In light of the recent COVID-19 pandemic - OPTASY would like to offer DRUPAL website support for any Healthcare, Government, Education and Non-Profit Organization(s) with critical crisis communication websites or organizations directly providing relief. Stay Safe and Stay Well.

What Are Some Quick and Easy Ways to Secure Drupal? 7-Step Security Checklist
Drupal
Drupal 8
Tips

What Are Some Quick and Easy Ways to Secure Drupal? 7-Step Security Checklist

by Adriana Cacoveanu on Jun 28 2018

You have patched your Drupal website, haven't you? If so, then that critical 3-month-old security flaw, Drupalgeddon2, can't get exploited on your site. Even so, with the menace of a cryptocurrency mining attack still lurking around the unpatched websites, you legitimately ask yourself: what are some quick and easy ways to secure Drupal?

“Which are the most basic steps to take and the simplest best practices to adopt to harden my Drupal site's security myself?”

Now, using keywords such as “security measures”, “quick”, “easy” and “handy”, I've come up with a list of 7 basic steps that any Drupal site owner can (and should) take for locking down his/her website.

Here they are, in no particular order:

 

1. Keep Your Drupal Core and Modules Updated 

Not only is this one of the simplest ways to secure Drupal, but one of the most effective ones, as well.

Even so more now, with the Drupalgeddon2 Drupal security threat still fresh in our memory, ignoring the regularly released security updates for both Drupal core and its modules is just plain recklessness or... self-sabotage.

Keep your Drupal version updated: apply security patches as soon as they get released, avoiding to leave your site exposed and exploitable. As simple as that!

And where do you add that this is one of those Drupal security best practices that's the easiest to integrate into your routine. Since to run the latest updates you only need to:

 

  • sign in to your Admin panel
  • go to “Manage” 
  • scroll down to “Reports”“Available Reports”
  • click on “Check manually”
  • if there are any critical security updates that you're advised to run, just click “Update”

     

This is all it takes for you to:

  1. seal any security loopholes in your Drupal core
  2. prevent any identified vulnerability from growing into a conveniently easy to access backdoor for hackers to get in

     

2. Install Drupal Security Modules 

Strengthening the shield around your Drupal site with some powerful Drupal security modules is another both handy and effective measure that you, yourself, can easily implement.

Luckily, you're definitely not out of options when it comes to good security modules in Drupal.

And I'm only going to run a short module inventory here, since I'm already preparing a blog post focused precisely on this topic. Therefore, I promise to delve deep into details about each one of the here-listed modules in my next post:

 

Downloading, installing security modules on your Drupal site is both:

 

  • quick and simple to do
  • highly effective 

     

And they serve a wide range of purposes, from:

 

  • enforcing strong password policies
  • to monitoring DNS changes
  • to locking down your site from security threats
  • to blocking malicious networks
  • to turning on a firewall on your site

     

As for their selection, it depends greatly on your list of priorities when it comes to improving your site's security. Take some time to weigh and to compare their features.

 

3. Remove Unused Modules: One of the Easiest Ways to Secure Drupal 

Being the “easiest” security measure to implement doesn't make it also “the most popular” among Drupal site owners.

Owners who more often than not:

 

  • underrate the importance of running a regular module usage audit on their sites
  • ignore the Drupal security threat that an outdated piece of code (or an unused module) could turn itself into, once exploited by an attacker

     

So, don't be one of those site owners! Are there modules on your site that you no longer use? 

That have grown outdated and that are just... lingering there, using your site's resources and risking to grow into an exploitable backdoor for hackers?

Identify them and remove them! It won't take more than just a few priceless minutes of your time.

 

4. Enforce a Strong Password Policy

Since it's not just the admin (you do have a smart username and password for logging into your admin dashboard, don't you?) that will log into your Drupal site, but users, too, implementing some strong user-side security measures is a must.

In this respect, creating a strong password policy — one that would enforce the creation of complex, “hard-nut-to-crack” type of login credentials — is one the best and the easiest ways to secure Drupal on the user's side.

Come up with a policy that defines specific requirements for setting up passwords of high enough entropy (letters, uppercase/lowercase, symbols, different characters combos).

And don't hesitate to rely on dedicated Drupal modules for enforcing those requirements defined in your policy:

 

5. Block Access to All Your Sensitive Files

I bet you don't want important folders, core files — upgrade.php., install.php, authorize.php, cron.php —  to be easily accessible to just... anyone, right?

So, how about limiting or blocking access to them?

And you can easily do that by configuring your .htaccess file —  it's the one containing details of crucial importance regarding your website access and credentials to specific parts and core files on your site:

Just specify the IP addresses allowed to access those core folders, files and subdomains.

Here's one “enlightening” example:

<FilesMatch "(authorize|cron|install|upgrade)\.php">
Order deny, allow
deny from all
Allow from 127.0.0.1
</FilesMatch>

Note!

Now speaking of limiting access, don't limit your restrictions to your core folders and files. Remember to restrict/block access to your web server, to your server login details, as well.

How? By adding a basic layer of authentication limiting server access and file access usage.

Also, do remember to cautiously manage access to certain port numbers that your site/app might be using.

 

6. Back Up, Back Up, then... Back Up Some More 

You can't anticipate brute-force attacks, but you sure can “land back on your feet” if the worst scenario ever happens.

And you can only do that if you have a clean and recent backup at hand to just rollback and restore your website.

In other words: back up regularly! 

And remember to always back up your files and MySQL database before any update that you run on your Drupal code and modules. It is one of those common sense Drupal security best practices that should be included in any basic security checklist!

Where do you add that you even have a dedicated Drupal module —  Backup and Migrate — to assist you with this process.

Some of the back up “burdens” that this module will take off your shoulders are:

 

  • backing up/restoring code and multiple MySQL databases
  • integrating Drush 
  • backing up files directory
  • setting up several backup schedules
  • AES encryption for backups

7. Review All User Roles and Grant the Minimum Permissions Necessary

How many user roles are there assigned on your Drupal site?

If you don't quite know the answer, then it's obvious:

You must give your entire user role system an audit!

And to stick to this habit, one of the simplest ways to secure Drupal, after all.

Review all the user roles and, most of all, review each one's set of permissions and make sure you trim them down to the minimum necessary for each role. 

This way, you'll also limit access to critical files for those users that shouldn't have the permission to download or visualize them.

And speaking of permission, do keep in mind to review all your file permissions, as well!

See which user roles are granted permission to access key directories or to read, write or modify certain files on your website and block/restrict access where necessary.

The END! Of course, this isn't even close to a complete list of ways to secure Drupal. If it had been an exhaustive one, it would have continued with more Drupal security best practices, such as:

 

  • getting the SSL Certificate
  • securing HTTP headers
  • using secure connections only

     

Etc. etc. I've only focused on some of the easiest and quickest measures that anyone, with little, close to no technical know-how at all, can implement. And I feel like stressing out the term “practice” here:

Securing your Drupal site is a constant process; a series of persistent efforts and not a one time thing. Remain vigillant and cautious and don't rely on just a one-time, multifaceted security hardening “marathon”.

 

Development

We do Web development

Go to our Web development page!

Visit page!

Recommended Stories

DesignDrupalDrupal 8Web Design
What Are the Benefits of Web Accessibility for Your Business?

What Are the Benefits of Web Accessibility for Your Business?

  For people with disabilities, web accessibility is highly beneficial. They use multiple assistive technology tools that often require accessible web design and apps to function properly.  It is obvious how web accessibility benefits users with disabilities, but what about businesses? What are the advantages of building accessible sites for your company? Keep reading, and you'll discover seven key benefits of making your website ADA-compliant.    Why do companies hesitate to invest in web accessibility?   A survey of around 500 U.S. business leaders and web designers shows the main reasons behind the reluctance of some companies to make a website accessible. Most of the respondents confessed they are worried about the financial investments and potentially high costs (73.6%), while 66.9% think optimizing their sites for accessibility will require too much time.  We are here to tell you that making your website accessible for people with disabilities doesn't require too many resources, will highly benefit the user experience, and most probably keep you away from web accessibility lawsuits.    7 Benefits of Making Your Website Accessible   1. Increased traffic on your site. There's a myth regarding accessible websites that says accessibility only benefits the visitors. However, by improving the user experience and making it accessible for anyone, you plant the seeds for: Higher traffic rates on your site Better user engagement Improved search engine optimization rankings Higher conversion rate   2. Lower risk of legal complications. As legal requirements regarding web accessibility are getting tougher, optimizing your site for people with disabilities becomes non-optional—unless you don't mind being prosecuted. Make sure your site meets specific accessibility guidelines and pay attention to the accessibility standards required by the industry that you're operating in.    3. Bigger customer base. Making your website accessible means addressing the needs of bigger social groups, and that, in the long term, could lead to you growing your customer base. By investing in accessible design, you can attract more visitors that are likely to engage with your brand on a long-term basis.   4.  A more innovative business mindset. Building accessible design for your website visitors challenges you to deal with unanticipated issues and thus puts your creativity at work.  The constraint of adapting your design so that it incorporates a whole set of accessibility features challenges you to... come up with innovative solutions—and to preserve that mindset for innovation in the long term. In the current dynamic digital landscape, staying creative and ready for innovation is key to keep up with the ever-changing trends.    5. Boosted SEO efforts.  You can improve your site's accessibility by adding ALT-text to images, writing clear content, or choosing a clutter-free page layout. All of these steps also mean good SEO practices.  So, by making your website more accessible, you're also making it more SEO-friendly. You probably already know the importance of investing in robust SEO strategies in today's digital landscape. It's all about how high you rank on SERPs and the level of visibility that your website is gaining.    6. Improved brand reputation.  Accessibility is also essential for your business as it helps grow your brand reputation. By ensuring your website's universal design grants equal rights and easy access to your content, you raise awareness and build a positive reputation around your business.  Today, having an inaccessible website is the digital equivalent of sticking a big KEEP OUT sign in front of your business.    7. Faster page loading time.  It has been proven that if you improve a page's level of accessibility, you boost its speed score. As modern internet users demand fast website experiences, you want to improve your page loading times to keep up with your visitors' needs. By implementing features designed for users with disabilities, you're making your site a better place for all users.    There are many ways in which you can promote accessibility on your website. For example, users that struggle with visual impairments benefit the most from screen readers to help them understand the content on a particular website. This is a way to make your website accessible for people with sight issues and offer some support in making their daily lives a bit easier.    Hopefully, this article sheds some light on the importance of web accessibility for your business and how building a universal design for your site can positively impact your brand.  For more insights on how Optasy can help you make your website more accessible, check out our Drupal Website Accessibility services.    Photo credit: Wirestock on freepik.       ... Read more
Raluca Olariu / Jul 12'2021
DrupalDrupal 8
6 Experts Talk About the Advantages of Using Drupal

6 Experts Talk About the Advantages of Using Drupal

  As the digital landscape is constantly evolving, there is an increased pressure on web content management systems (CMSs) to keep pace with the needs of the modern consumer.  To meet these complex demands that revolve around highly personalized and interactive web experiences and streamlined connectivity between devices, companies require websites that can support these goals.  One of the most powerful enterprise-level CMS platforms, Drupal, can handle more complex projects and its capabilities, as the Drupal founder, Dries Buytaert, reveals, only get better with experience.    Why is Drupal web development the right choice?   There are multiple competitive advantages that organizations can reap from using Drupal to handle their online presence. How do you know if Drupal is the right choice for your next web development project? Check out this list of key features and capabilities that Drupal offers and see how they can fit in with your needs and demands.   Are you looking to highly customize your website and content? Drupal's widely-known customizing power allows you to adjust and edit over 16,000 plug-ins and modules. If you need a CMS that can support your web development projects by implementing additional custom features like CRM, security, or SEO, with a focus on customizability, then Drupal might be the best fit.   What do the experts say? Nick Wilde, a Full-stack developer (including DevOps) at North Studios, thoroughly recommends Drupal for companies looking to change and customize their digital approaches:  "I love a *lot* of the changes in Drupal 8 compared to 7 or 6, but most of them didn't really change the way I worked. I mean, sure, using slightly different hooks etc. - but that's not really any different than integrating with different modules to my mind at least. What really did change my way of working was the Configuration Management Initiative's work, and by changed I mean massively improved. Yes, some degree of custom integration is possible with Drupal 7 with hook_update_N() and/or the features module, but in Drupal 8, a solid reproducible, testable CI and deployment process is not just possible but easy. (Yes, I'm a smidge of a fanatic about DevOps and process, despite being primarily a developer). When doing complex back-end work, moving to an Object Oriented system has felt like coming home since I started programming with Python in an OOP code-base.”   Is flexibility important for your web development project? A major selling point of Drupal lies in its rich potential to build and manage a wide range of content types, whether it is a blog post, podcast, or any other custom content types. By enabling a flexible design platform, Drupal allows users to create and manage content-rich media or eCommerce sites.    What do the experts say? Alex Moreno, a software architect, based in London, is helping big companies with their Drupal and IoT projects and has revealed how he uses Drupal's flexible core capabilities to catch up with the ever-evolving technology transformations: “Although you could flex Drupal 7 to adapt to this changing environment, the real power and flexibility comes with having a Drupal 8 architecture, where this flexibility is already in the core. That has implications for performance, adaptability, simpler architecture of services around Drupal, etc.”   Are you considering scalability as an important asset for your web project? If so, Drupal is a winning choice. When accommodating content growth becomes a challenge, Drupal steps in with its tremendously scalable capabilities and supports your growth in an effortless manner.    What do the experts say? Drupal expert, Malabya Tewari, talks about how Drupal Modules can help build a responsive design and flexible user experiences: “When I started my career with Drupal 6 briefly and then moved on to Drupal 7, I really liked the abundance of modules Drupal 7 had. ‘There is a module for that’ was a common statement while building a feature. When I transitioned to Drupal 8 and when it was in its pre-release state, there were no contributed modules. Of course, views and entity reference were in core, but it lacked the huge pool of modules that Drupal 7 had. Instead, Drupal 8 had some great flexible and robust components which mostly worked for me. Even though there was a lot of learning to do, pretty soon I got the hang of it and found out that you don't need a module for that. That's how it changed my working approach with Drupal 8 because I can build a lot of great things without any contributed module.”   Do you need greater functionality around your site's translation capabilities? Drupal 8 supports 100 different languages for translation, and these multilingual features come with the installation interfaces. That means that you can build your multilingual Drupal website easier than ever before, at no additional costs.    What do the experts say? Penyaskito is a Drupal contributor and developer at Lingotek, who manages a cloud-based translation management system for their clients. He speaks highly of Drupal's multilingual capabilities: “Thanks to the Drupal 8 Multilingual Initiative, translation is not an afterthought in Core anymore. And thanks to the clean APIs that were designed with this in mind, we are able to improve every day functionalities for our clients in our integration with Drupal 8. While with other CMS we devote time constantly to integrate with contributed modules or alike, we can focus on new functionalities as this APIs make us compatible with most contrib modules out of the box without any extra effort on our side.”   Are you interested in building a content management framework based on API architectures? Drupal's caching modules support faster page loading, optimized bandwidth, and a robust web performance to meet the needs of the modern digital consumer. Whether used for content publishing or for optimizing the user interface, Drupal's 8 API-based architecture is a top upgrade compared to previous versions.    What do the experts say? Let's see what Dries Buytaert, the father of Drupal and CTO of Acquia, has to say about Drupal's web service APIs: “You want to enable your developers to easily deliver content to different devices, channels, and platforms. This means that the content needs to be available through APIs. This is aligned with Drupal 8's roadmap, where we are focused on web services capabilities. Through Drupal's web service APIs, developers can build freely in different front-end technologies, such as Angular, React, Ember, and Swift, as well as Java and .NET. For developers, accomplishing this without the maintenance burden of a full Drupal site or the complexity of configuring standard Drupal to be decoupled is key.”   If you are not yet sure about choosing Drupal for your next web development project, we are more than happy to help you with professional advice tailored to your needs and demands. Contact us and let's start your outstanding web development project.   Here's another quote from a Drupal expert, Nick Lewis, on how Drupal 8 is influencing the way he approaches his tasks:  “Drupal 8 is looking very interesting indeed, a big leap forwards from its previous versions. I’m busy working out how to get D8 modules up and running for a client project. Well I am working on a project right now for a large global fast food outlet (here in the UK), switching from one very popular CRM system into D8 as it will cut costs tremendously and not only that, recruitment will be easier given Drupal’s wide adoption in the community.”   Photo credit: Den Harrson on Unsplash.  ... Read more
Raluca Olariu / Jul 01'2021
DrupalDrupal 8Tips
6 Secrets Behind the Best Drupal Web Development Projects

6 Secrets Behind the Best Drupal Web Development Projects

  You know a top-notch Drupal website when you see it—it has personality, it's flexible and intuitive, and it doesn't compromise on the user experience. The most successful Drupal web development projects are well planned by development teams and Drupal experts to match the needs of the existing online environment and promote a robust online presence for various companies.  Regardless of the nature of the development project, all successful Drupal websites seem to have some things in common—the secrets of web development masters that turn Drupal projects into art. This article will look at ten best practices that the most successful Drupal experts use to build highly functional and secure websites.    Secret #1 Revealed: Build a robust project plan from the get-go.   Knowing exactly where you're heading with your Drupal project can frequently make the difference between success and failure. That's why you must start by setting the organizational website requirements and creating strategies with the end-user in mind. In other words, know what's what from the beginning of your Drupal project and follow this scheme throughout your development journey. Benefit: Easier to avoid getting stuck in the complex nature of Drupal development projects.    Secret #2 Revealed: Put the user experience first.   If there's one thing you shouldn't compromise on when building a website, it's the user experience (UX). After all, the success of a website is determined by whether or not the end-user is comfortable with the site's functionality and UX. The secret here lies in empowering the user with a satisfactory level of control so that it can fully enjoy and immerse into the content of your website.  Benefit: Boost your audience's engagement and generate more visitors.    Secret #3 Revealed: Choose a reliable, secure web hosting service.   The digital environment means connection, and that's what a web hosting service can offer to you—it allows all your site content to be seen anywhere at any time. When choosing a web hosting partner, pay attention to elements like loading speed, uptime score, and the cost-performance index. Benefit: Improved site performance and security.    Secret #4 Revealed: Make the most out of Drupal modules.    A successful Drupal web development project lies on a foundation of highly customized and optimized modules. To maximize the potential offered by Drupal modules, consider what needs you may be able to address by installing a specific module and how it can shape certain functionalities and content sharing capabilities on your website.  Benefit: From flexibility to time efficiency, modular development meets a wide range of demands in your Drupal projects.   Secret #5 Revealed: Work on your project step by step.   It is widely known that Drupal web development can be pretty complex, and that's why many companies choose a Drupal development agency or outsource their companies to other experts. But if you wish to do it yourself, make sure you set realistic milestones. The lack of project leadership can be a confidence killer for even the most experienced developers and may cause your Drupal development environment to become a highly unproductive one.  Benefit: Boost productivity and confidence amongst developer teams.   Secret #6 Revealed: Build solid brand identity.   Part of what makes the user experience a great one is the ability to make the user comfortable. Solid UX/UI design relies on consistency, bringing comfort to the visitor as it makes him feel in control and know what to expect. If you want to position yourself as a trustful brand with a robust online presence, create a style guide with basic typography and a color palette. Also, don't be afraid to introduce new design elements from time to time to spice things up a bit and re-engage your audience.  Benefit: Attract and retain more customers.    Content management systems like Drupal provide multiple benefits, but Drupal projects can also be hard to handle—if you want to build highly successful websites. With these six best practices at your fingertips, you can manage and optimize your Drupal project more quickly and efficiently.  If you find that you can't reasonably handle Drupal's complexity and want to make more of its performance-enhancing capabilities, let us take care of your project. At Optasy, we put all the six best practices outlined in this article at work and more. See how we can revolutionize your Drupal web development project,    Photo credit: Ben Kolde on Unsplash.     ... Read more
Raluca Olariu / Jun 02'2021

Need a new Project?

Dare us to shape and boost your idea(s)!

Start a Project

(416) 243-2431

Contact

(416) 243-2431

Toronto Downtown

First Canadian Place,
100 King St. W. Suite 5700, Toronto

Toronto West

2275 Upper Middle
Rd. E, Suite 101
Toronto

New York

1177 Avenue of the
Americas, 5th Floor,
New York