I'm a woman of my word, as you can see: here I am now, as promised in my previous post on the most effective ways to secure a Drupal website, ready to run a “magnifying glass” over the best Drupal security modules. To pinpoint their main characteristics and most powerful features and thus to reveal why they've made it to this list.
And why you should put them at the top of your own Drupal security checklist.
So, shall we dig in?
It's only but predictable that since the login page/form is the entry to your Drupal site, it is also the most vulnerable page there, as well.
Therefore, secure it!
In this respect, what this module enables site admins to do is :
- define a certain number of login attempts; too many invalid authentication attempts will automatically block that account
- block/limit access for specific IPs
Moreover, you get notified by email or via Nagios notifications when someone is just username/password guessing or using other kinds of brute force techniques to log into your Drupal site.
In short: the Login Security module, through its variety of options that it “spoils” you with, empowers you to set up a custom login policy on your site. To define your own restrictions and exceptions.
As already mentioned here, on this blog, when we've tackled the topic of Drupal security:
Keeping your Drupal core updated is that easily underrated, yet most powerful security measure that you could implement!
Now what this module here does is assisting you in keeping your Drupal codebase up to date: safely patched and having all the crucial upgrades.
And I don't need to remind you the security risk(s) that all those site owners ignoring the latest patches to Drupal core expose their websites to, right?
Captcha is one of the best Drupal security modules since it's one of the most used ones.
And no wonder: could you imagine submission forms on your website with no Captcha? The age-old system is one of the handiest ways to keep spammers and spambots away.
So, having this module “plugged in”, providing you with the needed captcha support, becomes wisely convenient.
The module enables you, as your Drupal site's admin, to define specific rules for “wannabe users” to follow when they set up their account passwords.
From constraints related to:
- special symbols that those passwords should include, to ramp up both the given account's and your own site's security
- to uppercase letters
- to numbers...
… once you plug in this Drupal security module in, it's you who gets to set up the policy for creating account passwords.
5. Security Review, One of the Best Drupal Security Modules
The Security Review module is that “Swiss knife” that you need for hardening your site's shield.
Meaning that it's an all-in-one tool. One that comes with its own Drupal security checklist that it regularly goes through and sets against your website, detecting any missing or improperly implemented security measures.
Moreover, it automates a whole series of tests for tracking down any signs of exploits and brute-force attacks:
- arbitrary PHP execution
- XSS exploits
- SQL injection
Once it identifies the vulnerabilities, it “alerts” you and gives you the best recommendations for mitigating those security risks. All you need to do is follow the suggestions.
6. Security Kit
Another module that “empowers” you to take full control over the security strategy on your Drupal site. To set up specific options for minimizing the chances of exploitable “cracks” showing up in its security shield:
For instance, it could recommend you to set up HTTP headers on your Drupal site.
Here's another one of those best Drupal security modules that's also one of the widely used ones.
Why is it a must-have on your own Drupal site? Because it enables you to set a limit to the number of simultaneous sessions per user, per role.
This way, you trim down the chances of suspicious activity being carried out on your site and eventually leading to brute-force attacks.
Another module that's a must on your Drupal site:
It basically enables you, the site admin, to define a policy that would log out users after a specified time period of inactivity.
LinkedIn, Google, Twitter, Instagram, Facebook are just some of the big names that have adopted this user authentication method for security reasons. So, why shouldn't you, too?
Especially when you have a dedicated module at hand, Two Factor Authentication, to:
- provide you with various methods to select from: pre-generated codes, time-based one-time PINS or passwords, codes sent via SMS etc.
- give you full freedom in defining that two-factor authentication strategy that suits your site best
The principle is as simple for the user, as it is effective for your website, from a security standpoint:
The user gets a security code that he/she'll then need to use for logging into your Drupal site.
A command-line tool, with IDE support, that gives your codebase a deep scan and detects any drift from the coding standards and best practices.
Why has it made it to this exclusive list of 15 best Drupal security modules? Cause vulnerabilities might be lurking right in your Drupal code, not necessarily in your users' weak passwords or unpatched core modules.
Having a tool at hand that would identify and notify you of all those weak links in your code, where the best practices aren't being followed, is just... convenience at its best.
Another key module to add to your Drupal security checklist.
For you do agree that email addresses are some of hackers' easiest ways to infiltrate into your website, don't you?
Now what this module here does is obfuscate email addresses so that spambots can't collect them.
“A set of APIs” This is how we could define this module here, which doesn't come with its own UI.
Its key role? To enable other Drupal modules on your website to set up a list of users that would get selective access to specific nodes on your site.
Why is Paranoia one of the best Drupal security modules?
Because it will end your “paranoia” — as its name suggests — that an ill-intentioned user might evaluate arbitrary code on your site.
The module practically identifies all those vulnerable areas where a potential attacker could exploit your site's code and blocks them.
14. Content Access
Limiting or blocking access to key content types on your site is no more than a common-sense security measure to take, don't you agree?
Therefore, this module here's designed to assist you throughout this process:
- as you define detailed permissions on your site: to view/edit/ delete specific content types
- … by user role and by author
Word of caution: do keep in mind that, since Content Access uses Drupal's node API, you shouldn't enable other modules using the same endpoints on your website!
A module that ramps up not just your site's security, but also its accessibility.
Just think about it:
Nowadays anyone has at least one Google account. Therefore, “anyone” can easily log into your website using his/her own Google account credentials.
Once, of course, you will have installed and turned this Drupal module on.
END of the list! These are the 15 best Drupal security modules worth installing on your site.
Scan them through, weigh their key features, set them against your site's specific security needs, and make your selection!