A set of comprehensive and useful recommendations to keep your Drupal 8 site protected from the dangers looming the digital horizon. . .

An overview of Drupal security record

Drupal being a leading Content -Management system (CMS) find among its users Governments , big shot companies and NGO’S among thousands of other users dealing in extremely sensible data and information.

Like other CMS, Drupal also has been subject to security vulnerabilities …

To help you guys ensure your own Drupal site security, I have below built and compiled a list of some security practices which I strongly recommend and advise.

Security recommendations

Security recommendations as a general term stands good but it is undeniably too broad and not enough subject-oriented.

In an attempt to simplify the whole issue, I will divide the recommendations into different sets relating to specific and well defined issues;

Permissions recommendations

Permissions play an important role in determining the overall security of your Drupal site.

It is therefore paramount that proper file and directory permissions are set so as to prevent Hackers from entering the system and modifying the codes with the ultimate aim of causing harm to you and your site.

Generally, there are three permissions need to be granted each for the owner (creator of the site), the group (web server) and the users (everyone else).

While it is not compulsory, it is recommended as a security measure to give;

1. Owner -All the permissions namely ( read(r), write(w) and execute(x) files and directories)- 7(numerical value)
2. Group-All the permissions might be given namely ( read(r), write(w) and execute(x) files and directories)- 7(numerical value)
3. Users-It is strongly recommended that Users are given no permissions at all that is neither read, write nor execute. Consequently the numerical value becomes (0)

Note; r=4, w=2, x=1

More info about permissions and 770 configuration can be obtained on the following link;

Drupal File Permissions: Drupal 7 & 8 Permissions - Video Included

To check your permissions on the Linux operating system (the one I am currently using), run the following command;

ls -al

Here is a screenshot of my default permissions on Drupal 8

My default permissions

To amend the permissions if necessary, run on terminal the following commands;

sudo chmod <permission number> <directory name>

For instance sudo chmod 770 <directory name> will give all the permissions to the owner and the group but no permission at all to the users. It is usually considered a good security practice.

Note; A too restrictive “permissions policy “is not advisable since it might affect your Drupal installation and modules as Drupal core requires enough permissions to be able to write to certain directories.

Accessibility recommendations

Your Drupal website directory contains some sensitive files which you might consider to restrict access to.

The most sensitive files include;

1. authorize.php
2. upgrade.php
3. install.php

Here is a screenshot from my system;

To prevent access to such important files, you might consider to define the permissions in the .htaccess file hence preventing unauthorised users from accessing the contents of such files.

Such a piece of code might be added to prevent access to all users apart from the owner

<FilesMatch “(authorize|cron|install|upgrade)\.php”>
  Order deny, allow
  deny from all
  Allow from 127.0.0.1
  </FilesMatch>

Updates recommendations

As for any other software, it is very important to be in line with the latest Drupal updates and Drupal modules updates.

This is because many of the updates come with patches for a number of previous Drupal security vulnerabilities. For example, Drupal 8 has come with a bunch of security improvements over Drupal 7 as discussed above.

It is therefore essential to ensure that your site is currently running with the latest updates as this will give a true boost to your overall Drupal security system.

To check for any updates for your site along with modules currently in use , go to reports/available updates as shown below ;

Click on that and click on “check manually” to check for any updates available for your site and modules etc…

Updates available for my site

As you can see, I have to update the slick carousel module as well as Blazy module (encircled in orange).

To do so, simply click on the “Download these updates” (encircled in green) and you are good to go … with the latest updates and an improved security system…

Note; having the update manager module installed might help a lot. It usually comes pre-built in the standard installation of Drupal 8. You should enable it though. . .

Modules recommendations

Drupal has a number of optional security modules designed to help you improve your site’s security.

These security modules might help you to monitor for vulnerabilities, block for popular security threats through firewall protection and so on …

Here are some useful modules which might help give a real boost to your Drupal security system …

• Login security module

This module limits the rate of login attempts to your site.

For instance, an excessive number of login attempts from a particular IP address might lead to the module blocking this particular IP address temporarily or even permanently!!!

This is useful to counteract brute-force attacks for example

To install this module, click here and then follow the normal installation process for modules …

• CAPTCHA Module

This module as suggested by its very own name is a computer program intended to distinguish human from machine input.

In other words, it differentiates between automated login attempts by spambots and authentic and real login attempts by true human beings

This module might be downloaded from here

• Drupal Security Review Module

The Security Review module automates testing for many of the easy-to-make mistakes that render your site insecure.

In other words, it conducts a security audit of your site and suggests necessary changes if any

This nice module might be downloaded from here

• File Integrity Check Module

It can be used to check a Drupal site for file integrity breeches.

This module lets the site maintainer “fingerprint” an entire site (except the files below the public:// upload directory) when it is in an untainted state. It can then be configured to periodically compare the site to this “fingerprint”, and report the following:

• modified files and directories;
• potential back-doors (files added to the site);
• files removed from the site;
• Files writeable by the web-server.

It can be downloaded from here

Connections recommendations

It is strongly recommended that you always make use of secured connections to protect your data from being intercepted by hackers on the World Wide Web.

• Using SFTP encryption if offered by your web host is a recommended Drupal security practice …
• Also, getting an SSL certificate from a trusted organization to secure data transfer on your Drupal site is advisable.

Technically, this SSL certificate enables HTTPS which helps in securely processing data and information from your site.

For instance, it is very important for you to have an SSL certificate in the login page of your site.

Otherwise credentials entered will openly be transferred in clear text over the internet and run high risks of being intercepted by malicious hackers.

• Lastly, if possible use HTTP Security Headers such as 1. Content-Security Policy 2. X-XSS-Protection 3. Strict-Transport-Security 4. X-Frame-Options 5. Public-Key-Pins 6. X-Content-Type.

Upon implementation HTTP Security Headers provide an additional layer of security and protect you against the types of attacks that your site is most likely to come across. For example, XSS, code injection, clickjacking, etc.

Bot traffic

We are here talking about bad bots …. Bad bots to perform a variety of malicious tasks , such as price scraping, DDoS attacks, account takeover, and many more malicious ways that defraud a brand or website.

They should therefore be blocked. Such can be done by installing proper modules or amending your .htaccess file with appropriate codes so as to block the bad bots.

General security recommendations;

Apart from the above which are more specific in nature, there are some basic security recommendations which every Drupal user should know and implement if possible.

These include;

1. Use of Strong Credentials -The use of “easy to guess” usernames and passwords tremendously affect your Drupal security system. For instance using a simple password like “pass123” is not recommended .The general practice is to use a password with at least 8 characters comprising of letters (uppercase and lowercase), numbers and special characters .

……To change your password, head to Myaccount/Edit and make the required changes as shown below;

Changing password

2 . Perform regular back-ups of your site; Backups are basically a copy of your site codes, modules etc. . It is strongly advised to perform regular backups as these can save you in the worst case scenarios.

To perform a backup of your Drupal site, you can download and install a module named Backup and Migrate. This will help you restore your Drupal MySQL database, code, and files or migrate a site between environments

This module can be downloaded here

Alternatively, if you are running a sandbox project on Pantheon.io, you can easily do a “one-click “backup of your codes and database.

To do so, head to the Backup option and select “Create new backup “…easy right

Here is a screenshot from my Pantheon account;

Creating a back-up

3. Ensure your Drupal database security; you might want to use a unique table prefix which makes it harder to predict by an intruder.

This will also help in the prevention of SQL injection.

These are my main Drupal security recommendations aimed at improving the overall security of your Drupal 8 website. With all that said, let’s have a quick look at other Questions you might have regarding Drupal security in general.

Drupal security … Frequently asked Questions

There are some question that very often comes to our mind while talking about Drupal security. I will try very quickly to answer those popular questions here itself!!!

How to submit a security issue if you find any?

In case you find out a vulnerability in Drupal core or contributed project (module, theme, or distribution) that is covered by the Security Advisory policy ,you should report it .

Reporting might done in the 2 following ways;

First way ( 1)

• Head to the Drupal Project page
• Look for “report a security vulnerability” button in the right side bar as shown below

Showing the right-sidebar

• If you click on that , you will be redirected to the Security Team private issue tracker and your security vulnerability will automatically be reported

Second way (2)

• Send an e-mail to security@drupal.org.The security team will do its best to find a fix to the security vulnerability by working in collaboration with project maintainer and other parties if required.

Note; It is important that you keep the issue confidential until a fix has been found for it.

Note; Try to provide a detailed report specifying clearly the version of Drupal affected, how to reproduce the issue from a newly installed site and propose a patch if possible.

What are the measure steps to be taken while creating a release for a security issue?

1. All patches should already be committed before the noon on Wednesdays (GMT-5, America/New York). Ensure that the git commit message is not too direct in nature that is does not directly imply that a security vulnerability has been fixed. For instance , avoid using words like “security” or “vulnerability”
2. Create a release node making sure you check the box saying: “Are you sure you want to mark this release as a Security update?”
3. The release node you created will remain unpublished
4. You should not forget to update the security advisory you created on security.drupal.org to link it to the release node you just created
5. Post a comment on the issue at security.drupal.org stating clearly that you have created the release

How does Drupal inform site -owners about a reported security problem in Drupal?

Drupal inform site-owners about a reported security problem in Drupal through a Security Advisory.

A security Advisory is in short an announcement made by the Drupal security team and which inform users about a reported security vulnerability and the respective steps that should be taken to fix that security vulnerability ( e.g. . updating to a new release of the code which fixes the security problem)

Hmm yeah … So I guess that the above contents englobe mostly everything concerning Drupal security and related contents

To Sum Up

This task has required a whole lot of research hence enhancing my research abilities. I am really thankful for that.

I really hope that you guys will make the most out of the above recommendations and implement a maximum of it to give a real boost to your Drupal site security system.

Thank you for your read … and have fun Drupalling …Bye-Bye!!!