With 2.2 per cent of all websites on the Internet using Drupal, it is the third most popular CMS in the world. But for all its boons and benefits, cybercriminals choose to target Drupal’s open-source nature in order to steal sensitive or valuable information.
What’s more, the fact that vulnerabilities are constantly being discovered and exploited doesn’t help matters either, as this has the potential to occupy an untold amount of time. So, with this in mind, well known Pen Testers Security Audit Systems has come up with 9 tips on how to tighten up your Drupal security.
- Keep Drupal and modules updated
As with any other piece of software or web application, it is imperative you keep Drupal and all of its modules up-to-date. Back in 2014, hackers targeted older versions of Drupal in an attack that affected millions of websites.
- Use complex usernames and passwords
Although somewhat obvious and incredibly straightforward, this is one of the best ways to improve Drupal security. Never use ‘admin’ as your username and choose a password that utilises a mix of alphabetical and numeric characters as well as upper and lowercase letters.
- Make the most of Drupal security modules
In the event of a brute-force attack, Drupal security modules can lock down your site and help protect important data. On top of that, they can also block malicious networks, enforce strong passwords, scan for vulnerabilities, monitor DNS changes, implement firewalls, and much more.
- Block bad bots, scrapers, and crawlers
If you are struggling to block bad bots using a Drupal security module, you may need to introduce commands and codes at a server level. Some useful advice on how to do so can be found on this Drupal support page.
- Always use secure connections
Regardless of where you are accessing Drupal from, you should always use a secure connection, such as SSH or SFTP encryption. You should also double check that firewall rules are setup properly on your router.
- Check file permissions
Seeing as each directory and file will have different permissions, which allow people to read, write, and modify them, it is imperative they are all correct, otherwise an intruder could gain access easily.
- Toughen up the security of your database
By using a different table prefix on your Drupal database, hackers will find it much harder to guess and thus help prevent SQL injections. It is also relatively easy to change your table prefix on the setup screen when installing Drupal.
- Always use SSL certificates
SSL certificates are commonplace for eCommerce sites, as they protect the sensitive data of online customers. However, the same security principle should apply for your Drupal login page too, as the absence of an HTTPS connection means your username and password will be sent in clear text over the Internet.
- Harden your HTTP security headers
With just a small configuration change on your web server, you will be able to harden HTTP security headers, which can help mitigate the threat of an attack.
It is always better to have addressed your websites security than to just leave it all to chance until the online criminals come knocking at your websites door!