure they’re still necessary and the best available solution for your desired function. Find each module in the Drupal module repository, and then evaluate:

  • Maintainers — Ideally there should be several of these individuals who commit to maintaining a module with updates and bug fixes.
  • All issues — Does your module seem to have issues on a regular basis? If there’s a module with fewer issues, it might be a better choice.
  • Bug report — Check the frequency of reported bugs, as well as the time between reporting and resolution.
  • Documentation — If you need help with a module, quality documentation makes life a lot easier.
  • Development — Is your module actively developed? If not, look for another similar module that is.

Did you know?

The Sucuri Firewall can help virtually patch attacks against your website.

How to secure a Drupal website

Knowing how to secure a Drupal website brings invaluable peace of mind to the people who depend on them. Learning how to improve Drupal site security lets you focus on business at hand, rather than constantly fixing problems as they arise.

Let’s cover the key aspects of securing your Drupal website.

Limit access to your Drupal site

Each individual with access to your Drupal website presents a set of risks that endanger the site as a whole. Here it’s wise to apply the principle of least privilege, or limiting access only to individuals who need it, and only for the least amount of time necessary.

Manage Drupal user accounts

Check user accounts to maintain awareness of who can log in, what type of access they have, and if they still need that access. Assign these people roles, which can use default settings or customized to include:

  • Administer — Perform any action on the site, such as adding content, and updating roles and permissions.
  • Access — Read-only access without the ability to add or modify content.
  • Create — Add content without the ability to modify it.
  • Maintain — Add and modify content.

 

Log in to Drupal admin, and then click People. Evaluate whether you need to remove users, or update their roles and permissions.

Click on Account Settings under People – Drupal

Use strong Drupal passwords

Like any website, Drupal depends on strong passwords to ensure every account is resistant to brute force attacks. Passwords that are easy to remember or speak might be more convenient, but they’re exponentially more vulnerable to automated scripts designed to crack passwords.

Make sure every password used to access your Drupal site includes these characteristics:

  • At least 1 uppercase character
  • At least 1 lowercase character
  • At least 1 digit
  • At least 1 special character
  • At least 10 characters (no more than two identical characters in a row)

 

A word about password keepers

These characteristics make passwords harder to guess, and also harder to remember. To help you keep track of and manage your passwords, use a password keeper to store and automatically enter passwords. There are a number of reputable free apps available, including LastPass, KeePass, and Myki.

Limit number of Drupal login attempts

Limiting login attempts to your admin interfaces helps prevent brute force attacks, where automated scripts attempt combinations of user name and password until one grants access.

By default, versions Drupal 7 and above limits logins to five failed attempts per user within six hours, and 50 per IP within one hour. If those are exceeded, further logins are blocked for six hours.

For versions prior to Drupal 7, you can add a security module that includes a feature for limiting login attempts. Download one, such as Login Security, from the Drupal module repository.

Restrict Drupal access to authenticated URLs

Use a Drupal security module or website firewall to allowlist IPs that can access your login page. This ensures only people you know and trust are able to bypass security and log in, effectively cutting off this attack vector used by bad actors.

Set up two-factor authentication (2FA)

Two-factor authentication is a security measure that relies on a device in your physical possession. Login credentials can be stolen or guessed, but 2FA requires access to a device like your desktop computer or mobile device. With 2FA in place, you must also enter a code sent to that device in order to log in to your Drupal user account.

You can set up two factor authentication via Drupal admin or by adding the module Two-Factor Authentication (2FA).

To set up two-factor authentication via Drupal admin:

  • Log in to Drupal admin.
  • Click Logged in as (your username). Your account page displays.
  • Go to Security, click Setup Application, and then enter your password.
  • Download the 2FA client for your device, and then open the 2FA client on your device.
  • On your device, enter the verification code from your Drupal admin session or scan the QR code. An application verification code displays.
  • In your Drupal admin session, go to Application verification code, enter the verification code from your device, and then click Verify and save.

 

Look for an email confirming you set up 2FA. Future logins will require you to enter a temporary code sent to your mobile device in addition to your Drupal username and password.

Monitor & detect Drupal hacks

Out of the box, Drupal comes with relatively strong security measures. However, there are numerous modules and other third-party technology you can employ to strengthen your Drupal website security.

 

Drupal security modules

Go to the Drupal module repository, and then search using the term security. You’ll find that over 1,500 modules come up. Here are five that merit immediate consideration:

  • CAPTCHA — Implements a challenge-response test when users attempt to submit data.
  • reCAPTCHA — Improves upon the CAPTCHA system.
  • Backup and Migrate — Backs up and restores MySQL databases and code, and enables simpler site migration.
  • Automated Logout — Logs out users after a specified period of inactivity.
  • Two-Factor Authentication (TFA) — Adds a second login step beyond username/password, such as a code sent to a mobile device.

 

Drupal hosting security

The least secure types of hosting are typically easier to use, with plans often featuring an easy-to-understand interface and automated tasks like updating core files. A good rule of thumb is to select a plan requiring the greatest amount of manual interaction you can handle.

Less costly plans also tend to use shared environments. While these cost far less, your website risks infection should another site on the shared server get compromised. As you evaluate hosting providers, you’re likely to see these plans:

  • Managed hosting (beginner) — With automated functions and a shared environment, these plans are for people who have little hosting experience.
  • Shared hosting (intermediate) — Cost effectiveness comes with less security, as these plans use shared hosting. Site owners must install admin software like cPanel or Plesk.
  • Virtual private servers (advanced) — Featuring an isolated environment, these plans feature super-user permission and the ability to install any admin software.
  • Dedicated servers (pro) — With one website hosted on one server, mitigating risks such as cross-site contamination comes with a higher price and level of experience. 

 

Drupal site owners with less experience should consider the first two options, while those with more knowledge and resources would benefit from the last two options. It’s also worth contacting hosting providers to see what kind of technical support they offer, as well as security services like malware scanning and removal.

Drupal backups

It would be unwise to assume a website will never encounter a problem that requires restoring a previous, healthy version. It’s essential to have a solution that regularly backs up versions of your website, and then lets you restore any of those backups as needed.

Some Drupal modules, such as Backup and Migrate, handle this function. Other third-party applications like our Website Security Platform offer a more robust solution. With either route you choose, make sure backups have these characteristics:

  • Offsite — Backups shouldn’t be stored on the website’s server because they often contain unpatched software with vulnerabilities. Their publicly-accessible location lets anyone exploit them to attack your live website. Off-site backups also help protect against hardware failure.
  • Automatic — Backups should be completely automated so they’re made on a regular basis. If a manual solution is your only option, make sure you schedule the backups regularly.
  • Redundant — According to Schofield’s Second Law of Computing, data doesn’t exist unless there are at least two copies. Your backup strategy has to include redundancy: backups of your backups.
  • Validated — Make sure the process actually works. Start with an empty web directory, and then verify backups will get all your data and the website back online with a test domain, using only the backup file.

 

To the inexperienced, maintaining volumes of backups might seem like overkill. But for the website owner who’s gone through the ordeal of recovering a hacked site, reliable backups are nothing short of a life-saver.

Drupal scanners

The longer a hack remains in place, the more damage it does and the more difficult recovery becomes. Regularly scan your Drupal website for issues or changes to file structures and extensions to stay on top of indicators of compromise.

When it comes to scanners, you’ll find they fall into two categories:

  • Remote — These scanners, including SiteCheck and UnmaskParasites, examine the public-facing components of your Drupal site, such as nodes and modules. They’re typically free and simple to use.
  • Server-side — Server-side scanners, such as the one included in our Website Security Platform, look not only at public-facing components, but deep into your website files and databases for a comprehensive wellness check.

 

Because remote scanners are typically free and easy to use, it’s safe to plan on scanning manually on an ad hoc basis. However, if you use a paid service for remote scans, be sure to configure automated functions like scan intervals and alerts.

Drupal Scanner – SiteCheck

Drupal security logs & audits

In many situations, you can apply common sense to figure out how to improve Drupal site security. When you maintain security logs, such as those provided by modules like Login History, you can check on important details like user logins and activity, timestamps, IP addresses, and password resets.

As you audit your logs, ask yourself questions like:

  • Who is logging in and why?
  • Why are they changing and why?
  • Why are they logging in at odd hours?
  • Did authentication succeed or fail?
  • Why was there a password reset?
  • Do file uploads seem normal?

 

Use common sense. For example, if a user is adding or deleting modules in the middle of the night, or if you’re getting a lot of failed logins from one IP, isolate the source of odd behavior and take the steps outlined throughout this guide to remediate the situation.

Drupal hardening tips

Learning how to improve Drupal site security involves hardening it against the most common attack vectors used by bad actors. Let’s take a look at the most important places to harden and the steps required.

Harden your web server

The server platform used by your Drupal website might seem like an unlikely target, but hackers continuously look for and attack web servers with lax security. Take these steps to harden your web server against attacks:

  • Avoid interfaces like cPanel or Plesk. These have their own sets of vulnerabilities that hackers can use as additional attack vectors.
  • Replace root logins with sudo access. Roof allows unlimited access, while sudo limits it only to specified actions.
  • Replace passwords with SSH keys. Rather than only remembering passwords, users must possess an SSH client that uses an encrypted connection.
  • Disable FTP/TCP/IP ports except 80, 443, 21, and 22. Filter port 22 for known IP addresses. 

 

Harden PHP

PHP is a scripting language developed in 1994 that’s now used by more than 75% of sites on the web. Most CMS platforms, including Drupal, rely on it. This widespread adoption means PHP is also exploited by hackers, who can target the PHP configuration files on your web server. To protect your Drupal website, it’s necessary to harden this installation.

PHP hardening easily merits a guide all of its own. You can find many free resources to help you harden PHP yourself, such as guides you can find here. There are also extensions which work to patch PHP vulnerabilities. One of these is Suhosin, which is open source and free to download.

Delete unused databases

Keep your Drupal installation as clean as possible and avoid malware infections by removing old and unused databases. Before you start, copy your current Drupal database to a local file in case you need to roll back. Software like phpMyAdmin makes it easier to handle the administration of your database via the web.

Get started by making sure you have a recent backup of your site, and then putting your site in maintenance mode.

To enable maintenance mode for your Drupal website:
  • Log in to Drupal admin.
  • From Manage, go to Configuration, and then from Development, select Maintenance mode.
  • Tick Put site into maintenance mode.
  • In Message to display when in maintenance mode, enter a message for visitors during your updates.
  • Click Save configuration.
  • Verify your site is in maintenance mode with another browser or incognito tab.

Put the website in Maintenance mode – Drupal

Check the box Put site into maintenance mode – Drupal

To delete unused databases via phpMyAdmin:
  • Log in to phpMyAdmin.
  • Locate all databases and identify the one used in production.
  • Select and remove old and unused databases. 
 
To disable maintenance mode for your Drupal website:
  • Log in to Drupal admin.
  • From Manage, go to Configuration, and then from Development, select Maintenance mode.
  • Untick Put site into maintenance mode.
  • In Message to display when in maintenance mode, delete the message for visitors during your updates.
  • Click Save configuration.
  • Verify your site is out of maintenance mode with another browser or incognito tab.

Uncheck the box Put site into maintenance mode – Drupal

Disable the Drupal simpletest module

In order to avoid conflicts and possible security breaches remove or uninstall all unused modules from your Drupal installation, specifically the simpletest module.

Get started by making sure you have a recent backup of your site, and then putting your site in maintenance mode.

To enable maintenance mode & disable the Drupal simpletest module:
  • Log in to Drupal admin.
  • From Manage, go to Configuration, and then from Development, select Maintenance mode.
  • Tick Put site into maintenance mode.
  • In Message to display when in maintenance mode, enter a message for visitors during your updates
  • Click Save configuration.
  • Verify your site is in maintenance mode with another browser or incognito tab.
  • From Drupal admin, click Modules, and then tick Installed Modules.
  • Tick any unnecessary modules including simpletest, and then click Uninstall

If the simpletest doesn’t appear in the modules list, you can delete it manually:

  • Use the same FTP client software as used in the installing process, with the same connection information.
  • Navigate to the Modules directory.
  • Move the simpletest module to your computer.
  • Remove the simpletest directory.
  • Check if your site is working correctly and keep the changes. 

Please keep in mind the simpletest module is removed from core in Drupal 9.

To disable maintenance mode for your Drupal website:
  • Log in to Drupal admin.
  • From Manage, go to Configuration, and then from Development, select Maintenance mode.
  • Untick Put site into maintenance mode.
  • In Message to display when in maintenance mode, delete the message for visitors during your updates.
  • Click Save configuration.
  • Verify your site is out of maintenance mode with another browser or incognito tab. 

Drupal security apps & services

Now that you’re closer to learning how to secure a Drupal website, let’s talk about some of the security apps and services that can make your life easier. We offer everything you need, but encourage you to shop around to ensure the right fit for your situation.

Drupal Web Application Firewall (WAF)

Sucuri’s team of security researchers keep the Drupal WAF updated with the latest threat signatures targeting Drupal. Those get blocked, while our Anycast CDN ensures greater site availability and load times that are 60% faster, on average. You can try our Drupal WAF free for 30 days.

Drupal Security Platform

Our Website Security Platform includes multiple components (including the Drupal WAF) which work in sync for complete monitoring and detection, protection, and response.

Drupal SSL certificates

An SSL certificate verifies that data transmitted to and from your website is encrypted by a secure sockets layer (SSL). While it doesn’t secure the site itself, it’s essential for protecting your visitors. In fact, it’s typically required for ecommerce merchants and other websites that store sensitive data, and search engines will even boost rankings for sites with an SSL.

What if your Drupal site gets hacked?

Has your Drupal website been hacked? If so, check out our guide How to Clean a Hacked Drupal Site or reach out to our Malware Removal team. Our professional Security Analysts are available 24/7/365.

Need help blocking attackers?

Our Website Application Firewall (WAF) stops bad actors, speeds up load times, and increases your website availability.

Drupal Security FAQ

  • Is Drupal secure?

    While there isn’t a website platform that’s inherently secure, it’s safe to consider Drupal secure compared with the most popular CMS options today. It’s been available long enough to have been thoroughly vetted, and it’s compatible with today’s most effective security strategies.

  • What is a Drupal Vulnerability?

    It’s a security weakness unique to Drupal, compared with vulnerabilities specific to another CMS or those that apply to websites in general. For example, Drupal’s use of PHP and its open-source development create more specific opportunities for hackers, compared with attacking websites and users in a broader fashion with lower chances of success.

  • What is a Drupal security module?

    It’s an application developed apart from Drupal’s core files, and then added to the CMS for a specific function like ecommerce or SEO. While modules immensely expand the capability of a Drupal website, they also include their own vulnerabilities that website owners should take care to address.

Ready to install a WAF?

Sucuri Resource Library

Say on top emerging website security threats with our helpful guides, email, courses, and blog content.

Webinar

Learn how to identify issues if you suspect your WordPress site has been hacked.

Email Course

Join our email series as we offer actionable steps and basic security techniques for WordPress site owners.

Report

Based on our data, the three most commonly infected CMS platforms were WordPress, Joomla! and Magento.