Drupal Security Tips

Development Drupal

Drupal is the leading enterprise web content management framework.  With this popularity, of course, comes the increased risk to security. While Drupal in itself, out-of-the-box is widely considered to be very secure, there are additional methods that one must definitely undertake in order to ensure their Drupal site stays attack-proof as much as possible.


Minimum Administrative Privileges

In Drupal, users with administrative privileges have access to each and every section of the site. This, of course, means that administrative privileges in the wrong hands could prove to be the end of your Drupal site. When a new Drupal site is created, a user #1 is also created. This is the highest level of privileges a Drupal site has. It is always recommended to create an admin account and additionally secure this user #1 account before taking the site live. Also, make sure the number of admin accounts on your site is kept on minimum.


Install trusted and supported modules

Modules are what makes up Drupal’s true power and make it so flexible, as such there are boatloads of modules available for Drupal. However, not all modules are created equal; plus they can also be used to hack into your site since in basic terms the modules basically add or alter your site’s code. So, to keep your site safe from malicious attacks make sure you install trusted and popular modules only whenever possible. If you do need the functionality of a module that is not yet very well known then make sure to perform proper research on it before proceeding with installing it on your site.


Keep Drupal core and Modules updated

This point cannot be stressed enough! Yes, it is sometimes a hassle to patch or update your site but it isn’t as much of a hassle it would be trying to recover your site if it gets exposed. Keeping your Drupal site as well the modules installed on it should always be kept up-to-date since these updates often include security patches as well. There’s a reason the Drupal security team releases these updates every so often.

One of the cases for keeping your Drupal site updated could be made owing to the Drupalgeddon as well the more recent Drupalgeddon 1 & 2. This is the name given to a critical security vulnerability that was found to be affecting a huge number of sites running on Drupal. The Drupal security team immediately released security patches for fixing this vulnerability upon its discovery and strongly advised everyone running a Drupal site to patch their sites immediately. You can be rest assured that the sites which aren’t yet patched are probably already exploited by the vulnerability.

While going into the depth of how Drupalgeddon works is an entirely another topic on its own for another day, the main takeaway from this is that keeping your Drupal site and its modules updated is vital to your site’s security efforts.


Choose a Good Hosting Provider

One point that is often overlooked when it comes to considering the security of a site is the hosting provider you choose for hosting your site. While speed and reliability are undoubtedly important factors when choosing a hosting provider, you should also see what kind of security measures they provide. Choosing a hosting provider that has rock-solid security measures in place already lays a strong foundation for your site’s security going ahead.


Security Modules

Modules make a Drupal site. So is there any surprise that there are modules available for Drupal focusing mainly on making it more secure? There are many modules available which provide different methods of making your site more secure, some of them are:


Other Measures

Apart from the tips highlighted above, there are other practices that must be regularly performed to ensure your Drupal site remains impenetrable:

  • Regularly check Drupal’s built-in status reports to get an overview of your site’s back-end status
  • Always check logs to figure out if any suspicious activity could have been performed on your site without you knowing
  • Always make sure to use strong passwords and change them periodically
  • Use two-factor authentication
  • Remove inactive users
  • Remove modules that aren’t of any use to you
  • Make sure you only use trusted themes
  • Limit access to important Drupal core files via the .htaccess configuration file
  • Enable SSL on your site. (Use HTTPS for your site!)
  • Make regular backups of your site



Always keep these tips in mind and stay a step ahead of potential attackers.
If keeping your Drupal site secure as well as maintaining eats up your precious time, then hand these tasks over to us at AGILEDROP. We’ve been in the industry a long time and are trusted by a large number of customers with their sites. Get in touch and let’s discuss your needs!