Create your blog and photo album with postbit
Create your blog and photo album

Create new post


Upload a picture:
Tags (keywords separated by comma)

Save Cancel
Websites 'N' More websitesnmore:   Followers: 0 ; Following: 0

Securing Your Drupal Setup (Website) using Modules

Drupal is the third most used open-source Content Management System (CMS in the world after WordPress and Joomla. It is also considered to be one of the most secure platforms when compared to other open source PHP solutions in the marketplace. Having said that there is always a slight possibility of becoming a victim in the digital sphere therefore it is important that web administrators work towards hardening the security of their Drupal setup on a regular basis.

Here is a list of top security modules that our team of Drupal Developers have created based on years of experience working with this open source CMS.

Security Review-

The module performs automated testing for commonly made mistakes that can lead to your Drupal website’s security becoming compromised. Once installed the module runs a scan and provides you a detailed report of any inconsistencies that it finds. This report can then be used by Drupal developers to manually secure the website in question.

Some of the checks that the module performs include;

  • Safe file system permissions (protecting against arbitrary code execution)
  • Text formats don't allow dangerous tags (protecting against XSS)
  • PHP or Javascript in content (nodes and comments and fields in Drupal 7)
  • Safe error reporting (avoiding information disclosure)
  • Secure private files
  • Only safe upload extensions
  • Large amount of database errors (could be sign of SQLi attempts)


Login Security

Login Security is designed to protect a Drupal website against Brute Force attacks. The module denies access to a user based on their IP address by adding access control features to login forms. Without the use of the module, Drupal core only provides basic access control to a website administrator whereby the user is denied access to the full website.

Some of the main features of this module include;

  • Limit the number of failed login attempts.
  • Allow the website administrator to block an IP address permanently or temporarily.
  • Provide email notifications to website administrators about any unusual activities that may occur on the login form of the website.
  • Disable Drupal core's login error messages in order to avoid showing the reason for not authenticating the user thus making it harder for the hacker to determine whether the account actually exists or not.


Flood Control-
Flood Control is another module that has been design to protect a Drupal setup against Brute Force attacks. The module provides a neat interface that lets a website administrator to perform the following tasks;

  • Set the number of Failed Login IP Limit.
  • Set the duration of Failed Login IP.
  • Set the number of Failed Login Username Limit.
  • Set the duration of Failed Login Username.
  • Set a limit on emails sent by Contact Forms.
  • Set a window (duration) for sending Contact Form emails.


Security Kit-

Security Kit has been designed to protect a Drupal Website against a number of browser (web application) related security vulnerabilities.

Some of the common security issues that the module aims to protect a website against include;

Cross-site Scripting

Content Security Policy implementation via –°ontent-Security-Policy (official name), X-Content-Security-Policy (Firefox and IE) and X-WebKit-CSP (Chrome and Safari) HTTP response headers (configuration page and reporting CSP violations to watchdog)
Control over Internet Explorer / Apple Safari / Google Chrome internal XSS filter via X-XSS-Protection HTTP response header
Fix of Drupal 6 core module Upload issue (Drupal 7 version lacks this option as long as Upload was replaced with FileField module)
Prevent content upsniffing and serving files with incorrect MIME-type via X-Content-Type-Options: nosniff HTTP response header

Cross-site Request Forgery

Handling of Origin HTTP request header


Implementation of X-Frame-Options HTTP response header
JavaScript + CSS + Noscript protection with customizable text for disabled JavaScript message


Implementation of HTTP Strict Transport Security (HSTS) response header, preventing man-in-the-middle and eavesdropping attacks.


Implementation of From-Origin HTTP response header

Secure Login

Secure Login has been specifically created for websites and web applications that use both HTTP and HTTPS across various web pages. This module ensures that the login and other forms are submitted securely via HTTPS, thus preventing passwords and other private user data from being vulnerable.  

Some of the main features of this module include;

  • Locking down the user/login page, the page containing the user login block, and any other forms that the web administrator has set as secure.
  • Securing authenticated session cookies, thus preventing session hijacking by eavesdroppers.

Post by Websites 'N' More (2017-07-31 03:14)

Tags: Drupal Agency Sydney Drupal Developers Sydney Drupal Experts Sydney Drupal Web Developer Sydney

Post your comment:

Name: Email: Site:

| Explore users | New posts | Create your blog | Create your photo album |
| About Postbit | Our blog | Terms of use | Contact Postbit |

Copyright © 2018 -