You can do all you want to secure your website and yet cannot be absolutely sure about it. Securing your website is not a one-time goal but an on-going process that needs a lot of your attention. You cannot just single out one best solution to protect your website and must do whatever it takes to win this battle against them web-stalkers. After all, it is always better to avoid a calamity than face it and be sorry. With a Drupal website, you can be assured about having some of the top security risks being taken care of.
Drupal has powered millions of websites, many of which handle extremely critical data like government websites, banking and financial institutions, e-Commerce stores, etc. It goes without saying that the Drupal community take security issues very seriously and keep releasing security updates as and when they come across a threat. Nonetheless, you will still need to enforce some measures to secure your Drupal website and give the hackers a tough time.Keep Calm and Stay Updated
Making sure your Drupal version and modules are up-to-date is really the least you can do to ensure safety of your website. Drupal contributors are staying on top of things and are always looking for any security threats that could spell disaster. An update doesn’t just come with new features but also security patches and bug fixes. Drupal’s security announcements are posted to users’ emails and site admins have to keep Drupal updated to safeguard the website.
Choose your modules wisely
Before you install a module, make sure you look at how active it is. Are the module developers active enough? Do they release updates often? Has it been downloaded before or are you the first scape- goat? You will find all the mentioned details at the bottom of the modules’ download page. Also ensure your modules are updated and uninstall the ones that you no longer use.
Security Modules to the rescue
Just like layered clothing works better than one thick pullover to keep warm during winter, your website is best protected in a layered approach. Drupal’s security modules can give your website an extra layer of security around it. Some of the top few security modules that you must install for your website –
- Login Security – This module enables the site administrator to restrict the number of invalid login attempts before blocking accounts. Access can be denied for IP addresses either temporarily or permanently.
- Two-factor Authentication – With this module, you can add an extra layer of authentication once your user logs in with a user-id and password. Like entering a code that’s been sent to their mobile phone.
- Username Enumeration Prevention – By default, Drupal lets you know if the username entered does not exist or exists (if other credentials are wrong). This can be great for a hacker if he’s trying to enter random usernames only to find out one that’s actually valid. This module can prevent such an attack by changing the standard error message.
- Content Access – As the name suggests, this module lets you give more detailed access control to your content. Each content type can be specified with a custom view, edit or delete permissions. You can manage permissions for content types by role and author.
- Coder – Loopholes in your code can also make way for an attacker. The Coder module (a command line tool with IDE support) goes through your Drupal code and lets you know where you haven’t followed best coding practices.
Check on your Permissions
Drupal allows you to have multiple roles and users like administrators, authenticated users, anonymous users, editors, etc. In order to fine-tune your website security, each of these roles should be permitted to perform only a certain type of work. For example, an anonymous user should be given least permissions like viewing content only. Once you install Drupal and/or add more modules, do not forget to manually assign and grant access permissions to each role.
I bet you already knew that any traffic that’s transmitted over just an HTTP can be snooped and recorded by almost anyone. Information like your login id, password and other session information can be grabbed and exploited by an attacker. If you have an e-Commerce website, this gets even more critical as it deals with payment and personal details. Installing an SSL certificate on your server will secure the connection in between the user and the server by encrypting data that’s transferred. An HTTPS website can also increase your SEO ranking – which makes it totally worth the investment.
Watch your inputs
If your website allows users to input text or upload files, you need to be extra cautious as that’s the easiest way a hacker can get into your system. Drupal lets you to allow only a certain type of file extensions to be uploaded, like only PDFs or Docs. When you have to allow HTML tags as input, you will have to make sure the text is properly filtered. Drupal’s extension modules like WYSIWYG Filter and Better Formats help in some basic filtering of HTML tags. There are so tags that need to be blocked which can be done in code level. A module like HtmlLawed also helps in blocking some tags and suggesting other usable tags.
As the old saying goes - Expect the best but plan for the worst. When it comes to website security, one can never call themselves absolutely secure. By default, Drupal is a very secure content management framework but you will still need to implement better security strategies – for a good night’s sleep.