How to Make Sure Your Drupal Site is Secure

10 min

Drupal 8 is an advanced CMS containing many built-in mechanisms that are able to provide an appropriate level of security for any type of platform - from a personal blog to a social media network.

So, how to make sure your site is secure? In this article, we are not going into general recommendations which are suitable for any engines (for example, removing unused outdated modules, which are potentially vulnerable to hackers, or updating the used ones regularly). Instead, we will review Drupal security best practices, which describe the specifics of working with security in Drupal 8.

Elimination of Vulnerabilities in the Frontend Code

The very first thing that website developers (who are concerned with providing security) should focus on is vulnerabilities in the frontend code (since to secure a backend, in most cases, it is enough to choose a responsible hosting provider). Drupal 8 allows solving this problem at the root. Let us find out what tools make this happen.

Twig - Template Manipulation Tool

Drupal 8 was supplied with a new tool,Twig, which not only simplifies operations with templates, but also cleans up the HTML code by default. Therefore, you do not need to employ any additional security modules to protect your code against cross-site scripting (XSS) attacks.

Sanitize the Text Inputs

When requesting textual input from the user, it is very important to ensure that there was no malicious code injected into it. To clean such strings, auto-escaping functions of Twig module are employed; or ‘#plain_text’/’#markup’ keys are implemented to the respective fields when constructing the rendering array to engage the auto-escaping mechanism of the renderer. In earlier Drupal versions, the sanitizing function ‘Drupal.check_plain()’ was used, which is now considered to have been superseded and will be removed in the 9th version. Just compare the code that can be susceptible to hacking:

$InputText = $(‘#form-input’).text();

print $InputText;


with a safer code based on Twig template:

$InputText = $(‘#form-input’).text();

{{ InputText }} /* auto-filtering */

{{ InputText|e }} /* use this syntax to ensure that the text is filtered */


or render arrays:

$InputText = $(‘#form-input’).text();

$render = [‘#plain_text’ => $InputText]; /* to filter the plain text */

$render = [‘#markup’ => $InputText]; /* to filter the HTML markup */


Function ‘t()’ with ‘@’ and ‘%’ placeholders can be used to construct safe translatable strings. Function Html::escape() allows one to clean up the plain text. It should be noted though, that if the output of this function is to be used in rendering arrays, it should be marked by the ‘#plain_text’ key. Functions Xss::filter() and Xss::filterAdmin() are useful to sanitize strings that need to allow some HTML tags.

Analyze the Information Submitted by Forms

Working with Drupal, you will need to learn how to handle data in '$form_state object' which stores all the form input safely. For example, when sending GET and POST requests from the frontend to the server, some data can be perceived by the specific Drupal functionality as being in an incorrect format (the strings can be perceived as arrays and vice versa). This happens because the browser itself does not have any capabilities to discern the type of the element passed from the form. This vulnerability can lead to attacks in the form of SQL injections. To solve this problem, Drupal provides the function validateForm(), which allows the developer to analyze the data independently, handle the incorrect input errors, and request the user to provide the fixed values.

Secure the Database Queries

Tacital policies of the Drupal site security offer the use of PDO PHP-extensions to install the secure connections with the database. Thus, the probability of attacks using SQL-based vulnerabilities is minimized. In fact, the PDO encourages developers to use those methods of API, in which parameters are specified instead of specific values to handle the database.

Below you can see a particular example of standard entry:

$query_result = db_query(“SELECT u.uid FROM {users} u WHERE = ‘$name’”);


To make it safe from exploitation by hackers, turn it into a parametrized query like this:

$query_result = db_query(“SELECT u.uid FROM {users} u WHERE > %s”, $name);


In this case, a ‘$name’ parameter would be properly let go before being added to the request.

Protect Your PHP Files

When creating any site on the base of a ready-made engine, the description of the process for generating PHP files can create many security problems. In order to exclude the possibility of unauthorized changes, the developer can resort to a standard solution for this problem, as described in the documentation for Drupal 8. The security can be guaranteed by creating an intermediate environment for file generation. In turn, the functionality, describing the methods for storing these files, allows setting read-only access to them. At the same time, each instance that these PHP files are extracted by the kernel, it is checked whether the date of their change coincides with the same attribute in the directory.

Assigning Access Rights to the Site Contents

The core of Drupal was created in such a way as to provide the best experience of working with the site for ordinary users and truly extensive opportunities for its administration - for a site owner. On the other hand, if you organize access to the administration panel for more than one user, it would be best to take care of assigning the appropriate access policies in the .htaccess file.

Among the most frequently employed policies is the ban on the creation of new accounts, the delineation of rights for anonymous and registered users, and shutting down the testing module (misuse of which can reduce the site's performance).

In addition, you can automate the process of sending alerts about suspicious activity within your site by setting your email or social network account in the respective field of the MyNewsletters tab.

Use Only Secure Passwords

Our Drupal security checklist is concluded by the recommendation to enforce the strict rules for the creation of high-security passwords. Passwords are generally a separate topic when it comes to safety. In order to gain access to the web resource, it is not necessary to look for vulnerabilities in its code. This can be done more simply by means of human engineering.

There are many hacking programs with dictionaries, which, without the direct participation of the hacker, bruteforce the passwords. As a result, after a couple of days, even the most sophisticated passwords can be cracked. To minimize the likelihood of unauthorized intervention, note the following “must have” list of recommendations:

- Avoid using simple passwords. You can check the top 500 worst passwords of all time to see if your password falls into this category. Such credentials will make your site easy prey for intruders.

- Do not use your personal data. Never use your personal data (names, dates of birth, pet names, etc.) to create passwords. Any logically ordered information can be easily found by hacking tools or discovered by hackers. Many developers recommend using password generation services, which create completely random passwords according to preset criteria from collections of letters, numbers and special characters. They are harder to remember (remembering such a complex password can be problematic; to store them, you can connect a special module) but they provide much better protection.

- Limit the number of failed login attempts. The Drupal kernel automatically limits the activity of a user who has entered the password incorrectly five times in a row. However, if you think that such a level of protection for your site is not enough and you want to improve the default mechanism, simply connect the login safety insurance module to the site and/or add a CAPTCHA panel.

How to Ensure Your Site Security: Summary

As you can see, the 8th version of Drupal has reached the level where the vast majority of vulnerabilities are eliminated automatically, without the direct participation of the developer. However, when it comes to sites where you need to maintain an enhanced level of security (e-commerce and government sites, for example),  additional measures are necessary.

In this case, instead of relying solely on your own powers, it is better to entrust the development to experienced professionals. We are happy to assume this responsibility and create for you a solution that will be extremely resistant to all sorts of malignant attacks.

Want to work with us?

Looking for a Drupal team?

Build your product with the industry leader

Talk to us!
Looking for Drupal solutions?