Drupal has a great reputation as a CMS with excellent security standards and a 30+ member security team to back it up. But for some Drupal-running sites, we must take other actions rather than just keeping Drupal and its modules up-to-date with each and every security release and security needs to be regularly re-evaluated..
No doubt, the Internet can be a dangerous place, lots of hackers, bots, viruses and people potentially looking to make a quick profit off bad configured websites. In such an environment, it becomes more and more important to make your Drupal website as secure as possible.
Let’s take a look at some of the best security modules that you can have on your Drupal site to make it more secure and foolproof.
The login page to your site is like the gate to your house. It only makes sense, then, that the first thing to strengthen would be the login process. An excellent module for this purpose is the Login Security Module.
Login Security module improves the security options in the login operation of a Drupal site. By default, Drupal introduces only basic access control denying IP access to the full content of the site.
With Login Security module, a site administrator may protect and restrict access by adding access control features to the login forms (default login form in /user and the block called "login form block"). Enabling this module, a site administrator may
- limit the number of invalid login attempts before blocking accounts,
- or deny access by IP address, temporarily or permanently.
A set of notifications by email or Nagios may help the site administrator to know when something is happening with the login form of their site:
- password and account guessing,
- bruteforce login attempts or just unexpected behaviour with the login operation.
For alternative controls, Login Security can disable Drupal core's login error messages, obfuscating the reason for the login failure. This could make it harder for an attacker to discover whether the account even exists.
A CAPTCHA is a challenge-response test most often placed within web forms to determine whether the user is human. The purpose of CAPTCHA is to block form submissions by spambots, which are automated scripts that post spam content everywhere they can. The CAPTCHA module provides this feature to virtually any user facing web form on a Drupal site.
A module that’s going to become your best friend on your journey to make you site foolproof, Security Kit is an all-in-one module for your site that allows your to configure, tweak and set up various options in order to minimize the chances of any attacks on your site.
SecKit provides Drupal with various security-hardening options. This lets your mitigate the risks of exploitation of different web application vulnerabilities.
- Content Security Policy implementation via Сontent-Security-Policy (official name), X-Content-Security-Policy (Firefox and IE) and X-WebKit-CSP (Chrome and Safari) HTTP response headers (configuration page and reporting CSP violations to watchdog)
- Control over Internet Explorer / Apple Safari / Google Chrome internal XSS filter via X-XSS-Protection HTTP response header
- Fix of Drupal 6 core module Upload issue http://drupal.org/node/803430 (Drupal 7 version lacks this option as long as Upload was replaced with FileField module)
- Prevent content upsniffing and serving files with incorrect MIME-type via X-Content-Type-Options: nosniff HTTP response header
Cross-site Request Forgery
- Handling of Origin HTTP request header
- Implementation of X-Frame-Options HTTP response header
- Implementation of HTTP Strict Transport Security (HSTS) response header, preventing man-in-the-middle and eavesdropping attacks
- Implementation of From-Origin HTTP response header
Setting up a password policy for your site is a good idea, as it not only keeps bots away, but also helps to ensure that users keep a strong password and not just the ‘password123’ type. A strong password helps prevent breaches on your site, making it a lot more secure in the process.
A password policy can be defined with a set of constraints which must be met before a user password change will be accepted. Each constraint has a parameter allowing for the minimum number of valid conditions which must be met before the constraint is satisfied.
Example: an uppercase constraint (with a parameter of 2) and a digit constraint (with a parameter of 4) means that a user password must have at least 2 uppercase letters and at least 4 digits for it to be accepted.
Session Limit allows administrators to limit the number of simultaneous sessions per user.
Max session is configurable, no database tables needed.
By default, a session is created for each browser that a user uses to log in. This module will force the user to log out any extra sessions after they exceed the administrator-defined maximum.
Assuming the session limit is 1, if a user is logged in to a Drupal site from their work computer and they log in from their home computer, they would be forced to either log off the work computer session, or abort their new login from home.