Essential Drupal security modules
We, at Drop Guard, are extremely concerned about all things Drupal security. Security is not something that can be taken for granted after ordering a security review, or passing through a "security checklist", or even after switching to Drop Guard for updates handling. We should always remember that security is a continuous process, and it consists of numerous bits and pieces requiring your attention all the time.
Luckily enough, Drupal is a highly modular system, and instead of reinventing the wheel we can take advantage of the existing and battle tested solutions which are aimed at helping us with ensuring the continuous security for our applications.
We've collected the essential security-related modules in our view, and split them into two categories - passive (designed to monitor and provide information) and proactive (designed to take action or make changes to application configuration to ensure stronger security).
1. Security Review
The Security Review module automates testing for many of the easy-to-make mistakes that render your site insecure.
It contains more than a dozen of useful checks, such as file system and Drupal permissions, failed logins attempts logging, arbitrary PHP execution prevention, exposing sensitive information to the outside world and others.
It's the ultimate reporting tool which should be used on any development website before going to production, and you should make a habit of doing Security Review checks at least once in several months. It's up to you, however, whether to keep this module enabled all the time or not, depending on how often you change the environment.
This module scans the currently installed Drupal, contributed modules and themes, re-downloads them and determines if they have been changed by comparing your version with the pristine version from Drupal.org.
While this module may not be necessary for the Drop Guard protected websites (as it has the modifications detection built-in) it's an invaluable weapon against the unwanted code changes, made by a malicious intruder or a careless developer.
You may wonder why the Coder module is on our list, as it is not directly related to security and widely considered more of a "coding standards" tool.
That's true - it checks the Drupal code against the standards and can fix coding standard violations. However, it can also help to find SQL injection vulnerabilities and access bypass problems.
Definitely a must, especially in conjunction or as a part of the automated testing suite used in your project.
1. Security Kit
SecKit provides Drupal with various security-hardening options. This lets you mitigate the risks of exploitation of different web application vulnerabilities, such as Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Clickjacking and a handful of others. Be aware, though, that the browsers support may be limited, and you should know what are you doing before applying any changes with this module. If unsure, check the documentation first.
2. Password policy
This module provides a way to enforce restrictions on user passwords by defining password policies.
It does a lot of stuff related to the passwords handling, and the configuration options are limitless.
Why it's important? Many vulnerabilities for Drupal usually require some authenticated access to be exploited, and if your editors or regular users can create the "12345" type of passwords, the risks of being compromised become extremely high.
The Paranoia module automatically detects all the places in your application that allow users to evaluate PHP and then blocks it. In this way, it prevents the potential attack by an attacker who can evaluate PHP code to gain access to Drupal website.
Just imagine you have a huge site, and one of the developers decides to take a shortcut by silently inserting a piece of PHP to control the visibility, permissions, or just to enable some fancy logic. Depending on your situation, this case may become unnoticed, and you will end up with a PHP code in the database, and PHP filter enabled.
So unless you're the only one maintaining a project or the team is extremely skilled and always sticks to best practices, we recommend to give this module a try.
PS. Yes, we're aware of hundreds of thousands of websites using Views PHP and modules alike, but we still think there is no excuse for using them.
Encrypt is a Drupal module that provides an application programming interface (API) for performing two-way data encryption. This is useful for storing sensitive information.
Encrypt and the dependent modules are valuable in cases where you have to store the sensitive data and don't want it to be exposed in any way, sometimes even to your fellow developers. This way it is possible to encrypt IP addresses, emails, password hashes, Form API data and so on. In case someone obtains the full or partial database dump, the data stored there will be completely useless if the key is missing.
Key module allows to mitigate the problem of storing keys on the same server where Drupal is installed. It acts as the bridge between the various encryption/API modules and an external key manager. With this module, you can specify where and how your keys are stored.
There is also a chance both Key and Encryption suits will no longer be necessary, provided that password-based public-key encryption project will be a part of Drupal 8 core. We are very curious about it!
PS. Thank you, dear readers, for support and valuable feedback!
Anything we've forgot about? A useful module you want to share? Let us know in the comments!