5 Security Modules That Every Drupal Website Must Have


With intruders, thieves, hackers, and spammers ready to perpetuate threat to most businesses online, virtual security is definitely the top concern in today's web that a firm should focus. While there are several hundred CMSs out there to provide a digital platform, Drupal is considered one of the top secure platforms that can seamlessly address the firm's security needs.

Why is Drupal always a win for you?

Do you know what makes Drupal a ‘credible content management system’? Backed with some phenomenal modules and themes, this great CMS is heartily manned by a dedicated community of developers. Unlike other content management systems, Drupal offers the most consistent security updates, keeping the chances of risks as minimal as possible. However, if you are already using Drupal, then it is necessary to keep your website extra secure with the gifted grace of ‘security modules’ available for Drupal. Here we have listed the 5 best security modules that every Drupal website must include - have a look!


1. Password Policy


5 Security Modules That Every Drupal Website Must Have


Usage: For now, Password Policy is used by more than 20k websites. The module has also been downloaded more than 260k times.

According to Verizon’s Data Breach Investigation Report statistics for the year 2013, 4 out of every 5 data breaches occur due to exploited or stolen credentials.

Thus, defining the password policies of your website and enforcing restrictions on user passwords is important. Make it possible with the help of ‘Password Policy’ module that brings a defined set of constraints implemented right before a website accepts the password changes of a user. With each constraint, the module has some pre-defined parameters that have to be ‘satisfied’ to validate the conditions. Password Policy has recently updated a brand new version for Drupal 8, introducing the constraints as plugins. Apart from this, the module comes with a password expiration feature where a user is either forced to change the password or it is optionally blocked once the old password expires.

Functionality: The module sets a credible policy for passwords, manning control through constraints while the password is generated. With Password Policy module, you can also control the structure of password in terms of length, capitalization, unique character, numbers, reuse of password, and so on.


2. Security Kit


5 Security Modules That Every Drupal Website Must Have


Usage: Currently, about 11k sites are using Security Kit as a reliable easy-to-use module. The module has reported more than 143k downloads.

Do you know at Annual Website Security Statistics report 2012, Whitehat has identified cross-site scripting and cross-site request forgery as two most prevalent vulnerabilities?

The module promises security under four major categories- cross-site scripting, cross-site request forgery, clickjacking, and SSL/TLS. Cross-site scripting safeguards content policies, handling browser reporting and violation management. Through cross-site request forgery, you can control the Origin HTTP request header. Similarly, Clickjacking works on the implementation of X-Frame-Options HTTP response header and Javascript (coupled with CSS and NoScript protection and customized text to disable the JavaScript message). Last but not the least- SSL/TLS handles the implementation of HTTP Strict Transport Security (HSTS) response header. With this, you can simply prevent the role of middleman and possibly control the potential attacks by eavesdropping.

Functionality: Security Kit brings the best security-hardening options that you can use on your website! Security Kit module enables safekeeping by lowering the risks of exploitation of different web application vulnerabilities.


3. Security Review


5 Security Modules That Every Drupal Website Must Have


Usage: About 34k websites are using this module, which has been downloaded over 270k times.

Your site might have some silly easy-to-make mistakes that could be a bit embarrassing at times. Don’t worry and avoid the humiliation of making silly mistakes in your Drupal website with the help of Security Review module. How does it work? Well, Security Review module automates the testing process of a website in the simplest manner. It is a quick and easy to implement module. With Security Review Module, you can check the safe file system permission of your website that limits the execution of any arbitrary code. The module protects a site against dangerous XSS tags available in the text formats. It enables safety in reporting errors, avoids unnecessary information disclosure, promises security of private cum personal files, enables easy and safe uploading of extensions, and checks the large database for errorless usage. Moreover, you can have one Drupal admin as permission to protect your website against any form of malice or misconfiguration.

Functionality: Security Review will not add automated changes to your website, unless and until the checklist and its resources are not manually secured. The module is readily available for the latest Drupal 8 interface.


4. Username Enumeration Prevention

Usage: The module has been used by more than 7k sites and has been downloaded by almost 29k Drupal users.

Though Drupal is quite a secure interface yet the chance of exploitation is evident in the CMS, especially for Drupal 6. As Drupal 6 doesn’t come with brute force prevention functionality, it makes the website vulnerable to easy hacking through just a username. It means a hacker can quite easily attack a site through a username, followed by brute force hack. The best security practice is to keep the usernames protected. And this is exactly what Username Enumeration Prevention does - with this module, you can make your usernames hard to find for the hacker. The technique ‘username enumeration’ can enable an attacker to find usernames by using the ‘forgot password’ form. By simply adding the username that doesn’t exist in real, the attacker will get Drupal’s response. An attacker can thereby follow a simple process i.e. to keep trying different usernames on the ‘forgot password’ form until he find a valid username. With the enabling of this module, the attacker will be redirected back to the login form, while the error message will also replace the preview message. It works through replacing the message that appears to the user when requesting a new password to something more ambiguous instead of indicating that the user exists or not, which allows the attacker to figure the username through the status message that appears.

Functionality: Username Enumeration Prevention is an important way to secure the usernames of your website. The module simply disables the status message that could let the attacker know that a username exists through the "Request new password" function.


5. Generate Password


5 Security Modules That Every Drupal Website Must Have


Usage: Almost 6k websites are currently using the Generate Password module. The module has almost 32k downloads.

Generate Password module works with a simple trick. It makes the password field optional or rather hidden on the new user registration page so that when the password is not set during the registration process, the system generated a generic password. As an admin, you can optionally choose to display this password by the time it is created in the registration process. How does it work? For the configuration settings, just visit the account settings of the user page and change the behavior of the password generation.

Functionality: Customize the structure of password generation as in the length of the password, generated password entropy, nature of characters (capitalization, special character, and numbers), password algorithm, and password display as per your requirements.


Use these 5 Drupal security modules for your website to keep all those unwanted hackers and attackers away. So while you might wish to keep your website secure with all these modules, we would also recommend you to ensure the perfect dose of necessities with Varbase, an enhanced Drupal distribution built, packaged and maintained by Vardot, that users some of the most important and widely used Drupal modules, features, and configurations. What is the best part about Varbase? Well, the little ‘bundle of Drupal joys’ has these 5 modules bundled and configured in the "Security" feature. Varbase is highly recommended for certain reasons - it speeds up the Drupal developmental process, provides the most sorted/standardized configurations, offers one-stop solutions for diverse Drupal development needs and ensures ease in implementation. The Drupal distribution is also quite frequently updated by the developers. Varbase became the most installed Drupal 8 distribution and has registered more than 10k downloads.

As said, the security of your business is highly important, so don’t forget to monitor your website regularly. We hope this article will resolve some of your security concerns related to the Drupal development. Do you have any others? Share them with us in comments and don't forget to check two more articles with the top modules to include to your website - 10 best Drupal modules for SEO and 7 best Drupal modules for E-commerce.


Free Website Audit from Vardot