Let’s hope that all the Drupal website is updated and patched, and in that case, all the critical security flaw, Drupalgeddon2, is not likely to return. Even so, with the craze of cryptocurrency mining attack still lurking around the unpatched websites, here is a quick way to secure Drupal?
Here is a list of 7 basic steps that any Drupal site owner can do to lock down his/her website.
1. Keep Your Drupal Core and Modules Updated
Ignoring the regularly released security updates for both Drupal core and its modules can be catastrophic. The simplest ways to secure Drupal is to keep your Drupal version updated: apply security patches as soon as they get released, avoiding to leave your site exposed and exploitable. As simple as that!
And where do you add that this is one of those Drupal security best practices that’s the easiest to integrate into your routine? Since to run the latest updates you only need to:
- Sign in to your Admin panel
- Go to “Manage”
- Scroll down to “Reports” → “Available Reports”
- Click on “Check manually”
Just click “Update” if there are any critical security updates that you’re advised to run
2. Install Drupal Security Modules
Putting a shield around your Drupal site is both a handy and effective measure that you can easily implement. You are not out of options when it comes to good security modules in Drupal.
3. Remove Unused Modules
One of the Easiest Ways to Secure Drupal is to remove unused modules. That has grown outdated and that is just… lingering there, identify them and remove them! It won’t take more than just a few minutes of your time.
4. Enforce a Strong Password Policy
You have to use smart username and password for logging into your admin dashboard. So employing a strong password policy. One the best and the easiest ways to secure Drupal on the user’s side. Try with passwords with high enough entropy (letters, uppercase/lowercase, symbols, different character combos.
5. Block Access to All Your Sensitive Files
You can easily do that by configuring your .htaccess file — it’s the one containing crucial importance regarding your website access and credentials to specific parts and core files on your site:
Just specify the IP addresses allowed to access those core folders, files, and subdomains.
Order deny, allow deny from all
Allow from 127.0.0.1
Note! Don’t limit your restrictions to your core folders and files, but also to your web server, to your server login details, as well.
How? By adding a basic layer of authentication limiting server access and file access usage. Also, cautiously manage access to a certain port numbers that your site/app might be using.
6. Back Up
In case of any brute-force attacks, this will come handy.
So just back up your files and MySQL database before any update that you run on your Drupal code and modules.
Some of the back up “burdens” that this module will, take off your shoulders are:
- Backing up/restoring code and multiple MySQL databases
- Integrating Drush
- Backing up files directory
- Setting up several backup schedules
- AES encryption for backups
7. Review All User Roles and Grant the Minimum Permissions Necessary
How many user roles are there assigned to your Drupal site? If you are not sure, then give your entire user role system an audit.
Review all the user roles and, most of all, review each one set of permissions and make sure you trim them down to the minimum necessary for each role.
This way, you’ll also limit access to critical files for those users that shouldn’t have the permission to download or visualize them.
See which user roles are granted permission to access key directories or to read, write or modify certain files on your website and block/restrict access where necessary.
The END! Ensure with more Drupal security best practices, such as:
- Having the SSL Certificate
- Securing HTTP headers
- Using secure connections only
Securing a Drupal website is an on-going process; a series of persistent efforts and not a one-time thing. Remain vigilant and don’t rely on just a one-time, multifaceted security hardening practice.