How to Increase Drupal Site Security – Protect from Hackers

Have Served for millions of websites all over the world, Drupal has become one of most popular publishing tools and content management systems on the web. Due to this tremendous popularity, however, the Drupal powered websites have been a major hacking target for attackers.

In this case, we have summarized some useful tips for how to overcome the common Drupal security issues and increase Drupal site security. We list out them in the following, providing you an easy way to understand.

Select a Safe Hosting

Drupal, a free and open source, can work well on web servers supporting PHP and MySQL database. At present, many web hosts include this tool into their hosting packages to attract customers. But not all of them can guarantee a safe and secure environment. Therefore, you’d better choose a reliable hosting company that can reduce vulnerabilities and hacking frequencies with the use of some advanced technologies like SSH, SSL, and firewalls.

To find this kind of company, you can go for some review websites to get the recommendations, or ask for advice from the large and supportive Drupal community.

Select Safe Hosting

Keep Everything Updated

The first thing to improve Drupal security is to keep everything updated. Three areas are included with the security updates: Drupal Core, Drupal modules, and theme security.

This is because the standard new releases are only developed and published when the vulnerabilities and loopholes have been detected. Once the new version is out, the hacking patch for the old version is public. This means hackers and attackers can access your site easily if your tool and applications are not the latest releases. Since Nov. 19th, 2015, Drupal 8 has been available for you to use. There is an email notification for the release of new version.

In the case you really forget this important practice, you’d better remove the CHANGELOG.txt file that comes with the installation. Thus, others can hardly know which version of Drupal core and Drupal modules you are using.

At the same time, pay a high attention to the theme you want to use or have used on your Drupal website. It is really important for you to check whether the theme developers continue to update it. Choose one from the most recently maintained themes in the Drupal’s Download & Extend.

Secure Login Operation

Secure LoginThe security of login operation is another critical part that webmasters need to pay attention. As a website administrator, you’d better limit the number of invalid login attempts, and ensure the IP addresses trying to crack your password rudely are banned temporarily or permanently.

You can do this by making use of a powerful Drupal module called Login Security. This tool can not only restrict access attempts, but also can notify people via e-mail to help them know when something abnormal is happening with login, such as account information guessing and password brute forcing.

Make Use of CAPTCHA

CAPTCHA refers to Completely Automated Public Turing test to tell Computers and Humans Apart, composing of some random letters and numbers that are coming out automatically for people to enter. It is used to figure out whether the users are human or not. Thus, webmasters can utilize it to block bad submissions from spambots which will post spam content on your website.


Block the Access to Important Files

You can restrict the access to some sensitive files like authorize.php file, upgrade.php file, cron.php file and install.php file via .htaccess. In this case, no one except you can enter the core files of your site to do the harming work. The lines of coding are as following.

Block File Access

Use Strong Passwords

We have emphasized this aspect many times. One more again, the utilization of strong passwords is pretty important. Many people use the birthday, phone number, or some simple words as their passwords, but the fact is that hackers can decode these logical combinations easily. Therefore, you’d better use some illogical ones with letters, numbers, and symbols attached randomly. In addition, you can make use of some useful tools to generate passwords well, such as Password Policy.

Password Policy will decide whether to accept a user password change, have been defined with constraints. Also, it has a password expiration feature which require users to change their old passwords. Therefore, user passwords can be better protected from hackers with the help of Password Policy.

Utilize Security Modules

Utilize Security ModulesIn fact, there are a lot of Drupal security modules that can be used to enhance the security of your Drupal sites. The most related module categories are Security, User Access, and Spam Prevention. You only need to go to to download and install your needed ones to the website, then you can sleep well all the night without worrying your site might be hacked unexpectedly.

Always Create Backups

If you have adopted all of the methods presented above, then the possibilities of being hacked can reduce largely. However, it doesn’t mean that the probability is zero. After all, as Drupal developers are updating the core uninterruptedly to avoid vulnerabilities, hackers also are coming out new ways to find a loophole.

In this case, you’d better keep a habit of backing up your Drupal website regularly, let’s say at least twice a week. Thus, if your site has been destroyed, you can back to normal easily with the backing up files. Note that if you have done some critical changes to your site, then create a backup at once.