Over a million developers have joined DZone.

Drupal Security: Top Tips to Secure Your Drupal Application

DZone's Guide to

Drupal Security: Top Tips to Secure Your Drupal Application

If you used Drupal to create and manage your site, read on to get some great tips to keep your site safe from cyberattacks.

· Security Zone ·
Free Resource

Discover how to provide active runtime protection for your web applications from known and unknown vulnerabilities including Remote Code Execution Attacks.

Drupal is a very popular Content Management System (CMS) on the Internet today. Drupal security should be at the forefront of anyone running a Drupal site, especially if you're running older versions of the CMS or it’s modules since these are a ripe target for attackers.

In this post, we’ve taken some time to detail a few measures which can be taken to address Drupal security, outlining the basic security holes or malpractices that are commonly present in thousands of Drupal sites.

Running the Latest Version of Drupal

Running the latest version of any software is probably the most obvious first security measure to take. However, with millions of sites still running old and vulnerable versions of the CMS, this point is still one that needs to be stressed.

Updates of Drupal not only bring with them new features but more importantly, bugfixes and security fixes are made available. Updates help your site remain safe against common, easy-to-exploit vulnerabilities.

Running the Latest Versions of Modules

Running the latest version of Drupal alone is not enough to secure your site. Modules you install on your Drupal site that contain vulnerabilities will undoubtedly increase your site’s attack surface.

Therefore, making sure that your Drupal modules are up-to-date is essential. In doing so, you can make sure your site is covered with the latest security updates by the extension’s author.

Drupal Updates Screen

Be Selective When Choosing Modules

Drupal allows you to extend and customize your site with thousands of modules. Extending your site’s capabilities and customizing it to your requirements is important, however, it should never come at the price of your website’s security.

Even if your Drupal installation and modules are all up to date, it does not mean that a site is not vulnerable to attack. Attackers can try to enumerate installed modules to discover what modules you have installed on your Drupal site. By avoiding the installation of unnecessary modules, you would automatically be reducing your site’s attack surface.

When choosing modules to install, be selective. Before installing an extension you should read about it (ideally read reviews from other users on websites other than the extension developer’s site). This prevents you from installing malware or modules that do not fit your purpose.

Check how many downloads the extension has and when it was last updated by its authors. The more downloads and recent updates the extension has, the more likely it is that a vulnerability that is found will be fixed quicker.

Drupal 'Extend' screen

Remove Inactive Users

Keeping inactive users on your Drupal site increases your attack surface. Users, especially Administrators and others who have the ability to modify content, are possibly one of the weakest points of any site because, and, unfortunately, most users tend to choose weak passwords.

If you absolutely need to keep inactive users in your Drupal database, change their role to ‘Authenticated user’ in order to limit any actions that could be performed.

Take Advantage of Drupal’s Status Report Functionality

A great security feature to take advantage of in Drupal is its built-in Status Report page. Apart from allowing you to keep tabs on other areas of your Drupal site, the Status Report page, provides you with visibility into some important security controls that you should be placing on your Drupal site — for example, the screenshot below indicates that we need to set-up a list of Trusted Host Settings to prevent the possibility of a host header attack from occurring.

Drupal Status Report

Configuring Trusted Host Settings

Drupal has a feature that tries to automatically figure out the base URL of the site (unless it's already explicitly configured). This can result in a host header attack taking place, specifically because the ‘host’ HTTP header can be forged by an attacker and therefore cannot be trusted.

Fortunately, Drupal has a built-in method of working around this issue by explicitly defining which hostnames are to be accepted as valid host headers. This can be achieved by adding the following to your Drupal site’s  settings.php.

If a site is run off of a single, canonical domain, then you can include the following in sites/default/settings.php to allow the site to only run from www.example.com.

$settings['trusted_host_patterns'] = array(

If you need to run your site off of multiple domains and are not redirecting to a singular domain, then you can include the following in settings.php to allow the site to run off of example.com and example.net, with all subdomains included.

$settings['trusted_host_patterns'] = array(

If we revisit Drupal’s Status Report, we can see the alert in the previous screenshot has been resolved.

Drupal Status Report with Trusted Hosts security alert resolved

Security Configurations

Heads up — Depending on your webserver’s configuration for active modules, the following could break some functionality. It is strongly advised to try out any configuration in a testing/staging environment before changing any configuration on production servers.

Keep an Eye on the Logs

Drupal has a built-in log viewer (Manage > Reports> Recent log messages) which you should certainly take advantage of. Logging plays a crucial role in understanding when an attack is underway and what happened after an attack occurred. By keeping an eye on logs, you can mitigate the effects of a security breach by paying attention to early warning signs such as failed login attempts.

Drupal Logs

Enable HTTPS

Strictly speaking, HTTPS is not a protocol in and of itself, but it is rather HTTP encapsulated in TLS/SSL. TLS, or SSL, as it is commonly referred to, provides websites and web applications with encryption of data being transmitted and authentication to verify the identity of a host.

HTTPS is usually synonymous with shopping carts and Internet banking, but in reality, it should be used whenever a user is passing sensitive information to the web server and vice-versa.

Most sites do not necessarily need to serve their entire site over TLS, however, since Drupal does not have an administrator-specific area, it’s strongly advised that TLS/SSL is not only implemented but enforced.

In order to enforce TLS/SSL on your Drupal site in an Apache HTTP Server, you will need to add the following configuration in your Drupal site’s .htaccess file (this is usually located in your website’s root directory).

Note: You must already have TLS/SSL configured and working on the server before you site will work properly wth these settings applied.

# Force HTTPS across the Drupal site
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]

Find out how Waratek’s award-winning application security platform can improve the security of your new and legacy applications and platforms with no false positives, code changes or slowing your application.

security ,drupal ,web security

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}