In light of the recent COVID-19 pandemic - OPTASY would like to offer DRUPAL website support for any Healthcare, Government, Education and Non-Profit Organization(s) with critical crisis communication websites or organizations directly providing relief. Stay Safe and Stay Well.

What Are Some Quick and Easy Ways to Secure Drupal? 7-Step Security Checklist
Drupal
Drupal 8
Tips

What Are Some Quick and Easy Ways to Secure Drupal? 7-Step Security Checklist

by Adriana Cacoveanu on Jun 28 2018

You have patched your Drupal website, haven't you? If so, then that critical 3-month-old security flaw, Drupalgeddon2, can't get exploited on your site. Even so, with the menace of a cryptocurrency mining attack still lurking around the unpatched websites, you legitimately ask yourself: what are some quick and easy ways to secure Drupal?

“Which are the most basic steps to take and the simplest best practices to adopt to harden my Drupal site's security myself?”

Now, using keywords such as “security measures”, “quick”, “easy” and “handy”, I've come up with a list of 7 basic steps that any Drupal site owner can (and should) take for locking down his/her website.

Here they are, in no particular order:

 

1. Keep Your Drupal Core and Modules Updated 

Not only is this one of the simplest ways to secure Drupal, but one of the most effective ones, as well.

Even so more now, with the Drupalgeddon2 Drupal security threat still fresh in our memory, ignoring the regularly released security updates for both Drupal core and its modules is just plain recklessness or... self-sabotage.

Keep your Drupal version updated: apply security patches as soon as they get released, avoiding to leave your site exposed and exploitable. As simple as that!

And where do you add that this is one of those Drupal security best practices that's the easiest to integrate into your routine. Since to run the latest updates you only need to:

 

  • sign in to your Admin panel
  • go to “Manage” 
  • scroll down to “Reports”“Available Reports”
  • click on “Check manually”
  • if there are any critical security updates that you're advised to run, just click “Update”

     

This is all it takes for you to:

  1. seal any security loopholes in your Drupal core
  2. prevent any identified vulnerability from growing into a conveniently easy to access backdoor for hackers to get in

     

2. Install Drupal Security Modules 

Strengthening the shield around your Drupal site with some powerful Drupal security modules is another both handy and effective measure that you, yourself, can easily implement.

Luckily, you're definitely not out of options when it comes to good security modules in Drupal.

And I'm only going to run a short module inventory here, since I'm already preparing a blog post focused precisely on this topic. Therefore, I promise to delve deep into details about each one of the here-listed modules in my next post:

 

Downloading, installing security modules on your Drupal site is both:

 

  • quick and simple to do
  • highly effective 

     

And they serve a wide range of purposes, from:

 

  • enforcing strong password policies
  • to monitoring DNS changes
  • to locking down your site from security threats
  • to blocking malicious networks
  • to turning on a firewall on your site

     

As for their selection, it depends greatly on your list of priorities when it comes to improving your site's security. Take some time to weigh and to compare their features.

 

3. Remove Unused Modules: One of the Easiest Ways to Secure Drupal 

Being the “easiest” security measure to implement doesn't make it also “the most popular” among Drupal site owners.

Owners who more often than not:

 

  • underrate the importance of running a regular module usage audit on their sites
  • ignore the Drupal security threat that an outdated piece of code (or an unused module) could turn itself into, once exploited by an attacker

     

So, don't be one of those site owners! Are there modules on your site that you no longer use? 

That have grown outdated and that are just... lingering there, using your site's resources and risking to grow into an exploitable backdoor for hackers?

Identify them and remove them! It won't take more than just a few priceless minutes of your time.

 

4. Enforce a Strong Password Policy

Since it's not just the admin (you do have a smart username and password for logging into your admin dashboard, don't you?) that will log into your Drupal site, but users, too, implementing some strong user-side security measures is a must.

In this respect, creating a strong password policy — one that would enforce the creation of complex, “hard-nut-to-crack” type of login credentials — is one the best and the easiest ways to secure Drupal on the user's side.

Come up with a policy that defines specific requirements for setting up passwords of high enough entropy (letters, uppercase/lowercase, symbols, different characters combos).

And don't hesitate to rely on dedicated Drupal modules for enforcing those requirements defined in your policy:

 

5. Block Access to All Your Sensitive Files

I bet you don't want important folders, core files — upgrade.php., install.php, authorize.php, cron.php —  to be easily accessible to just... anyone, right?

So, how about limiting or blocking access to them?

And you can easily do that by configuring your .htaccess file —  it's the one containing details of crucial importance regarding your website access and credentials to specific parts and core files on your site:

Just specify the IP addresses allowed to access those core folders, files and subdomains.

Here's one “enlightening” example:

<FilesMatch "(authorize|cron|install|upgrade)\.php">
Order deny, allow
deny from all
Allow from 127.0.0.1
</FilesMatch>

Note!

Now speaking of limiting access, don't limit your restrictions to your core folders and files. Remember to restrict/block access to your web server, to your server login details, as well.

How? By adding a basic layer of authentication limiting server access and file access usage.

Also, do remember to cautiously manage access to certain port numbers that your site/app might be using.

 

6. Back Up, Back Up, then... Back Up Some More 

You can't anticipate brute-force attacks, but you sure can “land back on your feet” if the worst scenario ever happens.

And you can only do that if you have a clean and recent backup at hand to just rollback and restore your website.

In other words: back up regularly! 

And remember to always back up your files and MySQL database before any update that you run on your Drupal code and modules. It is one of those common sense Drupal security best practices that should be included in any basic security checklist!

Where do you add that you even have a dedicated Drupal module —  Backup and Migrate — to assist you with this process.

Some of the back up “burdens” that this module will take off your shoulders are:

 

  • backing up/restoring code and multiple MySQL databases
  • integrating Drush 
  • backing up files directory
  • setting up several backup schedules
  • AES encryption for backups

7. Review All User Roles and Grant the Minimum Permissions Necessary

How many user roles are there assigned on your Drupal site?

If you don't quite know the answer, then it's obvious:

You must give your entire user role system an audit!

And to stick to this habit, one of the simplest ways to secure Drupal, after all.

Review all the user roles and, most of all, review each one's set of permissions and make sure you trim them down to the minimum necessary for each role. 

This way, you'll also limit access to critical files for those users that shouldn't have the permission to download or visualize them.

And speaking of permission, do keep in mind to review all your file permissions, as well!

See which user roles are granted permission to access key directories or to read, write or modify certain files on your website and block/restrict access where necessary.

The END! Of course, this isn't even close to a complete list of ways to secure Drupal. If it had been an exhaustive one, it would have continued with more Drupal security best practices, such as:

 

  • getting the SSL Certificate
  • securing HTTP headers
  • using secure connections only

     

Etc. etc. I've only focused on some of the easiest and quickest measures that anyone, with little, close to no technical know-how at all, can implement. And I feel like stressing out the term “practice” here:

Securing your Drupal site is a constant process; a series of persistent efforts and not a one time thing. Remain vigillant and cautious and don't rely on just a one-time, multifaceted security hardening “marathon”.

 

Development

We do Web development

Go to our Web development page!

Visit page!

Recommended Stories

Drupal
Drupal Migration Services

Drupal Migration Services

  Drupal is a popular open-source platform for content management that provides rich functionality and high customization capabilities to enhance the user experience.  Many companies are already making the switch to Drupal 8 and reaping multiple benefits for their website development processes.  Are you too considering the idea of migrating your website to Drupal? To help you better understand why you should take this step and how can Drupal maximize your website's performance, have a look at these key reasons to start your Drupal migration.   Why should you migrate to Drupal 8? The right question should be: why not? There are plenty of reasons why a Drupal migration should be the next step in your web development endeavors, such as: Drupal 8 has a mobile-first approach out-of-the-box. Unlike previous versions of Drupal, you don’t need to handle any customization for building a responsive website or application. Drupal 8 is mobile-friendly at its core. Drupal 8 provides improved front-end perceived performance. With BigPipe technology being part of Drupal 8’s core, you don’t have to worry about website performance anymore—you’ll benefit from faster loading times out-of-the-box. Drupal 8 is easier to use than previous versions. For everyone complaining about the back-end experience of managing and editing Drupal websites and custom modules, Drupal 8 was designed with these complaints in mind. Managing the content on your website is now easier with Drupal 8 thanks to new features that make editing more accessible and comfortable.  Drupal 8 provides multilingual support. In other words, you can easily create multilingual websites due to Drupal 8’s multilingual core capabilities.  Drupal 8 has enhanced security features. Drupal has been long known as one of the most secure CMS on the market and Drupal 8’s security updates are here to confirm it.  Drupal 8 is highly SEO-friendly. With Drupal's advanced SEO capabilities, your website will have better visibility and rank higher on search engines. Drupal 8 has plenty of tools for upgrading SEO, including a SEO starter kit that you can easily access and manage.    Have you decided to move your website from WordPress or Joomla to Drupal? Or maybe you are looking to upgrade Drupal 6 or 7 to Drupal 8?  If you answered ‘yes’ to either one of those questions, then a Drupal migration is the next step for you. Excellent choice! We know it wasn't easy for you to finally make this decision. We also understand that you may now face a major challenge: migrations are costly and time-consuming. There are plenty of pre-planning requirements for migrating to Drupal 8, which are often long and tedious. Outsourcing your migration projects to a third-party company that provides a reliable migration service might be the safest bet.    Drupal is a scalable and flexible solution that can be moulded into anything you need it to be. It has enterprise-level security and an innovative modular-type system. It also has a steep learning curve because of everything you can do with it. Because of this, it requires Drupal-specific developers who have to know how to use it to its full potential.    Optasy is here to make this transition smooth and time-effective by offering high-quality Drupal migration services. The goal is to have the least amount of impact on your company's daily activities as possible. Downtime = lost revenue and we don't want that to happen.  Our Drupal team of experts will handle your migration carefully to minimize downtime and maximize the power of Drupal. Sooner than you think, you’ll have your migration projects completed and your Drupal website up and running to its full potential.  To better understand the process of migrating to Drupal, have a look at the main migration workflow used by our Drupal professionals.   Steps To Migrate Your Website To Drupal Step 1: Your website will undergo rigorous analysis. Our team of Drupal experts will take a close look at your current system's database. We perform functionality tests and deeply analyze the current framework. We then come up with a customized solution specific to your company's website needs.     Step 2: Decide which modules and design theme your current website can migrate to Drupal. Then we figure out which ones we'll develop from scratch and which ones simply need an upgrade.     Step 3: Once planning and analysis are complete, the migration of your website's components begins. This includes content, your database, usernames, emails, plugins, extensions, and user groups. It also includes metadata so that you don't lose any previous SEO work completed. We handle this with the greatest caution. We secure your valuable data and make a smooth transition from one platform to another.   Step 4: Test, test, and more testing. We test until we are 100% certain that your newly-built Drupal website runs perfectly. And with significantly improved performance.     A Smooth Migration Process We guarantee you that the whole migration process will go smoothly. Our Drupal migration services won't interfere or slow down your team's workflow. It also won't cause any downtime on your website, so you won't lose out on profits.    Our confidence relies on our access to using the best tools and resources. We also apply a proven efficient methodology based on many years of experience.   The migration process of your website happens on your server and behind the curtains. This guarantees zero impact on your daily workflow. It enables you to keep making sales or getting leads while your website migrates to Drupal's platform.     Benefits Of Optasy’s Drupal Migration Services Faster website Improve performance No downtime Experienced Drupal experts Seamless data and content migration Maintain SEO work previously completed     Upgrade To Drupal 8 Upgrading to the new Drupal 8 will make your website work (and look great) on any device to meet the needs of your diverse audience.    Some other key benefits of making the switch to Drupal 8 are:   Mobile-first ready. This version of Drupal has been designed to embrace the shift towards mobile. Fully responsive web design right out-of-the-box. Multilingual features. The platform is built to support any language. Mobile-friendly admin features. Now you can see everything right on your phone. Supports mobile app development. Easier to add content more than ever before. Flexible content delivery. This enables you to create and deliver content to any channel, device, or application.   Your migration to Drupal doesn’t have to be complicated. With the right Drupal migration services and support from a professional Drupal team, you can enhance your web development projects to deliver optimized, accessible, and intuitive user experiences.  “Although you could flex Drupal 7 to adapt to this changing environment, the real power and flexibility comes with having a Drupal 8 architecture where this flexibility is already in the core. That has implications for performance, adaptability, simpler architecture of services around Drupal, etc.” - Alex Moreno, Drupal software architect.      ... Read more
Adrian Ababei / Aug 12'2021
DrupalDrupal 8
Is Drupal Good for eCommerce? 11 Excellent Reasons Why You’d Choose It over Another Platform

Is Drupal Good for eCommerce? 11 Excellent Reasons Why You’d Choose It over Another Platform

    "... wanna run eCommerce on Drupal 8 but don't know if it's a good idea."   But is Drupal good for eCommerce?    And, most of all: Is it better suited for your own online business needs and feature requirements than other eCommerce platforms out there? Some legitimate questions you're struggling with there… To give you a hand, here's a list of 11 excellent reasons why you'd lean towards Drupal eCommerce solutions for building your e-commerce site.    Reason #1: You're in Full Control of the Source Code to Make Any Changes You Want In other words, you don't need to convince the vendor first that the changes you need to make are beneficial for him/her. You're free to extend Drupal eCommerce platform's core functionality, to adapt, and extend its code till it meets your needs entirely.    … till it integrates perfectly into that specific software that you use.   Which is not the case when you go for a commercial solution: you're not granted access to the core code for any custom software development work that you might need to make. Of course, this "reason" becomes a really strong selling point only if/when: you have non-standard business requirements it's a large, complex eCommerce website that you're building Reason #2: Your eStore Grows With Drupal  Drupal scales with your business... effectively.   And by that I mean that it's designed to keep the resources and the time required to handle your online store's growth at a minimum.   Being: flexible by nature (its open-source nature) powered by the API-first initiative … Drupal eCommerce solutions make the best choice if "scalability" is on top of your list of requirements.   Reason #3: You Get to Reach Out to Your Customers Across Multiple Channels  "Is Drupal good for eCommerce?"   It becomes the perfect option for your own eCommerce website if you're planning to reach out to your customers across an entire network of sales channels, thus boosting your digital marketing efforts.  Let's say you have your main/central eCommerce website and you need to pull content from there and to distribute it across a whole ecosystem of channels — eCommerce apps, digital kiosks, conversational interfaces — and devices. Then, the API-first initiative allows you to tap into a headless commerce Drupal architecture and: use Drupal as a back-end content repository configure your content to fit all types of formats and reuse it whenever (and wherever) needed increase your outreach incorporate business automation into your development team's workflow: help them work smart and achieve more Reason #4: You Get to Deliver Content-Driven eCommerce Experiences With Drupal, you get the best of both worlds:   an eCommerce platform (by integrating one of its specialized eCommerce modules into the content management system) a content platform   And this is what makes it ideal for: tapping into the experience-led eCommerce model getting the most out of your content marketing efforts (think blog posts, effectively interconnected product pages, user guides, etc.) Reason #5: You're Free to Integrate Any Third-Party Service into Your Online Store From: marketing platforms to analytics services to payment gateways of your choice (there are 80+ payment options available with Drupal Commerce) to third-party add-ons that would automate your team's tasks and boost their productivity (while boosting online sales, as well) … Drupal &amp; its eCommerce component accommodates any type of integrations you need to make.   Reason #6: "Is Drupal Good for eCommerce?" It Is for Delivering High-Speed eCommerce Experiences Just think… real-time shopping cart updates.  Or pretty much any action that your customers would need to carry out on your eCommerce site, then turbocharge it with top speed. A decoupled Drupal Commerce setup (add the JavaScript framework of your choice here) enables you to deliver such type of dynamic user experiences.    Reason #7: You Have No Limits to How Much You Can Extend Your Drupal 8 eCommerce Website Drupal Commerce can grow as much as your business needs. Whether you need to integrate: a whole network of third-party systems a whole lot of contributed modules an eCommerce Drupal distribution (a bundle of multiple modules) a Drupal eCommerce theme  … and extend your eCommerce store's functionality, there's no limit to what you can incorporate into your Drupal eCommerce website.   Reason #9:  You Benefit from an Extremely Configurable eCommerce Solution "Whereas eCommerce solutions are often developed with an application mindset, highlighting what you can do with it out of the box, Drupal eCommerce solutions were developed with a framework mindset, focusing on what you can build with them." (Source: Drupal.org)   Basically, you're free to customize every little piece of your Drupal 8 eCommerce site, till it: delivers that unique shopping experience you want it to meets all your ultra-personalized requirements: to trigger certain actions based on user input, to display multiple tax rates, to have an out-of-the-ordinary checkout flow, etc. Here, it's up to you and it depends on what you need to build: Are you looking for a cookie-cutter eCommerce solution, that would help you get a generic webshop up and running in no time? Or do you want unlimited customization freedom, that comes at the cost of…  investing more time in writing custom code?   Reason #10: You're Free to Sell Both Physical and Digital Goods And that thanks to Drupal Commerce's flexibility:   It provides you with the functionality you need to start building your product catalog and selling your digital products — subscriptions, tickets, online courses, etc. — on your online store. A key aspect to consider when comparing the features of your best options in terms of eCommerce platforms in 2020.   Reason #11: You Can Make the Most of the Granular and Differential Access to Content Drupal allows you to define different roles for your team members and to assign several levels of permission to each role. Not everyone would then be authorized to edit content, add products, manage orders, publish content, etc. This way you get to: set up a convenient hierarchy harden your online store's security  So, Is Drupal Good for eCommerce? Maybe a more appropriate question would be: "Is Drupal the right solution for my eCommerce business?"  It might be... And these 11 reasons mentioned here do become the best arguments for you to choose it over another platform (Ubercart, Prestashop, Shopify…) if: it's a growing or an already established eCommerce business that you run (otherwise, all that configuration and custom work might be an overkill for a small business) you have complex feature needs for your online store: you need to integrate it with coupon rules, several backend systems, and so on Do you fit the eCommerce business owner "profile"? For we do fit the profile of that Drupal eCommerce agency and development company you're looking for, capable to tweak it till it fits your complex requirements to the slightest detail. Just challenge us and see how Drupal eCommerce solutions can accelerate business outcomes.    ... Read more
Adriana Cacoveanu / Aug 10'2021
DesignDrupalDrupal 8Web Design
What Are the Benefits of Web Accessibility for Your Business?

What Are the Benefits of Web Accessibility for Your Business?

  For people with disabilities, web accessibility is highly beneficial. They use multiple assistive technology tools that often require accessible web design and apps to function properly.  It is obvious how web accessibility benefits users with disabilities, but what about businesses? What are the advantages of building accessible sites for your company? Keep reading, and you'll discover seven key benefits of making your website ADA-compliant.    Why do companies hesitate to invest in web accessibility?   A survey of around 500 U.S. business leaders and web designers shows the main reasons behind the reluctance of some companies to make a website accessible. Most of the respondents confessed they are worried about the financial investments and potentially high costs (73.6%), while 66.9% think optimizing their sites for accessibility will require too much time.  We are here to tell you that making your website accessible for people with disabilities doesn't require too many resources, will highly benefit the user experience, and most probably keep you away from web accessibility lawsuits.    7 Benefits of Making Your Website Accessible   1. Increased traffic on your site. There's a myth regarding accessible websites that says accessibility only benefits the visitors. However, by improving the user experience and making it accessible for anyone, you plant the seeds for: Higher traffic rates on your site Better user engagement Improved search engine optimization rankings Higher conversion rate   2. Lower risk of legal complications. As legal requirements regarding web accessibility are getting tougher, optimizing your site for people with disabilities becomes non-optional—unless you don't mind being prosecuted. Make sure your site meets specific accessibility guidelines and pay attention to the accessibility standards required by the industry that you're operating in.    3. Bigger customer base. Making your website accessible means addressing the needs of bigger social groups, and that, in the long term, could lead to you growing your customer base. By investing in accessible design, you can attract more visitors that are likely to engage with your brand on a long-term basis.   4.  A more innovative business mindset. Building accessible design for your website visitors challenges you to deal with unanticipated issues and thus puts your creativity at work.  The constraint of adapting your design so that it incorporates a whole set of accessibility features challenges you to... come up with innovative solutions—and to preserve that mindset for innovation in the long term. In the current dynamic digital landscape, staying creative and ready for innovation is key to keep up with the ever-changing trends.    5. Boosted SEO efforts.  You can improve your site's accessibility by adding ALT-text to images, writing clear content, or choosing a clutter-free page layout. All of these steps also mean good SEO practices.  So, by making your website more accessible, you're also making it more SEO-friendly. You probably already know the importance of investing in robust SEO strategies in today's digital landscape. It's all about how high you rank on SERPs and the level of visibility that your website is gaining.    6. Improved brand reputation.  Accessibility is also essential for your business as it helps grow your brand reputation. By ensuring your website's universal design grants equal rights and easy access to your content, you raise awareness and build a positive reputation around your business.  Today, having an inaccessible website is the digital equivalent of sticking a big KEEP OUT sign in front of your business.    7. Faster page loading time.  It has been proven that if you improve a page's level of accessibility, you boost its speed score. As modern internet users demand fast website experiences, you want to improve your page loading times to keep up with your visitors' needs. By implementing features designed for users with disabilities, you're making your site a better place for all users.    There are many ways in which you can promote accessibility on your website. For example, users that struggle with visual impairments benefit the most from screen readers to help them understand the content on a particular website. This is a way to make your website accessible for people with sight issues and offer some support in making their daily lives a bit easier.    Hopefully, this article sheds some light on the importance of web accessibility for your business and how building a universal design for your site can positively impact your brand.  For more insights on how Optasy can help you make your website more accessible, check out our Drupal Website Accessibility services.    Photo credit: Wirestock on freepik.       ... Read more
Raluca Olariu / Jul 12'2021

Need a new Project?

Dare us to shape and boost your idea(s)!

Start a Project

(416) 243-2431

Contact

(416) 243-2431

Toronto Downtown

First Canadian Place,
100 King St. W. Suite 5700, Toronto

Toronto West

2275 Upper Middle
Rd. E, Suite 101
Toronto

New York

1177 Avenue of the
Americas, 5th Floor,
New York