5 Ways to Secure your Drupal Website

5 Ways to Secure your Drupal Website 4 min read

It seems like every time you turn around another major company has been hacked. Millions of dollars lost, the attackers have been in there for months and, more often than not, there were basic security precautions that were overlooked.

 

While there is no bulletproof strategy to keep attackers out, there are a few things that you can do to make it harder for them to compromise your systems.

 

1.) When handling sensitive information, ENCRYPT IT!

One of the best ways to keep data secure, is to encrypt both the transfer of data from your website to the user and encrypt the data at rest (when it’s stored in the database). This begins with a properly installed SSL certificate coupled with the Secure Pages module in Drupal. This isn’t done by default, and if mishandled could provide a false sense of security so make sure you use tools like this one to verify it’s set up properly.

 

Depending on the information you need to secure, you can also use these modules to encrypt your data:

 

 

2.) Ensure your administrative section is locked down

If you limit administrative access to one to two people, you’ll have less of a chance of an attacker compromising your site. Take a look at how many people have this level of access and ask yourself — “Do they really need full access?” Drupal has an amazing permissions management system that will allow you to manage access rights.

 

You can further this level of security by limiting the number of login attempts to your administrative section. The module Login Security can help to avoid Brute Force hacking attempts.

 

3.) Keep your modules and backups up-to-date

If you own a website, you should have some sort of backup and update plan in place. Even if you only do it monthly, it is extremely important.

 

Modules like Backup Migrate can help you to manage the backing up portion. Most hosting providers have some sort of solution enabled to automate these for you, so it’s worth researching.

 

As for the updates (available at /admin/reports/updates) — these should be checked regularly. Security updates often come without warning and can patch some fairly nasty holes in the module’s security. We recommend checking for these on a weekly basis and setting up a off-hour maintenance schedule to push the new releases up to your website.

 

4.) Remove any unused modules

If you’re not using a module and it’s just sitting there — remove it! Old modules present a security risk and increase maintenance time. Removing these extraneous modules will also speed up your Drupal installation.

 

Remember: “Less is more.” 

 

5.) Make sure custom modules are sanitizing data

There are a few great functions that you can use to filter and sanitize user-supplied data. This is a great  tactic to keep intruders out.

 

At the very least, you should use the filter_xss function to limit your risk.

 

For more information on how to secure your Drupal installation, check out the Securing your site thread on Drupal.org.

 

 

Related Posts