Drupal is known for its strong security, but only if you configure and maintain it correctly. In this guide, we cover all essential security measures to protect your Drupal website from attacks.

Why Drupal Security is Important

Drupal is used by governments and large organizations precisely because of its good security. But every website is a potential target:

• Hackers look for vulnerabilities
• Malware can infect visitors
• Data can be stolen
• Your site can be misused for spam

With the right measures, you can prevent 95% of all attacks.

Updates as the First Line of Defense

Updates are the most important security measure for Drupal.

Follow Security Advisories

Drupal publishes security updates at regular intervals:

1. Follow the Drupal Security Team
2. Subscribe to security notifications
3. Security releases come on Wednesdays
4. Critical updates are announced immediately

Update Drupal Core

Always keep the core up-to-date:

1. Go to Reports and then Available updates
2. You will see available updates
3. Security updates have a red label
4. First, make a backup
5. Execute the update

Via Composer (recommended):

# Check available updates
composer outdated drupal/*
# Update Drupal core
composer update drupal/core-recommended drupal/core-composer-scaffold --with-all-dependencies
# Execute database updates
drush updatedb
drush cache:rebuild

Update Modules

Modules can also have security vulnerabilities:

1. Go to Reports and then Available updates
2. Check the Security updates only tab
3. Update modules with security issues first

# Update all modules
composer update drupal/*
# Update specific module
composer update drupal/webform

Strong Passwords and Authentication

Weak passwords are a common vulnerability.

Set Password Policy

1. Go to Configuration and then People
2. Click on Account settings
3. Configure password requirements:
• Minimum length
• Required characters (uppercase, numbers, special characters)
4. Save the settings

Password Policy Module

For more extensive policy:

composer require drupal/password_policy

Configure rules for:

• Minimum password length (12+ characters)
• Required character types
• Password history
• Expiration date

Two-factor Authentication

Add an extra layer of security:

composer require drupal/tfa

Configuration:

1. Go to Configuration and then TFA
2. Choose authentication method (TOTP, recovery codes)
3. Require 2FA for administrators
4. Users set it up via their profile

Limit User Permissions

The principle of least privilege is essential.

Review Roles

1. Go to People and then Permissions
2. Check each role for unnecessary permissions
3. Remove permissions that are not needed
4. Pay special attention to:
• Content management permissions
• Admin permissions
• PHP execution permissions

No PHP in Content

The PHP Filter module has been removed from Drupal 8+ for good reasons. Never install this. Instead, use:

• Custom modules for dynamic functionality
• Twig templates for rendering

Limit Admin Accounts

1. Minimize the number of admin accounts
2. Use specific roles instead of full admin
3. Regularly review who has what access

File Permissions and Server Security

Correct file permissions prevent many attacks.

Recommended Permissions

Drupal requires specific permissions:

# Directories: 755
find /path/to/drupal -type d -exec chmod 755 {} \;
# Files: 644
find /path/to/drupal -type f -exec chmod 644 {} \;
# sites/default/files writable
chmod 755 sites/default/files
# settings.php readonly
chmod 444 sites/default/settings.php

Secure settings.php

After installation, settings.php should be readonly:

chmod 444 sites/default/settings.php
chmod 555 sites/default

Trusted Host Settings

Configure which hostnames are valid in settings.php:

$settings['trusted_host_patterns'] = [
  '^www\.yourdomain\.nl$',
  '^yourdomain\.nl$',
];

This prevents host header attacks.

Configure SSL/HTTPS

All Drupal sites must use HTTPS.

Activate SSL

At Theory7 hosting, SSL is available for free:

1. Activate Let's Encrypt in DirectAdmin
2. Wait for the certificate to be created
3. Test if HTTPS works

Force HTTPS

Force HTTPS via .htaccess:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Or via settings.php:

$settings['https'] = TRUE;

Secure Cookies

Ensure cookies are only sent over HTTPS:

// In settings.php
ini_set('session.cookie_secure', 1);

Install Security Modules

Additional modules strengthen your security.

Security Kit

composer require drupal/seckit

Configures:

• Content Security Policy (CSP)
• Clickjacking protection
• Cross-site scripting (XSS) prevention

Honeypot

Protects against spam bots:

composer require drupal/honeypot

Adds invisible fields that bots fill in, legitimate users do not.

Flood Control

Protects against brute force attacks:

composer require drupal/flood_control

Configure limits for:

• Login attempts per IP
• Login attempts per account
• Contact form submissions

reCAPTCHA

Protects forms against bots:

composer require drupal/recaptcha

Configure with your Google reCAPTCHA keys.

Monitoring and Logging

Quickly detect issues through good monitoring.

View Drupal Logs

1. Go to Reports and then Recent log messages
2. Filter by severity level
3. Watch for repeated errors
4. Check for suspicious activity

Configure Database Logging

1. Go to Configuration and then Development
2. Click on Logging and errors
3. Set how many messages are retained
4. Log errors to syslog for permanent storage

External Monitoring

Consider external monitoring for:

• Uptime monitoring
• Security scans
• Performance metrics
• SSL certificate expiration

Backup Strategy

Backups are your last line of defense.

Backup and Migrate Module

composer require drupal/backup_migrate

Configure:

1. Automatic daily backups
2. Storage at an external location
3. Keep multiple versions
4. Regularly test restoration

DirectAdmin Backups

Combine with DirectAdmin backups for extra security.

Security Checklist

Regularly check:

• Drupal core and modules up-to-date
• Strong passwords for all accounts
• Two-factor authentication for admins
• Minimum permissions per role
• File permissions correct
• HTTPS active and enforced
• Security modules installed
• Logging active
• Backups working

Related Articles

• Drupal backup and migration
• Drupal basic configuration
• Drupal modules and themes
• More information about Drupal hosting at Theory7

Need Help?

We are here for you! Are you facing any issues or do you have questions? Our support team is happy to assist you personally. Send us a message via the ticket system - we usually respond within a few hours and are happy to help.