Protecting your Drupal site should be your number one priority. No site should be entering the digital scene without protection. Think of these modules as your Drupal site’s entourage.

Drupal is a free, open-source web content management platform for content, community and commerce. Drupal powers millions of websites worldwide including some of the busiest — The White House, MTV, NBC, Harvard University, Stanford University, UC Berkeley, and Best Buy. It allows developers to build responsive, scalable, and highly customized websites. It also has a wide community of developers who contribute on modules and themes ensuring an endless supply of customization and creativity for developers.

Due to growing concerns and recent infamous hacks, it has never been more important to protect your site from hackers and external threats. Like other CMSes, Drupal offers timely security updates, but the key difference is that there is the possibility of zero-day vulnerabilities and of vulnerabilities in contributed modules and themes. The first step in securing your website, as well as the server, is to make sure that you are running the most up-to-date version of every module. Normally, if there is any big vulnerability it can be attributed to a contributed module or theme.

Armed with the best security modules, you can ensure a safe and secure site for both you and your clients.


1. Password Policy

The Password Policy module will secure your Drupal site by enforcing more secure passwords. No matter how secure your site may be, one weak password for the wrong user can be like a back door swinging wide open. With a little quick and easy configuration, the Password Policy module can keep that door bolted shut.

Manual Settings

• Whether passwords expire and how often
• The complexity of each password
• And in an emergency, you can force a password change for whole hordes of users — even the whole site
• Send warning emails for users to update password before it expires

You can use any combination of these that you wish. You might choose only expiration, or only complexity, or both. A good suggestion is to force administrators to choose a long, complex password.
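To make the two knobs concrete, here is an added example (not the Password Policy module's own code) of what an expiry-plus-complexity policy evaluates: a password is checked against length and character-class rules, and its age is classified as fine, due for a warning email, or expired and due for a forced change. The rule values, the stricter administrator policy and the sample passwords are constructed for illustration.

```python
# Password policy evaluator: complexity rules plus expiry and warning windows.
# Added example for this article; it is not the Password Policy module's code.
# The rule values and the sample passwords are constructed for illustration.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    min_length: int = 12      # minimum password length
    min_classes: int = 3      # of lowercase, uppercase, digit, symbol
    max_age_days: int = 90    # 0 disables expiry
    warn_days: int = 14       # warning email this many days before expiry


# Character classes a password can draw from.
_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def check_complexity(password: str, policy: Policy, username: str = "") -> list:
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("shorter than %d characters" % policy.min_length)
    classes = sum(1 for rx in _CLASSES.values() if rx.search(password))
    if classes < policy.min_classes:
        problems.append("uses %d character classes, needs %d" % (classes, policy.min_classes))
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def expiry_status(age_days: int, policy: Policy) -> str:
    """Classify a password by age (days since last change) as 'ok', 'warn' or 'expired'.

    'warn' is the point at which the warning email should go out; 'expired'
    means the user must be forced to pick a new password at next login.
    """
    if policy.max_age_days == 0:
        return "ok"
    days_left = policy.max_age_days - age_days
    if days_left <= 0:
        return "expired"
    if days_left <= policy.warn_days:
        return "warn"
    return "ok"


# Stricter policy for administrators, as the article recommends (constructed values).
ADMIN_POLICY = Policy(min_length=16, min_classes=4, max_age_days=60, warn_days=7)
```

A nightly job that feeds each account's password age into expiry_status gives you both the warning-mail list and the forced-change list from one policy object, which is the same split the module exposes in its settings.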


2. Two-Factor Authentication

This added double layer of security is essential and is now the standard for most websites and applications. This module adds an extra layer of security to the login of your Drupal website by asking users to enter a mobile number where they will receive a one-time password. If the user successfully enters the OTP on the second login screen, access is granted. The key here is that it protects a user account even if the password is stolen.


• To set this up, download and set up a mobile device or desktop client application that can generate TFA codes (known as TOTP codes). Popular client applications are Google Authenticator, Authy and FreeOTP. During TFA setup you will be presented with links to these applications, or you can read more in the discussion on TOTP clients.


3. Automated Logouts

This module is like the bouncer at a nightclub — it kicks out people who have been spending too much time inside and are starting trouble. This module gives a site administrator the ability to log users out after a specified period of inactivity. It is highly customizable and includes “site policies” by role to enforce logout.


• Different timeouts based on role
• Disabling of timeouts based on role
• Permission for users to set their own timeout
• Includes some JS mechanisms to keep users logged in even if multiple tabs are open or if the user is working on a form for a long period of time
• Includes developer hooks to allow users to remain logged in depending on your own project specific requirements
• Optional integration with Javascript Timer


4. Security Review

This module is every developer’s perfect sidekick: it performs automated testing for security issues. In itself, it does not actually make your site secure, but instead takes a preventive route by running a series of security checks and providing detailed information on what you can do to fix the findings. Just install, enable, and hit the “Run Checklist” button to see the results.


• Test for system permissions to prevent arbitrary code execution
• Protection against XSS by disallowing tags in input
• Safe error reporting
• Secure private files
• Allow installation of only safe extensions
• Check for DB errors and failed login attempts
• Protect against brute forcing of passwords
• Protection against phishing
• Check user access control


5. Username Enumeration Prevention

Computers can be too nice, sometimes. There is a loophole that should not be overlooked when it comes to passwords.

Attackers can easily find usernames that exist by using the forgot password form and a technique called “username enumeration.” The attacker can enter a username that does not exist and will get a response. All the attacker needs to do is be persistent and keep testing usernames until they find a valid user.

This module will stop this from happening. When the module is enabled, the error message is replaced with the same message a valid user would see, and the user is redirected back to the login form. If the account does not exist, no password reset email is sent, but the attacker has no way of knowing that.
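The fix described above comes down to making both branches of the reset handler indistinguishable to the requester. The following is an added example, not the module's code: a leaky handler whose message and redirect differ for unknown names, beside a uniform one, plus the regression check a reviewer would run against either. The user table and the outbox list are constructed stand-ins for Drupal's user storage and mail system.

```python
# Password-reset handler: the enumeration-prone form beside the hardened form.
# Added example for this article, not the module's code. The user table and
# the outbox list are constructed stand-ins for Drupal's user storage and mailer.
import secrets

USERS = {"alice": "alice@example.com", "bob": "bob@example.com"}   # constructed accounts
OUTBOX = []   # (recipient, token) pairs; stands in for the mail system


def _send_reset_mail(address: str) -> None:
    """Queue a reset message carrying a fresh, unguessable token."""
    OUTBOX.append((address, secrets.token_urlsafe(16)))


def reset_leaky(name: str) -> tuple:
    """Vulnerable: message and destination differ, so the form is a username oracle."""
    address = USERS.get(name)
    if address is None:
        return ("reset_form", "Sorry, %s is not recognized as a username." % name)
    _send_reset_mail(address)
    return ("login", "Further instructions have been sent to your email address.")


def reset_uniform(name: str) -> tuple:
    """Hardened: same message and same redirect whether or not the account exists."""
    address = USERS.get(name)
    if address is not None:
        _send_reset_mail(address)   # unknown names get no email, and no hint either
    return ("login", "If the account exists, further instructions have been sent to its email address.")


def responses_identical(handler, known: str, unknown: str) -> bool:
    """Regression check: a real name and a made-up name must produce the same response."""
    return handler(known) == handler(unknown)
```

One caveat the page does not spell out: a uniform response body is necessary but not sufficient. If the valid branch sends mail synchronously, it takes measurably longer than the unknown branch, so the reset mail should be queued (or the two paths otherwise kept to a similar duration) to close the timing channel as well.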


6. Security Kit

SecKit provides Drupal with various security-hardening options. This lets you mitigate the risk of exploitation of different web application vulnerabilities.


• Cross-site Scripting

Content Security Policy implementation via Content-Security-Policy (official name), X-Content-Security-Policy (Firefox and IE) and X-WebKit-CSP (Chrome and Safari) HTTP response headers (configuration page and reporting of CSP violations to watchdog)

Control over Internet Explorer / Apple Safari / Google Chrome internal XSS filter via X-XSS-Protection HTTP response header

Prevent content upsniffing and serving files with incorrect MIME-type via X-Content-Type-Options: nosniff HTTP response header

• Cross-site Request Forgery

Handling of Origin HTTP request header

• Clickjacking

Implementation of X-Frame-Options HTTP response header

JavaScript + CSS + Noscript protection with customizable text for the disabled-JavaScript message


Implementation of HTTP Strict Transport Security (HSTS) response header, preventing man-in-the-middle and eavesdropping attacks

• Various

Implementation of From-Origin HTTP response header
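Most of what SecKit configures lands in a handful of response headers, and the quickest way to know whether the configuration took effect is to audit what the site actually returns. The following is an added example, not SecKit code: it takes a response header set and reports missing or weak values for the protections listed above (CSP with a default-src fallback and no wildcard or unsafe-inline scripts, nosniff, a restrictive X-Frame-Options, and an HSTS max-age of at least 180 days). The two header dictionaries are constructed samples of a weak and a hardened response; the 180-day floor is a common deployment guideline, not a SecKit default.

```python
# Audit a response header set for the protections SecKit configures.
# Added example for this article, not SecKit code. WEAK_HEADERS and
# HARDENED_HEADERS are constructed samples; the 180-day HSTS floor is an
# assumed guideline, not a value taken from the module.

MIN_HSTS_SECONDS = 180 * 24 * 3600   # assumed minimum; many guides recommend a year


def _parse_csp(csp: str) -> dict:
    """Map each CSP directive name to its source list."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def _hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value (0 if absent or malformed)."""
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                return int(part.split("=", 1)[1])
            except ValueError:
                return 0
    return 0


def audit_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means every checked protection is present."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("no Content-Security-Policy header")
    else:
        directives = _parse_csp(csp)
        if "default-src" not in directives:
            findings.append("CSP lacks default-src fallback")
        # script-src falls back to default-src when not set
        scripts = directives.get("script-src", directives.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in scripts:
                findings.append("CSP allows %s for scripts" % weak)

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        max_age = _hsts_max_age(hsts)
        if max_age < MIN_HSTS_SECONDS:
            findings.append("HSTS max-age %d is below 180 days" % max_age)

    return findings


# Constructed sample: a site that set only the legacy XSS filter and a permissive CSP.
WEAK_HEADERS = {
    "X-XSS-Protection": "1",
    "Content-Security-Policy": "script-src * 'unsafe-inline'",
}

# Constructed sample: the header set a hardened SecKit configuration would aim for.
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
```

The audit deliberately does not require X-XSS-Protection: the browser-side filter it controls has been removed from Chrome and Edge and was never in Firefox, so a CSP is what actually carries the XSS mitigation today. Run audit_headers against the headers captured from a real response to your site (for example via your browser's developer tools) and treat every finding as a SecKit setting to revisit.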



Stay safe, kids!