How to Improve Drupal Website Security [+ Free Checklist]

We all know Drupal as a trustworthy content management system used by numerous websites. According to BuiltWith, among the top 10K popular websites, 9.51% are built with Drupal. The renowned CMS has become a leading solution on the market in large part due to the highly secure software that lies at its core.

Still, if you take a second to consider the treacherous realities a commercial website operates in, one top priority stands out: establishing all-around protection and securing your web resource to the max.

Otherwise, the next time you try to access your resource, you may find that it has been hacked and its URL stolen, which is the worst-case scenario for any striving project.

The good news is that we can always learn from others’ mistakes. So, if you want to keep your website maximally protected, read this comprehensive guide on Drupal security.

Is Drupal a Secure CMS?

Many people believe that Drupal is the most secure content management system. Indeed, it has a strong reputation as a reliable platform, enough that the official resources of numerous governmental organizations run on it, including the NASA website. But what are the reasons Drupal is considered to be so trustworthy?

There are several factors that impact Drupal security:

Impressive community

Currently, there are over 1 million websites created with Drupal. With such a big community of people working on this platform, the code and functionality are being constantly reviewed. Any person who notices some sort of vulnerability can report it to be fixed in the future.

Drupal security team

To provide support for developers and resolve security issues, Drupal has a team of reliable people with a proven track record in the community. They provide users with instructions on safe coding, process issue reports, and create security releases to eliminate problems in the shortest time possible.

Password encryption

Drupal uses a complex procedure to protect users’ accounts from password attacks. Once a password is created, it is salted (enlarged with additional characters) and hashed (one-way transformed with a mathematical function). The hash salt is unique for each particular website, making it extremely hard to recover a user’s initial password from the database.

However, even with all these factors, Drupal is not invulnerable. Therefore we have gathered our best insights on how to improve Drupal website security.

10 Steps to Increase Drupal Site Security

Even if you use the most solid CMS, unreliable software and careless development can dramatically harm your website’s security. At the same time, there are several Drupal security best practices to follow when you want to protect your website.

1. Update Core and Modules to the Latest Version

It may sound obvious, but regular updates are both the simplest and the most effective way to secure Drupal. The Drupal team is consistently working on the project, releasing new features and eliminating vulnerabilities. You could manually track new updates and apply them to your website: the process won't take too much time. Alternatively, there are automated updating solutions like DropGuard.

2. Keep an Eye on Security Advisories

The Drupal security team always monitors the situation and sends out notifications when risks are revealed. They inform users of possible security vulnerabilities and instruct them on how to solve these problems. It’s important to stay in tune with these security notices to know which parts of website protection should be enhanced, but keep in mind that security flaws may come from many different sources. Even though you are using one of the most secure CMSs in the game, it’s best to diversify your approach to reach a sufficient level of security.

3. Revise the Modules You Use

The first thing to do here is to browse all the modules you have installed to find the outdated and unused ones. Once you have found one, you should either update it to a new (and secure) version or delete it. Remember that an outdated piece of code doesn’t just waste your website’s resources, it is also more accessible to attackers.

What is more, you should be particularly careful with modules from third-party providers, because, without proper community control, they can be potentially vulnerable. Try to use reliable modules downloaded from the official Drupal website.

4. Pay Attention to Server Security

Protecting the server-side environment is one of the most important measures for Drupal website security. Here, you should pay attention to a whole spectrum of security aspects. First of all, ensure that you are using only secure connections (HTTPS) by installing an SSL certificate. This will not only prevent hackers from accessing the transferred data but will also help your website rank higher in search engines.

Use encrypted protocols such as SSH or SFTP to keep your data protected. At the same time, avoid FTP: being one of the oldest protocols, it may seem convenient, but it lets users store encoded passwords on their computers. Later, these passwords can be stolen by local computer viruses.

Ultimately, choose only reliable web hosts that use up-to-date software and frameworks and can maintain a high level of security. Speaking of ‘up-to-dateness’, updating all your software, including PHP versions, versions of modules and the server’s operating system, should be among your top priorities as well.

All in all, security measures require a complex approach: even well-tried-and-tested hardware purchased in the box can be flawed, as indicated by last year's sad example from Intel. Try to be as thorough as possible and provide protection for every single ‘breachable’ aspect of both the software and the hardware that make up your project’s ‘life support’.

5. Secure Your Passwords

Yes, Drupal encrypts all collected passwords, making them hard to access from the database, but the user side’s security is your responsibility. Short and easy passwords may be easily hacked by attackers who then can get into your system. To prevent user-side attacks, follow a strong password policy, defining requirements for passwords. The common practice is to use special characters, upper and lower case and set up minimal length so the resulting passwords will have high entropy.

6. Control File Execution

If you allow users to upload documents to your website, hackers may use it to upload malicious scripts and viruses into your system. This problem can be easily solved by specifying the input files’ format. Browse “File Uploads” and “Content Types” pages to define the permitted file extensions, and exclude HTML and script files from these lists.
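The extension rule described above can also be enforced in code. The following is an added example, not Drupal's own upload handling; the function name and both extension lists are assumptions chosen for illustration. It also covers names such as shell.php.jpg, where a script extension hides in front of a permitted one.

```php
<?php
// Added example: standalone allowlist check, not part of Drupal.
// Both extension lists are illustrative assumptions.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];
// Types a server may execute or a browser may render as active content.
const BLOCKED_EXTENSIONS = ['php', 'phtml', 'phar', 'pl', 'py', 'cgi', 'sh',
                            'js', 'html', 'htm', 'svg', 'htaccess'];

/**
 * Returns null when the upload name is acceptable, or the rejection reason.
 */
function upload_rejection_reason(string $filename): ?string
{
    // Reject control characters (including NUL) before any other handling.
    if (preg_match('/[\x00-\x1f]/', $filename)) {
        return 'invalid file name';
    }
    // Drop any client-supplied directory part.
    $name = basename(str_replace('\\', '/', $filename));
    // Some filesystems ignore trailing dots and spaces ("a.php." -> "a.php").
    $name = rtrim($name, '. ');
    $parts = explode('.', strtolower($name));
    if ($name === '' || count($parts) < 2) {
        return 'missing extension';
    }
    $final = array_pop($parts);
    if (!in_array($final, ALLOWED_EXTENSIONS, true)) {
        return "extension .$final is not permitted";
    }
    // Inspect inner segments too: some server configurations pick a handler
    // from any extension in the name, so "shell.php.jpg" may still execute.
    array_shift($parts); // the base name itself is not an extension
    foreach ($parts as $inner) {
        if (in_array($inner, BLOCKED_EXTENSIONS, true)) {
            return "inner extension .$inner is not permitted";
        }
    }
    return null;
}

// Constructed sample names.
foreach (['report.pdf', 'photo.JPG', 'shell.php', 'shell.php.jpg',
          'page.html', '.htaccess', 'notes.txt.'] as $sample) {
    printf("%-14s %s\n", $sample, upload_rejection_reason($sample) ?? 'accepted');
}
```

Of the sample names, only report.pdf, photo.JPG and notes.txt. are accepted; every other name is rejected with a reason.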

7. Browse Permissions

Review the user roles you have and grant them only the minimum necessary permissions. This way, you'll prevent possible abuse of your data. For example, the super admin role should be granted to a limited number of people because it allows access to critical files of your website.

A good practice when creating a new user role is to deny all permissions by default and then allow only the necessary ones. If you are improving an existing website, browse the permission details to learn which users can read or modify certain files, and restrict access where necessary.
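A review of existing roles can be scripted along these lines. This is an added example, not Drupal code: the permission names are Drupal core permissions, while the choice of which ones count as sensitive, the function name and the role data are assumptions made for illustration.

```php
<?php
// Added example, not part of Drupal: flag roles that hold more than they need.
// Which permissions count as sensitive is an assumption of this example.
const SENSITIVE_PERMISSIONS = [
    'administer permissions',
    'administer users',
    'administer modules',
    'administer site configuration',
    'administer software updates',
    'bypass node access',
];

/**
 * @param array<string, string[]> $roles      role id => granted permissions
 * @param string[]                $adminRoles roles approved to hold sensitive permissions
 * @return string[] findings, most severe first
 */
function audit_roles(array $roles, array $adminRoles): array
{
    $high = $review = [];
    foreach ($roles as $role => $granted) {
        $risky = array_values(array_intersect($granted, SENSITIVE_PERMISSIONS));
        if ($risky === [] || in_array($role, $adminRoles, true)) {
            continue;
        }
        $line = sprintf('%s holds: %s', $role, implode(', ', $risky));
        // "anonymous" covers every logged-out visitor and "authenticated"
        // covers every account, so a sensitive grant there reaches everyone.
        if (in_array($role, ['anonymous', 'authenticated'], true)) {
            $high[] = "HIGH   $line";
        } else {
            $review[] = "REVIEW $line";
        }
    }
    return array_merge($high, $review);
}

// Constructed role data for illustration.
$roles = [
    'anonymous'     => ['access content'],
    'authenticated' => ['access content', 'post comments', 'administer users'],
    'editor'        => ['access content', 'bypass node access'],
    'site_admin'    => ['administer permissions', 'administer modules'],
];
print implode("\n", audit_roles($roles, ['site_admin'])) . "\n";
```

With the sample data, the authenticated role is reported as HIGH and editor as REVIEW, while site_admin is skipped because it is on the approved list.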

8. Regularly Create Backups

When talking about Drupal security best practices, we cannot forget backups. On the one hand, you may be concerned that somebody can access your data from a backup. However, the risks of losing all your data as a result of a direct attack are much higher.

Create clean and recent backups regularly. They can help you to revive your website even if the worst scenario happens. What is more, backups are important if you are simply planning to release a new site version, so you will have an option to roll it back.

Note that before moving to a new version you need to check whether your backup can be restored. Also, consider mirroring your website or even creating a triple-redundant security system – the extra measures can be vital in case of an overloaded site.

9. Pay Attention to Antiviruses

An infected admin computer can pose another risk to your website. Therefore, remember to use reliable antivirus software and update it regularly to protect your system from attacks. For server-side security, equip your website with a firewall to protect the connection from unreliable requests. Furthermore, you can use it to prevent connections with Apache users.

10. Run a Security Audit before Publishing the Website

And last but not least, you should double-check that your website is fully protected before actually launching. Creating a security checklist and following it during the development stage may help; however, it is harder to catch your own mistakes. Therefore, it is important to ask another developer to try to hack your site so you get a fresh view of its vulnerabilities.

Best Security Modules

Among the thousands of available modules, there are some that can be extremely helpful for improving your website’s security.

The best Drupal modules for security improvement:

  • SecKit – grants you various security-hardening options such as protection against cross-site scripting;

  • CAPTCHA – protects your system from bots;

  • HoneyPot – another anti-spam module that supplements the previous one;

  • Paranoia – identifies potentially vulnerable places and filters PHP visibility;

  • Password Policy – defines the complexity of the user's password;

  • Security Review – automatically tests your website for security mistakes.


To keep your website protected from any type of attack, follow the Drupal security best practices listed above. Make regular updates and backups, enhance the protection with strong passwords, and use up-to-date antiviruses and firewalls. Protecting your website requires a complex approach; therefore, you should also control the user- and server-side security. Remember that only regular auditing of all processes can minimize the risks of a hacking attack.

Download our free website launch checklist
