Drupal security
Protect your Drupal site against hackers, malware and attacks. Practical tips and module recommendations for maximum security.
Drupal is more secure than you think
Drupal is known for its strong security. It has a dedicated security team that actively monitors and patches vulnerabilities and publishes advisories for both core and contributed projects. But that protection only holds if you have the basics in order.
- Used by governments and enterprise organizations worldwide
- Security advisories with detailed information about patches
- Built-in protection against SQL injection, XSS and CSRF, provided you stay on the Database API, Twig templates and the Form API instead of building queries, markup or forms by hand
10 essential Drupal security tips
Implement these tips to immediately make your Drupal site more secure
Keep Drupal core up-to-date
Security updates are critical: install them within 24 hours of release, then run the pending database updates and clear the cache. Drupal security advisories are normally published on Wednesdays, and the core Update Manager module can email you when updates are available.
composer update drupal/core-recommended --with-dependencies
Also update your contrib modules
Outdated contrib modules are one of the most common ways Drupal sites get compromised; an advisory for a contrib module deserves the same 24-hour treatment as one for core. Check weekly for updates via Reports > Available updates.
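One way to automate the weekly check for both core and contrib, as an added example rather than something from this page or from Drupal: the script below wraps composer audit, which queries the Packagist advisory database (Drupal security advisories are published there) and fails the job whenever a drupal/* package has an open advisory or has been abandoned. The embedded JSON is a constructed sample in the shape of composer audit --format=json output; the package name and advisory in it are placeholders, not a real Drupal advisory.

```python
import json
import subprocess
import sys

# Constructed sample shaped like `composer audit --format=json` output.
# The package and advisory below are placeholders for illustration only.
SAMPLE_AUDIT = json.dumps({
    "advisories": {
        "drupal/example_module": [{
            "advisoryId": "EXAMPLE-ID",
            "packageName": "drupal/example_module",
            "affectedVersions": "<2.0.1",
            "title": "Example advisory (constructed sample)",
            "cve": None,
            "link": "https://www.drupal.org/project/example_module",
            "severity": "high",
        }],
    },
    # Composer also lists abandoned packages: name -> suggested replacement or null.
    "abandoned": {"drupal/example_abandoned": None},
})


def parse_audit(output: str) -> dict:
    """Reduce composer audit JSON to {'advisories': [...], 'abandoned': [...]}.

    Composer emits an empty list instead of an empty object when there is
    nothing to report, so both shapes are accepted.
    """
    data = json.loads(output) if output.strip() else {}
    advisories = []
    for package, entries in (data.get("advisories") or {}).items():
        for entry in entries:
            advisories.append({
                "package": package,
                "title": entry.get("title", ""),
                "affected": entry.get("affectedVersions", ""),
                "link": entry.get("link", ""),
                "severity": entry.get("severity") or "unknown",
            })
    abandoned = sorted((data.get("abandoned") or {}).keys())
    return {"advisories": advisories, "abandoned": abandoned}


def drupal_findings(report: dict) -> list:
    """Advisories for drupal/* packages only: core, contrib modules and themes."""
    return [a for a in report["advisories"] if a["package"].startswith("drupal/")]


def run_audit(project_dir: str = ".") -> str:
    """Run composer audit in the project root and return its JSON output.

    composer audit exits non-zero when it finds advisories, so the exit
    status is deliberately not treated as an error here.
    """
    proc = subprocess.run(
        ["composer", "audit", "--format=json", "--no-interaction"],
        cwd=project_dir, capture_output=True, text=True,
    )
    return proc.stdout


if __name__ == "__main__":
    report = parse_audit(run_audit(sys.argv[1] if len(sys.argv) > 1 else "."))
    findings = drupal_findings(report)
    for a in findings:
        print(f"[{a['severity']}] {a['package']} {a['affected']}: {a['title']} {a['link']}")
    for package in report["abandoned"]:
        print(f"[abandoned] {package}")
    sys.exit(1 if findings else 0)
```

Run it from the project root in CI or from cron; a non-zero exit is your signal that the 24-hour clock has started.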
Use strong passwords
Use at least 16 characters, mixing uppercase, numbers and special characters, or a long passphrase. Enable the Password Policy module to enforce this automatically.
Limit admin rights
Give users only the permissions they need. Create dedicated roles for editors instead of handing out the administrator role, and treat any permission Drupal flags with "restrict access" (administering modules, users or permissions, for example) as equivalent to full administrator access.
Only install trusted modules
Download modules only from drupal.org. Check the project page: active maintenance, usage statistics and, above all, whether the project is covered by the Drupal security advisory policy. Projects without that coverage get no security advisories when a vulnerability is found.
Remove unused modules
Modules you no longer use remain a risk as long as their code is on disk: Drupal 8 and later has no "disabled" state, and some module files can be reached directly by URL. Uninstall modules you don't use and then remove their code (composer remove).
Enable two-factor authentication
Use the TFA module to require a second factor on administrator and editor accounts. A leaked password alone is then no longer enough to log in.
Make regular backups
Daily automated backups with off-site storage, covering the database, the files directory and settings.php. Test monthly that you can actually restore one.
Secure your files directory
Make sure PHP cannot be executed in sites/default/files (and in the private files directory). Drupal writes a .htaccess with "php_flag engine off" and a SetHandler override into these directories when it creates them; check that the file is still present and unmodified (loading the status report recreates it if it is missing). On nginx, .htaccess files are ignored, so deny PHP execution below the files directory in the server configuration instead.
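An added example, not from the page and not the Security Review module's own code, of checking the files directory the way that module does: it verifies the protective .htaccess is present with the two directives Drupal relies on, that it is not world-writable, and it walks the directory for anything with a PHP-like extension anywhere in the name (shell.php.jpg included), which is what a planted web shell usually looks like. build_sample() creates a constructed throwaway directory so the checker can be tried offline; DRUPAL_HTACCESS is a copy of what current Drupal writes, and the default path assumes the script runs from the web root.

```python
import sys
import tempfile
from pathlib import Path

# Lines Drupal itself writes into the files directory (FileSecurity::htaccessLines()).
# Both must survive: the SetHandler line stops scripts even where mod_php is not loaded.
REQUIRED_DIRECTIVES = (
    "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006",
    "php_flag engine off",
)

# Any of these anywhere in the file name is suspicious in an upload directory.
PHP_SUFFIXES = {".php", ".phtml", ".phar", ".php3", ".php4", ".php5", ".php7", ".phps", ".pht"}

# What Drupal 10 writes; older releases used mod_php5.c / mod_php7.c in the IfModule line.
DRUPAL_HTACCESS = """\
# Turn off all options we don't need.
Options -Indexes -ExecCGI -Includes -MultiViews

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php.c>
  php_flag engine off
</IfModule>
"""


def check_htaccess(files_dir: Path) -> list:
    """Verify the protective .htaccess is present, intact and not writable by others."""
    htaccess = files_dir / ".htaccess"
    if not htaccess.is_file():
        return [f"{htaccess}: missing (loading Reports > Status report recreates it)"]
    issues = []
    text = htaccess.read_text(errors="replace")
    for directive in REQUIRED_DIRECTIVES:
        if directive not in text:
            issues.append(f"{htaccess}: missing directive '{directive}'")
    if htaccess.stat().st_mode & 0o002:
        issues.append(f"{htaccess}: world-writable")
    return issues


def find_executable_uploads(files_dir: Path) -> list:
    """Walk the files directory and list anything carrying a PHP-like extension."""
    hits = []
    for path in files_dir.rglob("*"):
        if path.is_file() and any(s.lower() in PHP_SUFFIXES for s in path.suffixes):
            hits.append(path.relative_to(files_dir).as_posix())
    return sorted(hits)


def check_files_dir(files_dir) -> list:
    """Combined check; returns human-readable issues (an empty list means clean)."""
    files_dir = Path(files_dir)
    if not files_dir.is_dir():
        return [f"{files_dir}: not a directory"]
    issues = check_htaccess(files_dir)
    issues += [f"executable file in upload directory: {hit}" for hit in find_executable_uploads(files_dir)]
    return issues


def build_sample(with_webshell: bool = False) -> Path:
    """Constructed fixture: a temporary files directory as Drupal would lay it out."""
    root = Path(tempfile.mkdtemp(prefix="drupal-files-"))
    (root / ".htaccess").write_text(DRUPAL_HTACCESS)
    (root / ".htaccess").chmod(0o644)
    (root / "styles").mkdir()
    (root / "styles" / "logo.png").write_bytes(b"\x89PNG")
    if with_webshell:
        (root / "styles" / "shell.php.jpg").write_text("<?php\n")  # planted file, constructed
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "sites/default/files"  # assumes web root as cwd
    problems = check_files_dir(target)
    print("\n".join(problems) if problems else f"{target}: OK")
    sys.exit(1 if problems else 0)
```

Running this from cron after each deployment turns the .htaccess check from something you do once into something you notice the day it breaks.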
Monitor security advisories
Subscribe to the Drupal Security Newsletter. Follow @drupalsecurity on Twitter for real-time updates.
Recommended security modules
These Drupal modules help protect your site
Security Kit
Hardens your Drupal installation against a range of client-side attacks, mainly by adding security headers that core does not set by default. Worth enabling on every site.
- XSS and CSRF protection
- Clickjacking protection
- HTTPS enforcement (HTTP Strict Transport Security)
- Content Security Policy
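To see what Security Kit actually changes on the wire, here is an added example (not part of the page or of the module) that audits a site's response headers for the four items listed above. SAMPLE_HEADERS is a constructed set of headers like those a stock Drupal install sends: core itself adds X-Frame-Options: SAMEORIGIN and X-Content-Type-Options: nosniff, but no Content-Security-Policy and no Strict-Transport-Security. fetch_headers() pulls the real headers from a live site; the User-Agent string is an arbitrary choice.

```python
import sys
import urllib.request

# Constructed sample: headers from a stock Drupal site without Security Kit.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Cache-Control": "must-revalidate, no-cache, private",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}

ONE_YEAR = 31536000  # HSTS max-age commonly expected by preload lists


def csp_directives(value: str) -> dict:
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    result = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            result[tokens[0].lower()] = tokens[1:]
    return result


def hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value (0 if absent or malformed)."""
    for part in value.split(";"):
        name, _, number = part.strip().partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number)
    return 0


def audit_headers(headers: dict, https: bool = True) -> list:
    """Return (severity, message) findings for missing or weak security headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    directives = csp_directives(csp) if csp else {}
    if csp is None:
        findings.append(("high", "no Content-Security-Policy header"))
    elif "default-src" not in directives and "script-src" not in directives:
        findings.append(("high", "CSP restricts neither default-src nor script-src"))
    elif "'unsafe-inline'" in directives.get("script-src", directives.get("default-src", [])):
        findings.append(("medium", "CSP allows 'unsafe-inline' scripts"))

    # Clickjacking: either CSP frame-ancestors or the older X-Frame-Options must be present.
    if "frame-ancestors" not in directives and "x-frame-options" not in h:
        findings.append(("medium", "no frame-ancestors and no X-Frame-Options: page can be framed"))

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options is not nosniff"))

    if https:  # HSTS is only meaningful on an HTTPS response
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append(("medium", "no Strict-Transport-Security header"))
        elif hsts_max_age(hsts) < ONE_YEAR:
            findings.append(("low", f"HSTS max-age {hsts_max_age(hsts)} is shorter than one year"))
    return findings


def fetch_headers(url: str, timeout: int = 10) -> dict:
    """GET the front page of a live site and return its response headers."""
    req = urllib.request.Request(url, headers={"User-Agent": "drupal-header-audit"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else "https://example.com/"
    for severity, message in audit_headers(fetch_headers(url), https=url.startswith("https://")):
        print(f"[{severity}] {message}")
```

Run it before and after enabling Security Kit: the CSP and HSTS findings should disappear, and the clickjacking check should be satisfied by frame-ancestors rather than only by the legacy X-Frame-Options header.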
Automated Logout
Automatically logs users out after a period of inactivity, so an unattended browser that is still logged in cannot be used by someone else.
- Configurable timeout
- Per role settings
- Timeout warning
- Redirect to custom page
Password Policy
Force strong passwords with configurable requirements. Prevents weak passwords.
- Minimum length requirement
- Character type requirements
- Password expiration
- History of old passwords
TFA (Two-Factor Auth)
Adds a second authentication step after the password. Works with any TOTP app such as Google Authenticator, with SMS or hardware tokens available through additional plugins.
- TOTP and HOTP (Google Authenticator and other authenticator apps)
- Recovery codes
- Per role requirements
- Trusted devices
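Referring to the two-factor tip above and the TFA feature list: an added example, not the TFA module's code, of the mechanics behind a TOTP second factor and recovery codes. It implements RFC 4226 HOTP and RFC 6238 TOTP, verifies a submitted code with a small clock-skew window and constant-time comparison, rejects replay of an already accepted code via last_counter, decodes the Base32 secret an authenticator app shows, and stores recovery codes only as hashes so a database leak does not leak them. The window size, code length and hashing of recovery codes are choices made for this example; the test values come from the RFC test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, now: int = None, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Check a submitted code against the current step and `window` steps either side.

    Returns the matching counter (persist it as the account's last_counter so the
    same code cannot be replayed), or None. The comparison is constant-time.
    """
    now = int(time.time()) if now is None else now
    counter = now // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_counter:
            continue  # already used, or older than the last accepted code
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def decode_secret(base32_secret: str) -> bytes:
    """Authenticator apps show the shared secret as Base32, often unpadded and spaced."""
    s = base32_secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def new_recovery_codes(count: int = 10) -> tuple:
    """Generate one-time recovery codes: (plain codes to show once, hashes to store)."""
    codes = [secrets.token_hex(5) for _ in range(count)]
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}


def use_recovery_code(stored_hashes: set, code: str) -> bool:
    """Consume a recovery code: compared by hash, valid exactly once."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored_hashes:
        stored_hashes.remove(digest)
        return True
    return False


if __name__ == "__main__":
    secret = secrets.token_bytes(20)
    print("provision this secret in the app:", base64.b32encode(secret).decode())
    print("current code:", totp(secret, int(time.time())))
    codes, hashes = new_recovery_codes(3)
    print("recovery codes (show once):", codes)
```

The point of last_counter is easy to overlook: without it an attacker who shoulder-surfs a code has up to 90 seconds (one step plus the window on each side) to reuse it.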
Security Review
Scan your Drupal site for security issues. Provides a checklist of recommendations.
- File permissions check
- Module updates status
- Error reporting settings
- Detailed reporting
Login Security
Extra protection for the login form. Drupal core already throttles failed logins through its flood control (by default 50 failures per IP per hour and 5 per account per six hours); Login Security adds configurable limits, IP blocking and notifications on top of that.
- Limit login attempts
- IP blocking
- Email notifications
- Soft/hard blocking modes
Good hosting = better security
Your hosting provider plays a big role in the security of your Drupal site. Choose a provider with these features:
Free TLS certificates
Automatic issuance and renewal of Let's Encrypt certificates
Daily backups
Automatic backups with easy recovery via control panel
Malware scanning
Automatic scans and removal of malware at server level
DDoS protection
Firewall and DDoS mitigation to keep your site online
Security checklist for Drupal
Print this checklist and work through it for a secure Drupal site