7 Drupal security best practices

1. Use the latest version

Organizations that host Drupal in private or public data centers should always run the latest version of the platform and its modules because these versions include the latest security patches. Additionally, because Drupal is open source and widely used, hackers may have advanced knowledge of vulnerabilities they can exploit against organizations.

Admins should frequently check their Drupal admin interface and review the reports on the portal to identify whether updates are available for the current version.

2. Back up websites regularly

A Drupal website backup requires admins to create copies of their site's database and files to prevent data loss. Admins should perform backups regularly and establish a policy that requires the organization to retain several copies of the backups on-site and off-site.

Cybersecurity tools, like Acronis or custom scripts, can help admins automate this process. Organizations that require a more in-depth disaster recovery plan can use data backup tools, such as Veeam or Rsync, to protect server configuration and settings.

3. Secure file permissions

File permissions dictate who can read, write or execute files on a server. Admins must set and configure these permissions correctly to protect content from unauthorized access.

Ideally, admins should set these permissions right after the installation and configuration to avoid functionality issues. If they wait, any changes to file permissions can block critical Drupal features.

4. Enable two-factor authentication

Two-factor authentication, a type of multifactor authentication, adds a layer of security that requires users to verify their identity through two methods, such as a password, physical token or one-time code sent to their phones.

Drupal admins should install the two-factor authentication module in the platform to enforce its use within the web portals and apply it to both end users and admins.

5. Limit user roles and secure permissions

For both user and admin permissions, Drupal admins must implement a data governance policy to ensure users can only access files they need. This security measure requires strategic planning and clear policies to avoid excessive permissions, or giving users access beyond what they need to do their jobs. Overpermissioned accounts can lead to accidental changes and data breaches.

6. Monitor logs for suspicious activity

Like many other platforms, Drupal offers logs that record site activities, such as login attempts, configuration changes and errors. Admins can check these logs for abnormal behavior and possible unauthorized access attempts, including failed logins, unauthorized administrative changes, and access from unsafe and external IP addresses. These logs can help admins identify vulnerabilities and improve their site's overall security posture.

Several security monitoring tools in the marketplace, like Watchdog and Splunk, offer real-time alerts based on predefined or custom rules.

7. Deploy SSL for the intranet

Admins can sometimes overlook or ignore the server's HTTP traffic, which refers to the communication between a web browser and a server. So, admins should use an SSL certificate to encrypt all authentication and data access between the end user's browser and the web server. This practice prevents bad actors from intercepting data during transmission.

Reda Chouffani runs a consulting practice he co-founded, Biz Technology Solutions Inc., and is CTO at New Charter Technologies. He is a technology consultant with a focus on healthcare and manufacturing, cloud expert and business intelligence architect who helps enterprises make the best use of technology.