In light of the recent COVID-19 pandemic - OPTASY would like to offer DRUPAL website support for any Health Care, Government, Education and Non-Profit Organization(s) with critical crisis communication websites or organizations directly providing relief. Stay Safe and Stay Well.

What Are Some Quick and Easy Ways to Secure Drupal? 7-Step Security Checklist

What Are Some Quick and Easy Ways to Secure Drupal? 7-Step Security Checklist

by Adriana Cacoveanu on Jun 28 2018

You have patched your Drupal website, haven't you? If so, then that critical 3-month-old security flaw, Drupalgeddon2, can't get exploited on your site. Even so, with the menace of a cryptocurrency mining attack still lurking around the unpatched websites, you legitimately ask yourself: what are some quick and easy ways to secure Drupal?

“Which are the most basic steps to take and the simplest best practices to adopt to harden my Drupal site's security myself?”

Now, using keywords such as “security measures”, “quick”, “easy” and “handy”, I've come up with a list of 7 basic steps that any Drupal site owner can (and should) take for locking down his/her website.

Here they are, in no particular order:

 

1. Keep Your Drupal Core and Modules Updated 

Not only is this one of the simplest ways to secure Drupal, but one of the most effective ones, as well.

Even so more now, with the Drupalgeddon2 Drupal security threat still fresh in our memory, ignoring the regularly released security updates for both Drupal core and its modules is just plain recklessness or... self-sabotage.

Keep your Drupal version updated: apply security patches as soon as they get released, avoiding to leave your site exposed and exploitable. As simple as that!

And where do you add that this is one of those Drupal security best practices that's the easiest to integrate into your routine. Since to run the latest updates you only need to:

 

  • sign in to your Admin panel
  • go to “Manage” 
  • scroll down to “Reports”“Available Reports”
  • click on “Check manually”
  • if there are any critical security updates that you're advised to run, just click “Update”

     

This is all it takes for you to:

  1. seal any security loopholes in your Drupal core
  2. prevent any identified vulnerability from growing into a conveniently easy to access backdoor for hackers to get in

     

2. Install Drupal Security Modules 

Strengthening the shield around your Drupal site with some powerful Drupal security modules is another both handy and effective measure that you, yourself, can easily implement.

Luckily, you're definitely not out of options when it comes to good security modules in Drupal.

And I'm only going to run a short module inventory here, since I'm already preparing a blog post focused precisely on this topic. Therefore, I promise to delve deep into details about each one of the here-listed modules in my next post:

 

Downloading, installing security modules on your Drupal site is both:

 

  • quick and simple to do
  • highly effective 

     

And they serve a wide range of purposes, from:

 

  • enforcing strong password policies
  • to monitoring DNS changes
  • to locking down your site from security threats
  • to blocking malicious networks
  • to turning on a firewall on your site

     

As for their selection, it depends greatly on your list of priorities when it comes to improving your site's security. Take some time to weigh and to compare their features.

 

3. Remove Unused Modules: One of the Easiest Ways to Secure Drupal 

Being the “easiest” security measure to implement doesn't make it also “the most popular” among Drupal site owners.

Owners who more often than not:

 

  • underrate the importance of running a regular module usage audit on their sites
  • ignore the Drupal security threat that an outdated piece of code (or an unused module) could turn itself into, once exploited by an attacker

     

So, don't be one of those site owners! Are there modules on your site that you no longer use? 

That have grown outdated and that are just... lingering there, using your site's resources and risking to grow into an exploitable backdoor for hackers?

Identify them and remove them! It won't take more than just a few priceless minutes of your time.

 

4. Enforce a Strong Password Policy

Since it's not just the admin (you do have a smart username and password for logging into your admin dashboard, don't you?) that will log into your Drupal site, but users, too, implementing some strong user-side security measures is a must.

In this respect, creating a strong password policy — one that would enforce the creation of complex, “hard-nut-to-crack” type of login credentials — is one the best and the easiest ways to secure Drupal on the user's side.

Come up with a policy that defines specific requirements for setting up passwords of high enough entropy (letters, uppercase/lowercase, symbols, different characters combos).

And don't hesitate to rely on dedicated Drupal modules for enforcing those requirements defined in your policy:

 

5. Block Access to All Your Sensitive Files

I bet you don't want important folders, core files — upgrade.php., install.php, authorize.php, cron.php —  to be easily accessible to just... anyone, right?

So, how about limiting or blocking access to them?

And you can easily do that by configuring your .htaccess file —  it's the one containing details of crucial importance regarding your website access and credentials to specific parts and core files on your site:

Just specify the IP addresses allowed to access those core folders, files and subdomains.

Here's one “enlightening” example:

<FilesMatch "(authorize|cron|install|upgrade)\.php">
Order deny, allow
deny from all
Allow from 127.0.0.1
</FilesMatch>


Note!

Now speaking of limiting access, don't limit your restrictions to your core folders and files. Remember to restrict/block access to your web server, to your server login details, as well.

How? By adding a basic layer of authentication limiting server access and file access usage.

Also, do remember to cautiously manage access to certain port numbers that your site/app might be using.

 

6. Back Up, Back Up, then... Back Up Some More 

You can't anticipate brute-force attacks, but you sure can “land back on your feet” if the worst scenario ever happens.

And you can only do that if you have a clean and recent backup at hand to just rollback and restore your website.

In other words: back up regularly! 

And remember to always back up your files and MySQL database before any update that you run on your Drupal code and modules. It is one of those common sense Drupal security best practices that should be included in any basic security checklist!

Where do you add that you even have a dedicated Drupal module —  Backup and Migrate — to assist you with this process.

Some of the back up “burdens” that this module will take off your shoulders are:

 

  • backing up/restoring code and multiple MySQL databases
  • integrating Drush 
  • backing up files directory
  • setting up several backup schedules
  • AES encryption for backups


7. Review All User Roles and Grant the Minimum Permissions Necessary

How many user roles are there assigned on your Drupal site?

If you don't quite know the answer, then it's obvious:

You must give your entire user role system an audit!

And to stick to this habit, one of the simplest ways to secure Drupal, after all.

Review all the user roles and, most of all, review each one's set of permissions and make sure you trim them down to the minimum necessary for each role. 

This way, you'll also limit access to critical files for those users that shouldn't have the permission to download or visualize them.

And speaking of permission, do keep in mind to review all your file permissions, as well!

See which user roles are granted permission to access key directories or to read, write or modify certain files on your website and block/restrict access where necessary.

The END! Of course, this isn't even close to a complete list of ways to secure Drupal. If it had been an exhaustive one, it would have continued with more Drupal security best practices, such as:

 

  • getting the SSL Certificate
  • securing HTTP headers
  • using secure connections only

     

Etc. etc. I've only focused on some of the easiest and quickest measures that anyone, with little, close to no technical know-how at all, can implement. And I feel like stressing out the term “practice” here:

Securing your Drupal site is a constant process; a series of persistent efforts and not a one time thing. Remain vigillant and cautious and don't rely on just a one-time, multifaceted security hardening “marathon”.

 

Development

We do Web development

Go to our Web development page!

Visit page!

Recommended Stories

What’s the Best Drupal Managed Hosting Provider? Here Are Your Top 4 Options
You want it to be easy to use, to provide you with as much automated maintenance as possible and... up to 100% uptime. So, what's the best Drupal managed hosting solution for your needs? And, let me guess: your “feature wishlist” is a bit longer actually:   autoscaling capability multi-site support: you want to be able to manage all your Drupal websites from a single dashboard CDN backups and easy restores on a daily basis support for migration Given your list of requirements, what are your best choices here? I've done my research and narrowed down your options to 4. 4 fully managed hosting solutions for Drupal that you should consider first. Here they are:   But First: Why Managed Hosting? What Does It Really Get You? Why would you want to go for a fully managed hosting solution for your Drupal website(s) instead of a... self-managed one? Because:   you gain so much time; time that you'd otherwise invest in setting the Drupal infrastructure yourself, from the ground up you avoid the risk of getting tangled up in software installation, configuration, infrastructure management (which can turn into a time and energy-consuming ordeal even if you have the know-how to set up a scalable VPS on AWS yourself) you avoid the headache of maintaining a whole infrastructure of Drupal sites you get remote administration that covers mundane, regular operations such as module updating   In short: you delegate your managed hosting provider with everything outside the codebase. Why spend time on the ongoing maintenance of your website when you can invest it in... improving it? In growing it?   1. Pantheon Drupal Hosting   Disclaimer: it's the Drupal hosting that we are using here, at OPTASY. But is Pantheon the best solution for your own use case? For your expectations of a hosting platform? It is if it's a simplified, easy to use hosting solution that you need for your Drupal website(s). One that provides you with:   great support solid tooling  almost instant patching great developer experience ease of use with Drupal high availability and scaling intuitive interface, which makes migrating and cloning your Drupal websites so much easier lots of integrations   But let's see precisely what services it provides you with.   Pantheon Drupal's Key Features   php7 Git 24/7 Drupal support  Once-click core updates  Built-in stagging environments: dev, test, live Global CDN Solr Developer dashboard   2. Acquia, One of the Best Drupal Managed Hosting Solutions   Acquia Drupal hosting is another great option to consider when you're trying to figure out which is the best service for you. Why? Because it provides you with:   some of the best tools: both powerful and easy to use enterprise-level security cloud hosting specifically tailored to suit Drupal websites unmatched scalability: Acquia Drupal 8 hosting powers some of the largest Drupal websites in the world    Acquia Drupal Hosting Key Features   Enterprise-grade security and recovery: a whole set of firewall controls and access and authentication controls; Acquia-hosted websites are known to be better equipped to recover from cyber attacks A hosting platform optimized for Drupal exclusively A turnkey solution: the built-in Node.js support enables you to develop your Drupal back-end apps, as well as your server-side rendered front-end apps, on the same hosting platform Robust development tools: APIs, integrations, and command-line tools that help you build and optimize your apps in no time Real-time monitoring, analyzing, and troubleshooting Close to 100% uptime: Drupal hosting Acquia makes the best choice for you if your uptime and performance requirements are way beyond basic Centralized dashboard for all your websites and a unique Drupal codebase Source: acquia.com   3. SiteGround Drupal Hosting Another popular hosting option for Drupal websites is Siteground, a platform robust enough to withstand the challenges of user-heavy, high traffic sites. It's also the most versatile managed hosting solution on this list, for it meets the needs of both small website owners and enterprise and large organizations. But why would you choose if over other Drupal 8 hosting services? SiteGround Drupal 8 Hosting Key Features   Daily backups 1-Click Drupal installation Responsive support from actual Drupal developers by mail, chat, helpdesk ticket Dynamic NGINX caching (available only on some of the hosting plans) Website transfer assistance with zero downtime   4. Cloudways Managed Drupal Cloud Hosting     Cloudways is not just one of your best Drupal managed to host options. It's also one of the most... different. It allows you to choose the cloud hosting provider for your Drupal infrastructure. You're free to go for Amazon AWS or Digital Ocean, Google Cloud or maybe Vultr, you name it. Why cloud hosting? Because it's easier to scale, more cost-effective, and faster.  In short: it's top performance hosting that scales that you get with Cloudways. But there are also other strong reasons why you'd want to choose to host your Drupal website(s) on Cloudways. Cloudways Managed Drupal Hosting Key Features   Composer support  ease of use: just sift through all the different options that it provides you with through an intuitive UI, select the ones that you prefer via quick one-click access, and set up your Drupal website in no time  HTTP/2 support PHP migration support Free migration SSD-Based Drupal Cloud Hosting CloudwaysCDN you get to host multiple Drupal websites on one server you can add more team members and share server access across your entire team  built-in caching options auto-scalable kyup servers: they downscale and upscale, depending on the amount of traffic on your website(s), with zero downtime managed platform: you can spin up servers and deploy your apps in the blink of an eye   Final Word  The key takeaway is that choosing the best hosting services for your Drupal site(s) is crucial. Imagine that you'd buy yourself a Porsche, but you don't afford a... garage for it. Or its maintenance costs. See my point? When you run your website on a performance powerhouse like Drupal, you need to look for a hosting platform that can match such a robust setup. And speaking of keeping your Drupal infrastructure secure and well-maintained, we have an entire team of Drupal experts that you can delegate your time-consuming maintenance tasks to:   updating Drupal modules running security patches as they get released monitoring your website's performance monitoring it for suspicious activities ...   Just drop us a line and let's tailor a Drupal security and maintenance plan to suit your website(s) needs.   Image by kropekk_pl from Pixabay ... Read more
Adriana Cacoveanu / May 28'2020
Drupal 9 Features: From “No New Features” to... 9 New Shiny Things You Can Expect to See in Drupal 9
What new Drupal 9 features can you expect to see on June 3rd, 2020? For, it's a bit confusing, isn't it?   on one hand, you have the “no new features“ statement on the other hand, you get answers like: “the easiest upgrade in a decade”, “newer PHP libraries”, “a brand new admin theme”, and so on   So, are there any new shiny things in Drupal 9 that you can look forward to? Or maybe get worried about... There is one shiny new feature and 8... improvements, from what I've seen. And I've grouped all together in a list. Here it is: 1. The New Shiny Thing: Easy Upgrade from Drupal 8 to Drupal 9 A smooth upgrade experience, this is the only new shiny thing that Drupal 9 ships with. In short, moving to Drupal 9 will be as easy as updating from one minor Drupal 8 version to another. Source: Drupal.org Word of caution: the upgrade path to Drupal 9 is “buttery smooth” if and only if you stick to a “healthy” routine of weeding out old and deprecated code from your current codebase. 2. Drupal 7 and 8 Will Continue to Get Supported Alongside Drupal 9 One of the biggest Drupal 9 vs Drupal 8 (and even Drupal 9 vs Drupal 7) difference is the overlap of security coverage: Till Drupal 9, whenever a new stable version got released, the previous one lost its support. Starting with the 9th version of the CMS, Drupal 7, and Drupal 8 will continue to get community support till November 2021. In other words, Drupal 8, cleaned-up of all deprecated API will continue to work on Drupal 9.  And Drupal 7 will get community support for... 1-1.5 years after Drupal 9 gets released.  One of the unexpected Drupal 9 features. For it disrupts the way that the Drupal community used to approach major versions once they were no longer “the latest” ones. 3. Claro Becomes the Default Administration Theme … once it gets stable. 4. New Drupal 9 Features: CKEditor 5 Gets Implemented ... in a future version of Drupal 9. Security support will drop for CKEditor 4 sometime around Drupal 9's end of life. Therefore, Drupal 9's roadmap includes adding CKEditor 5 to a future version (and eventually removing CKEditor 4 completely in Drupal 10).   5. The Workspace Module Goes from Experimental to Stable Source: Drupal.org How is this good news for you? Let's say that you need to prepare multiple versions of your Drupal site and, depending on certain factors, to push live only one of them. The Workspace module allows you do to precisely that: to replicate content between workspaces on the same Drupal site. And, luckily, the module will be generally available starting with Drupal 9... 6. What's New in Drupal 9? Twig 2 That's right, Drupal 9 comes with support for newer PHP libraries. Support for Twig 2 here included. 7. Drupal 9 Will Be Backward-Compatible with Drupal 8 from Day One What are the new Drupal 9 features? Minor upgrade versions of Drupal 8 will be backward-compatible with Drupal 9. This means that all your Drupal 8 components will work with Drupal 9. This ninth version of Drupal is built on top of Drupal 8, basically.  In other words: no need to panic that your (Drupal 8) website's key features will no longer be valid in Drupal 9. This is going to be the first time that 2 major versions of Drupal are fully compatible.   8. From Symfony 3 to Symfony 4.4 “What's new in Drupal 9?” Symfony 4.4. Since its third version will no longer be supported in November 2021, Symfony 4.4 gets integrated with Drupal 9. All while making sure that Drupal 9 is forward-compatible with Symfony 5, as well...   9. Olivero Becomes Drupal's New Default Theme New Drupal version, new front-end theme. Olivero will come to replace Bartik, the current default theme in Drupal.   Wrap-Up: 5 Drupal 9 Requirements Your Drupal Site Should Meet Now you know which are the predictable, the new and the... shiny new features in Drupal 9. What next? How do you ensure that your Drupal website's Drupal 9-ready? Here are 5 key steps to take for a buttery-smooth upgrade:   Make sure your environment is Drupal 9-compatible: PHP 7.3, MySQL 5.7.8, Drush 10   Update to the latest minor versions of Drupal 8 as soon as they get released: you'll be able to upgrade your website to Drupal 9 only from Drupal 8.8. and Drupal 8.9    Keep your modules up to date: do all your contributed modules run on their latest versions?   Weed out any deprecated API from the custom projects that your website's using   Update core to Drupal 9   Word of caution: if your website (still) runs on Drupal 7, upgrade to Drupal 8.  To sum up, the shortest path to a smooth upgrade to Drupal 9 is sticking to the best practices:   remove all deprecated code (go for an automated tool like drupal-check or Rector to identify deprecations on your website) update your Drupal core and contributed projects to their latest versions   Or, you can leave all the preparations to us. Just drop us a line and we'll evaluate your website's level of... readiness:   Is there any deprecated code still “lingering in there? Does it run on Drupal 7? Are there any outdated versions of PHP or MySQL that it is still using?   Then, we can come up with a plan to get it Drupal 9-ready. Image by Marsel Elia from Pixabay   ... Read more
Adriana Cacoveanu / May 20'2020
Top 10 Drupal Websites in Asia: From The Jakarta Post to... the Mitsui Chemicals
What are the top 10 Drupal websites in Asia?  What famous Asian brands, newspapers, NGOs, key players in various industries, have their websites powered by Drupal? To answer your question, we've done some digging and put together a selection of the best Drupal-based websites in Asia, ranging from the most popular to the most niche ones:   1. Mitsui Chemicals Inc., Japan   Japan's leading chemicals manufacturer runs its multi-site infrastructure on Drupal. Why Drupal?   because of the powerful multi-site and multi-language features that it provides, out of the box because Drupal enables them to store content centrally and then share it, personalized for each country, across their ecosystem of sub-sites: Japan, Germany, China, Singapore   In short: Mitsui Chemicals Inc. needed a robust CMS. One that could withstand its heavy structure of domains and groups of sites and enable them to manage all their content on a single platform. 2. ABS-CBN News and Current Affairs, Philippines The news division of this reputed media corporation in the Philippines —  ABS-CBN — has its website powered by Drupal. And the reasons why they chose this CMS are... pretty obvious:   we're talking about a complex network of various types of content: video, multimedia, story... the website delivers critical news in real-time, so Drupal's feature of processing and publishing data in real-time is critical for them the newspaper has a whole community of online readers built around it, so it depends on Drupal's access control system   A content-heavy, high trafficked website, that updates its content in real-time… Drupal's built precisely for this type of scenarios. And that's why ABS-CBN News and Current Affairs is listed among the top 10 Drupal websites in Asia. 3. The Haribon Foundation, Philippines Now, we couldn't have left out non-profit organizations from our list of popular Drupal websites in Asia, now could we? The Haribon Foundation is a biodiversity conservation organization in the Philippines, that trusted Drupal for turning its website into a user engaging one. One that tells their story right to all the future volunteers, donors, members, and partners. Why Drupal?   because it ships with plenty of built-in functionality, enabling them to get their website up and running in no time because it provides them with a robust taxonomy system, which enables them to categorize and organize their content  because it's scalable: it's built to accommodate all future initiatives, no matter how bold, and all future loads of traffic because it's open-source  because it's easy to use by non-technical users (anyone can create, add, publish, and further edit content)   4. The Beijinger, China A community website with an audience made of English-speaking expats living in Beijing, China. Why did they go with Drupal?   because of the different types of content that they display on their website, ranging from forums to events, to reviews, podcast, blog, directory, photo gallery because a significant part of the content is user-generated, which means that they can get the most of Drupal's user role and permission-based access control system  because they needed a CMS that could grant them the best editorial experience: adding and editing so many types of content, on different sections of the website, had to go... smoothly   5. The Jakarta Post, Indonesia, One of the Top 10 Drupal Websites in Asia The largest English language newspaper in Indonesia, The Jakarta Post is on the list of the key media sites using Drupal. A heavy load of content, that needs to be updated in real-time... these are just 2 of the key factors that turned Drupal into the only CMS suitable for this high trafficked newspaper site.   6. Amman Stock Exchange, Jordan Another one of the top 10 Drupal websites in Asia, due to:   the crucial role that this economic platform plays in the region  the outstanding user experience that it provides, despite the complex technical challenges that it needs to deal with “in the backstage”   Why did they choose Drupal over any other CMS option?   Drupal enabled them to provide their users a mobile-first experience: a seamless user experience was crucial for the Amman Stock exchange website, with users being enabled to view charts, graphs, and tables on the go, from any devices Drupal provides the right tools to “empower the end-user”: users can set up and easily manage their own portfolios on the website, set filters for the content that they receive, personalize their notifications, etc. Drupal's robust enough to withstand high spikes of traffic Drupal integrates seamlessly with their ecosystem of third-party systems, that provide the Amman Stock Exchange users with market and financial information Drupal is multi-lingual right out of the box: Amman Stock Exchange could provide a personalized experience to business owners and investors from all over the world   7. Pacific Aikido, Japan The Aikido dojo, which been teaching its classes in and around Tokyo since 1991, has its website powered by Drupal. And it's no surprise to anyone why they chose it:   Drupal makes it plain easy for the end-users to manage their own content: students and parents can log in and engage in conversations with the site owner, while the latter can upload and update content quick and easy Drupal's conveniently extensible: it enabled the team working on this project to implement the Image API and thus enable the site owner to upload his/her own images nice and easy   Images that get resized automatically, by default, once published on the website... The website's both a public-facing site and an easy to use private back-end, where students and parents can communicate with the site owner. 8. Playtika, Israel We can't put together a list of the most popular Drupal websites in Asia and not include Playtika, the leading gaming company based in Tel Aviv, Israel. Since Drupal ships with a whole collection of responsive tools and responsive themes, it made it a lot smoother for their UI and UX design to look great on both their web and mobile websites. 9. Al Bawaba, Jordan This independent digital news, blogging, and media platform — the largest one in the Middle East — is on all the “Top 10 Drupal websites” selections. Why did they decide to build their digital presence with Drupal?   because they have a large, diverse, and expanding content team — different types of editors, researchers, journalists, publishers — so they decided to leverage Drupal's system of user roles and its flexible content workflow because they depended on Drupal's powerful SEO features because they were facing increasingly high volumes of content (multimedia content here included) and Drupal's built with content-packed websites in mind   An efficient digital media assets solution and a conveniently scalable CMS were critical for this content producer and distributor in the Middle East. So, Drupal was the only CMS framework that checked all the requirements off their list.   10. Taiwan Environmental Information Center     Another NGO — the “product” of a larger non-profit and non-governmental organization: Taiwan Environmental Information Association —that's earned its place among the best Drupal websites in Asia. Their website stands out as an extensive network of environment-related information: editorials, green events, feature articles, news... Now, the reasons why they trusted Drupal with their digital presence are clear to anyone:   it's open-source it empowers the content team to add, edit, and publish content (multiple types of content) on the fly it's extensible and conveniently scalable it's non-technical user-friendly   The END! This is how our list of “top 10 Drupal websites in Asia looks like”. What other websites would you have added?Image by Lizbet Palmer from Pixabay   ... Read more
Adriana Cacoveanu / Apr 21'2020