The Guide to Drupal Security


Website security is one of the top things Internet users are interested in. Service providers and regular visitors are extremely attentive to how well their content, data, and ownership rights are protected.

This time, we are going to talk about Drupal website security. Drupal claims to be a highly secure web tool. It meets the online software standards and occupies the leading position among the top three global Content Management Systems, followed by WordPress and Joomla. However, online businesses always include some risks, and Drupal solutions are no exception. In our article, we shall provide you with the most crucial information in our Drupal security review and assist you in making your Drupal website more secure.

CMS Drupal Security

Continuous arguments regarding the security of certain software solutions have to be backed up by evidence. In fact, each community and every contributor considers the solution they are working on the safest and the most trustworthy software tool. Let’s take a look at the facts that can ensure that Drupal is safe:

  • Official Standards

Open Web Application Project Standards are a set of rules for improving software security. These standards take into account the greatest risks for online entrepreneurs and thus help to improve online business security.

  • Team of Experts

The fact that Drupal is one of the strongest CMS's makes contributors take its security very seriously. This is why Drupal has a whole department of security experts. Those people carefully analyze the potential risks, report the vulnerabilities, and suggest how to secure Drupal sites.

The security team helps to solve various issues and works on creating and improving the documentation devoted to website security. Drupal components and modules are thoroughly tested before their release. Besides that, when a software specialist suggests a new solution to the Drupal team, the core maintainers check it and test it once more to ensure they release only impeccable extensions.

  • Attentive Community

The Drupal community is amazing! It includes over 1,000,000 software developers, creative designers, trainers, sponsors and enthusiasts from all over the world. All of them keep a finger on the pulse of Drupal’s code, detect issues, and report them to the security team. In this way, any trouble is solved within the shortest terms.

  • Users’ Passwords

All passwords stored in the Drupal database are encrypted. This CMS allows encrypting the whole database or its components, user accounts, content, etc. In case of a cyber attack, the information will not end up lost or stolen.

  • Access Controls

You can choose the access control that fits your business the most. Drupal provides various options: access for users, content managers, unauthorized visitors, etc. The website admin can manage the access easily, according to the number and tasks of the engaged parties.

9 Steps to Improve Your Drupal Website Security

Website security has no limits. Even if you are sure about the created solution, you can always make it better. The same applies to Drupal solutions. Yes, your data is protected, but why not strengthen this protection and make your visitors feel safe and sound? A continuously growing solution with a great number of contributors can still be hacked anytime. And, as the attack and its power are unpredictable, you better prepare for it properly.

Our Drupal security checklist will provide you with step-by-step information on how to improve your website.

1. Update Your Website Version as Often as Possible

Usually, hackers attack older versions of software solutions. For example, millions of Drupal users were significantly affected by hackers back in 2014. In order to avoid such major attacks, Drupal contributors recommend keeping the version of Drupal and each of its extensions up to date. This is one of the Drupal 8 security best practices for keeping your website safe.

How to check whether a new version has been released:

  • go to the Reports section,
  • pick the Available Updates option,
  • or check manually and find more updates.

2. Always Backup Your Website

Regular backups will help you plan your actions in case of a damaging attack. With the latest backup, you can easily do a rollback and restore your data without losses.

Take note: it is better to backup your website before updates. In addition, some Drupal hosts offer you great development environments with the opportunity to backup your website in one single click.

3. Forget About QWERTY Passwords

Yes, as well as “admin” usernames and other passwords consisting of 4 numbers only. What we want to say is that you should take your username and password very seriously. Choose smart usernames and strong passwords – this is one of the best and easiest ways to improve your website security.

The World Wide Web is full of bots constantly browsing the network and trying to attack websites and steal user data. Over 75% of websites get attacked because of weak passwords. By implementing this simple practice, you can protect your website and your visitors’ personal data.

4. Use Modules to Protect Your Website Better

The number one tip here is to download and install only trustworthy Drupal extensions. Choose modules and themes developed by the Drupal core team or other trustworthy companies.

We have prepared a brief list of the must-have Drupal 8 security modules you should know about and install.

  • Login Security

This module limits the number of login attempts. Another feature is denying access to certain IP addresses.

  • Password Policy

Password Policy extends the security password policy and assists you in improving it. With its help, you can strengthen passwords within seconds.

  • Captcha

The well-known captcha feature would be useful on your Drupal website too. This tool can detect spam bots and block their submissions.

  • Automated Logout

With this extension, the website admin is allowed to log the user out after a certain period of time.

  • Content Access

This tool is irreplaceable for successful content management. It allows managing access to different types of content for the authors and users.

  • Coder

Coder is a module for technical specialists. It checks the written code, compares it to existing standards and suggests useful tips.

  • Hacked!

The Hacked! module keeps a digital eye on the Drupal code and detects whether any changes have been made or not.

5. Detect and Block the Bots

You cannot get rid of the bots completely, but you can minimize their impact on your website. There are 2 possible ways to detect and block the bots attacking your website:

  • use the above-mentioned module or a similar one,
  • modify the code at the server level.

It is quite clear how to run a Drupal module, but server-side modifications may take time and effort. Anyway, we would like to clarify this option for you as well:

  • User Agent Strings

To block them all at once, add a few lines of code to the .htaccess file:

RewriteEngine On

RewriteCond %{HTTP_USER_AGENT} ^.*(agent1|Wget|Catall Spider).*$ [NC]

RewriteRule .* - [F,L]

  • BrowserMatchNoCase Directive

Use it to protect your website as much as possible:

BrowserMatchNoCase "agent1" bots

BrowserMatchNoCase "Wget" bots

BrowserMatchNoCase "Catall Spider" bots

Order Allow,Deny

Allow from ALL

Deny from env=bots

6. Use Secured Connections Only

Always make sure that the connection is really secured. Use SFTP or SSH encryption. FTP clients are even able to store the encoded password on their computers.

Check your home router and firewall rules. Besides that, if you often use public networks, do not consider them as trusted ones. Your web host's security makes a difference as well. They should use the up-to-date versions of programming languages and frameworks, take care of the account isolation and firewalls, etc. Take note: if your web hosting prices are suspiciously low, it may mean the level of security is low.

7. Manage the Permissions

Define precisely who is allowed to read, write and modify data and content on your website. Always use the correct file permissions and use Drupal documentation devoted to the security of permissions and ownership.

Pay particular attention to the important and sensitive files. Restrict access to the following ones:

  • authorize.php,
  • upgrade.php,
  • cron.php,
  • install.php.

8. Get the SSL Certificate

Each eCommerce website needs to own a special SSL certificate. The reason is simple: eCommerce websites process users’ personal data and, therefore, they need to demonstrate an extra level of reliability. So, let the HTTPS connection be the one and only thing you use for running your website.

9. Harden the Headers

By strengthening your HTTP security headers, you can reach a better level of protection. The headers control how your browser works and suggest how to behave with your content.

The implementation of such HTTP headers as Content-Security Policy, X-XSS-Protection, Public-Key-Pins, etc. will positively impact your website security.


Drupal CMS is one of the most popular tools in the web development world. The great, responsible community, dedicated team of contributors and professional security team make Drupal users feel confident and safe while using their solution. Along with that, there is a number of ways to improve Drupal security. Following our guidelines and trying the best tips we have described, you can keep your website safe. Awesome Drupal 8 security modules can help you to handle this task. Take care of your Drupal business and your customers’ safety!

Want to work with us?