You have patched your Drupal website, haven't you? If so, then that critical 3-month-old security flaw, Drupalgeddon2, can't get exploited on your site. Even so, with the menace of a cryptocurrency mining attack still lurking around the unpatched websites, you legitimately ask yourself: what are some quick and easy ways to secure Drupal?
“Which are the most basic steps to take and the simplest best practices to adopt to harden my Drupal site's security myself?”
Now, using keywords such as “security measures”, “quick”, “easy” and “handy”, I've come up with a list of 7 basic steps that any Drupal site owner can (and should) take for locking down his/her website.
Here they are, in no particular order:
1. Keep Your Drupal Core and Modules Updated
Not only is this one of the simplest ways to secure Drupal, but one of the most effective ones, as well.
Even more so now, with the Drupalgeddon2 Drupal security threat still fresh in our memory, ignoring the regularly released security updates for both Drupal core and its modules is just plain recklessness or... self-sabotage.
Keep your Drupal version updated: apply security patches as soon as they get released, so you don't leave your site exposed and exploitable. As simple as that!
Add to that, this is one of those Drupal security best practices that's the easiest to integrate into your routine, since to run the latest updates you only need to:
- sign in to your Admin panel
- go to “Manage”
- scroll down to “Reports” → “Available Reports”
- click on “Check manually”
- if there are any critical security updates that you're advised to run, just click “Update”
This is all it takes for you to:
- seal any security loopholes in your Drupal core
- prevent any identified vulnerability from growing into a conveniently easy-to-access backdoor for hackers to get in
2. Install Drupal Security Modules
Strengthening the shield around your Drupal site with some powerful Drupal security modules is another both handy and effective measure that you, yourself, can easily implement.
Luckily, you're definitely not out of options when it comes to good security modules in Drupal.
And I'm only going to run a short module inventory here, since I'm already preparing a blog post focused precisely on this topic. Therefore, I promise to delve deep into details about each one of the here-listed modules in my next post:
- Secure Login
- The Security Review (Drupal 7 only)
- Two-factor Authentication
- Content Access
- Security Kit
- Password Policy
- Automated Logout
- Password Strength
Downloading and installing security modules on your Drupal site is both:
- quick and simple to do
- highly effective
And they serve a wide range of purposes, from:
- enforcing strong password policies
- to monitoring DNS changes
- to locking down your site from security threats
- to blocking malicious networks
- to turning on a firewall on your site
As for their selection, it depends greatly on your list of priorities when it comes to improving your site's security. Take some time to weigh and to compare their features.
3. Remove Unused Modules: One of the Easiest Ways to Secure Drupal
Being the “easiest” security measure to implement doesn't make it also “the most popular” among Drupal site owners.
Owners who more often than not:
- underrate the importance of running a regular module usage audit on their sites
- ignore the Drupal security threat that an outdated piece of code (or an unused module) could turn itself into, once exploited by an attacker
So, don't be one of those site owners! Are there modules on your site that you no longer use?
That have grown outdated and that are just... lingering there, using your site's resources and at risk of turning into an exploitable backdoor for hackers?
Identify them and remove them! It won't take more than just a few priceless minutes of your time.
4. Enforce a Strong Password Policy
Since it's not just the admin (you do have a smart username and password for logging into your admin dashboard, don't you?) that will log into your Drupal site, but users, too, implementing some strong user-side security measures is a must.
In this respect, creating a strong password policy, one that enforces the creation of complex, “hard-nut-to-crack” login credentials, is one of the best and easiest ways to secure Drupal on the user's side.
Come up with a policy that defines specific requirements for setting up passwords of high enough entropy (length, uppercase/lowercase letters, digits, symbols, different character combos).
And don't hesitate to rely on dedicated Drupal modules, such as the Password Policy and Password Strength modules listed above, for enforcing the requirements defined in your policy.
5. Block Access to All Your Sensitive Files
I bet you don't want important folders and core files (upgrade.php, install.php, authorize.php, cron.php) to be easily accessible to just... anyone, right?
So, how about limiting or blocking access to them?
And you can easily do that by configuring your .htaccess file, the per-directory Apache configuration file that controls who can reach specific parts and core files of your site:
Just specify the IP addresses allowed to access those core folders, files and subdomains.
Here's one “enlightening” example:
<FilesMatch "(authorize|cron|install|upgrade)\.php">
  # evaluate Deny first, then Allow: everyone is denied except the listed address
  Order deny,allow
  Deny from all
  Allow from 127.0.0.1
</FilesMatch>
Now speaking of limiting access, don't limit your restrictions to your core folders and files. Remember to restrict/block access to your web server, to your server login details, as well.
How? By adding a basic layer of authentication that limits who can reach the server and its files.
Also, do remember to cautiously manage access to certain port numbers that your site/app might be using.
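A fuller version of that .htaccess idea, added here as an example and not taken from the original post: it restricts the maintenance scripts by IP and, for the interactive ones, also puts the “basic layer of authentication” mentioned above in front of them. It assumes Apache 2.4 with mod_authz_core (with a 2.2 fallback), an AllowOverride that permits AuthConfig and Limit, a placeholder htpasswd path, and a constructed admin address 203.0.113.10; Drupal's core upgrade script is actually named update.php, so it is matched alongside the post's “upgrade” spelling.

```apacheconf
# Added example, not from the original post. Assumptions: Apache 2.4 with
# mod_authz_core (2.2 fallback included), an htpasswd file at the placeholder
# path /etc/apache2/drupal-admin.htpasswd, and 203.0.113.10 as the admin's
# address (a constructed, documentation-range value).

# cron.php: IP-only. The system cron job that fetches it cannot answer a
# password prompt, so it stays reachable from localhost and the admin host.
<FilesMatch "^cron\.php$">
  <IfModule mod_authz_core.c>
    Require ip 127.0.0.1 203.0.113.10
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2 syntax; on 2.4 without mod_access_compat these directives
    # are unknown and the .htaccess would answer every request with a 500.
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 203.0.113.10
  </IfModule>
</FilesMatch>

# Interactive maintenance scripts: IP restriction AND a Basic Auth login.
# RequireAll makes both conditions mandatory; two bare Require lines would
# be OR-ed (RequireAny is the default), letting any IP in with just a password.
<FilesMatch "^(authorize|install|update|upgrade)\.php$">
  AuthType Basic
  AuthName "Drupal maintenance scripts"
  AuthUserFile /etc/apache2/drupal-admin.htpasswd
  <IfModule mod_authz_core.c>
    <RequireAll>
      Require ip 127.0.0.1 203.0.113.10
      Require valid-user
    </RequireAll>
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 203.0.113.10
    Require valid-user
    # Satisfy All: both the host rule and the login must pass
    Satisfy All
  </IfModule>
</FilesMatch>
```

After saving, request one of the scripts from an address that is not listed: the correct result is a 403 (or a login prompt that rejects a wrong password), not the Drupal page.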
6. Back Up, Back Up, then... Back Up Some More
You can't anticipate brute-force attacks, but you sure can “land back on your feet” if the worst scenario ever happens.
And you can only do that if you have a clean and recent backup at hand to just roll back and restore your website.
In other words: back up regularly!
And remember to always back up your files and MySQL database before any update that you run on your Drupal code and modules. It is one of those common sense Drupal security best practices that should be included in any basic security checklist!
Add to that, you even have a dedicated Drupal module, Backup and Migrate, to assist you with this process.
Some of the back up “burdens” that this module will take off your shoulders are:
- backing up/restoring code and multiple MySQL databases
- integrating Drush
- backing up the files directory
- setting up several backup schedules
- AES encryption for backups
7. Review All User Roles and Grant the Minimum Permissions Necessary
How many user roles are there assigned on your Drupal site?
If you don't quite know the answer, then it's obvious:
You must give your entire user role system an audit!
And stick to this habit: it's one of the simplest ways to secure Drupal, after all.
Review all the user roles and, most of all, review each one's set of permissions and make sure you trim them down to the minimum necessary for each role.
This way, you'll also limit access to critical files for those users that shouldn't have the permission to download or visualize them.
And speaking of permission, do keep in mind to review all your file permissions, as well!
See which user roles are granted permission to access key directories or to read, write or modify certain files on your website and block/restrict access where necessary.
The END! Of course, this isn't even close to a complete list of ways to secure Drupal. If it had been an exhaustive one, it would have continued with more Drupal security best practices, such as:
- getting the SSL Certificate
- securing HTTP headers
- using secure connections only
Etc. etc. I've only focused on some of the easiest and quickest measures that anyone with little to no technical know-how can implement. And I feel like stressing the term “practice” here:
Securing your Drupal site is a constant process, a series of persistent efforts and not a one-time thing. Remain vigilant and cautious and don't rely on just a one-time, multifaceted security hardening “marathon”.