Serving millions of websites all over the world, Drupal has become one of the most popular publishing tools and content management systems on the web. Because of this popularity, however, Drupal-powered websites have become a major target for attackers. We have therefore summarized some useful tips on how to increase Drupal site security, and list them below in an easy-to-understand way.
Select a Safe Hosting
Drupal is free and open source, and works well on web servers that support PHP and a MySQL database. At present, many web hosts include it in their hosting packages to attract customers, but not all of them can guarantee a safe and secure environment. Therefore, you’d better choose a reliable hosting company that reduces vulnerabilities and the frequency of attacks by using technologies such as SSH, SSL, and firewalls.
To find this kind of company, you can consult review websites for recommendations, or ask for advice from the large and supportive Drupal community.
Keep Everything Updated
Both Drupal core and Drupal modules have to be kept up to date. This is because the standard new releases are only developed and published when vulnerabilities and loopholes have been detected. Once the new version is out, the patch, and with it the weakness in the old version, is public. This means attackers can get into your site easily if your core and modules are not the latest releases.
In case you do forget this important practice, you’d better remove the CHANGELOG.txt file that comes with the installation. That way, others can hardly tell which version of Drupal core and Drupal modules you are using.
Secure Login Operation
The security of the login operation is another critical part that webmasters need to pay attention to. As a website administrator, you’d better limit the number of invalid login attempts, and ensure that IP addresses making repeated attempts to crack your password are banned temporarily or permanently.
You can do this with a powerful Drupal module called Login Security. This module can not only restrict access attempts, but also notify people via e-mail when something abnormal is happening with login, such as account guessing and password brute forcing.
Make Use of CAPTCHA
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It consists of some random letters and numbers that are generated automatically for people to enter, and is used to determine whether the user is human or not. Webmasters can therefore use it to block bad submissions from spambots.
Block the Access to Important Files
You can restrict access to some sensitive files, such as authorize.php, upgrade.php, cron.php and install.php, via .htaccess. With this in place, no one except you can reach these core files of your site to do harm. The lines of code are as follows.
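One way to write such rules, as an added example rather than the article's own listing. It assumes an Apache server that honours .htaccess overrides, and the address 203.0.113.10 is a placeholder for the administrator's IP:

```apache
# Added example: place in the .htaccess file in the Drupal web root.
# Assumption: AllowOverride permits AuthConfig (2.4) or Limit (2.2).
# 203.0.113.10 is a placeholder documentation address; replace it
# with the administrator's own IP.

# Apache 2.4 (mod_authz_core).
<IfModule mod_authz_core.c>
  # Script names are the ones listed above; update.php, the name
  # Drupal core uses for its update script, is included as well.
  <FilesMatch "^(authorize|upgrade|update|cron|install)\.php$">
    # Several Require lines without a container act as "any of".
    Require ip 203.0.113.10
    # Keeps a cron job on the server itself able to call cron.php.
    Require local
  </FilesMatch>
</IfModule>

# Fallback for Apache 2.2, which lacks mod_authz_core.
<IfModule !mod_authz_core.c>
  <FilesMatch "^(authorize|upgrade|update|cron|install)\.php$">
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 127.0.0.1
  </FilesMatch>
</IfModule>
```

After deploying, request each script from an address that is not on the allow list and confirm the server answers 403. If the site sits behind a reverse proxy or CDN, Apache sees the proxy's address, so the allow list only works once the real client IP is restored.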
Use Strong Passwords
We have emphasized this many times, but again, using strong passwords is very important. Many people use a birthday, a phone number, or some simple words as their passwords, but the fact is that hackers can work out these logical combinations easily. Therefore, you’d better use illogical ones with letters, numbers, and symbols combined randomly. In addition, you can make use of some useful tools that are used to generate passwords well, such as Password Policy.
Utilize Security Modules
In fact, Drupal has a lot of powerful modules that can be used to enhance the security of your Drupal sites. The most relevant module categories are Security, User Access, and Spam Prevention. You only need to go to Drupal.org to download the ones you need and install them on the website; then you can sleep well all night without worrying that your site might be hacked unexpectedly.
Keep Backing Up the Website
If you have adopted all of the methods presented above, the possibility of being hacked is greatly reduced. However, that doesn’t mean the probability is zero. After all, while Drupal developers are updating the core continuously to remove vulnerabilities, hackers are also coming up with new ways to find a loophole. You’d therefore better make a habit of backing up your website regularly, let’s say at least twice a week. Then, if your site has been destroyed, you can get back to normal easily with the backup files. Note that if you have made some critical changes to your site, you should create a backup at once.