Best Drupal Security Modules

Drupal is the world's third most widely used Content Management System. Like any other major platform such as WordPress and Joomla, Drupal security is also a big concern for business owners. With the increase in Drupal’s popularity, the chances of a Drupal site coming under cyber attack are higher than ever. Thus, you can never take your website’s security for granted. In fact, security is a continuous process that needs your attention at all times. Because the security breach will not only affect your website resources but also put your website reputation at stake.

Also read:Beginner Tips And Tricks For Drupal Websites

Drupal is an extremely powerful system and it has numerous security modules to prevent any breaches. It is good practice to make use of Drupal security modules to the minimize security of your Drupal website. This post takes you through the steps and actions you need to take to boost your Drupal security. We have carefully selected a list of must-have Drupal security modules that will boost your Drupal website security and help you escape any potential cyber-attack. Take a look.

Also read:A Detailed Guide on How to Remove Google Blacklist Warning

Drupal Security Modules

We will consider four categories of Drupal security modules namely:

  1. Authentication modules
  2. Security Review modules
  3. Spam prevention modules and
  4. Update modules

Authentication Modules

1. Login Security

  • Compatibility - Drupal 8 and below.
  • Purpose - This module helps site administrators add restrictions to the login flows in a Drupal site. For instance, one can limit the number of invalid authentication attempts before blocking an account, deny access from specific IPs and so on. It also notifies you over email or through Nagios notifications if the login form is under attack with brute force methods or username/password guessing attempts.
  • Known issues - None.
  • Download

2. Password Policy

  • Compatibility - Drupal 8 and below.
  • Purpose - This Drupal security module can be used to define constraints and rules for setting account passwords. For instance, a site administrator can define a rule stating that all passwords must have one uppercase letter, a number and a special symbol.
  • Known issues - None.
  • Download

3. Two-Factor Authentication

  • Compatibility - Drupal 7 and below.
  • Purpose - This module allows site administrators to define two-factor auth strategies for authentication. It ships with a variety of mechanisms—time-based one-time passwords/PINs, codes delivered over text messages, pre-generated codes and a lot more.
  • Known issues - None.
  • Download

4. Username Enumeration Prevention

  • Compatibility - Drupal 8 and below
  • Purpose - Attackers can try accessing a Drupal website using username enumeration. The idea is to find out if a username exists by entering random usernames; if a username doesn’t exist, Drupal says so. When a username does exist, Drupal displays a message stating that the auth credentials are invalid, thus telling the attacker that a valid username has been found. This module replaces the standard unknown username error message, thus making it impossible for attackers to use this technique successfully.
  • Known issues - There may be usernames included in comments and nodes that this module may not detect—that could lead to a situation where username enumeration can be exploited.
  • Download

5. ACL

  • Compatible versions - Drupal 8.
  • Purpose - This module doesn’t ship with a UI—it’s essentially a set of APIs that allow other modules to create a list of users, and allow them selective access to certain nodes.
  • Known issues - None.
  • Download

6. Content Access

  • Compatibility - Drupal 7 and below.
  • Purpose - This Drupal security module helps you define detailed permissions on specific content types, both by role and by author. You can specify view/edit/delete permissions in a fine-grained manner.
  • Known issues - Since this module uses Drupal’s node API, it’s recommended that you do not install other modules that use the same endpoints. Also, this module isn’t covered by the Drupal security advisory policy.
  • Download

7. Flood Control

  • Compatibility - Drupal 8.
  • Purpose - This module adds a section to the administration UI, for modifying hidden flood control parameters—login attempt limiters among others, for instance.
  • Known issues - None.
  • Download

8. Automated Logout

  • Compatibility - Drupal 8.
  • Purpose - This module allows site administrators to define a policy which automatically logs out users after a specified inactive period. Timeouts can be customized by role, as well as integration with Javascript-based timers.
  • Known issues - None.
  • Download

9. Session Limit

  • Downloads - 58,454
  • Reported installs - 12,240
  • Compatibility - Drupal 8.
  • Purpose - This module helps limit the number of simultaneous sessions allowed for users. Policies can be configured for individual users, as well as for roles.
  • Known issues - None.
  • Download

10. LDAP

  • Compatibility - Drupal 8 and below.
  • Purpose - If your organization uses an LDAP server for authentication/authorization, this module helps you configure Drupal to use the same LDAP credentials for your Drupal site.
  • Known issues - None.
  • Download

11. Google Apps Authentication

  • Compatibility - Drupal 6 and below.
  • Purpose - If you use Google Apps for Business, then this module allows you to use Google App credentials for user authentication and authorization inside Drupal.
  • Known issues - This module isn’t covered by the Drupal security advisory policy.
  • Download


Security Review

1. Security Kit

  • Compatible versions - Drupal 8.
  • Purpose - This module helps site administrators set up various options that help mitigate the exploitative risks of various vulnerabilities. For instance, it can help set up HTTP headers that help check cross-site scripting and forgery, as well as clickjacking and more.
  • Known issues - None.
  • Download

2. Security Review

  • Compatibility - Drupal 8.
  • Purpose - This module automates a lot of tests that help you determine if your site is vulnerable to a lot of traditional attack vectors. It runs tests to check for XSS exploits, the presence of PHP or Javascript in content nodes, arbitrary PHP execution, SQL injection attacks and a lot more.
  • Known issues - while the module covers a lot of ground, the checks provided by this module don’t necessarily mean your site is completely locked down and secure.
  • Download

3. Paranoia

  • Compatible versions - Drupal 7 and below.
  • Purpose - Aptly named, this module tries to identify all the places where a user can evaluate arbitrary PHP code, and then goes ahead and blocks it. It helps reduce the chances of an attacker gaining elevated permissions to a Drupal site.
  • Known issues - None.
  • Download

4. Coder

  • Compatible versions - Drupal 8 and below.
  • Purpose - Coder checks your Drupal code and identifies places where best practices aren’t being followed. It must be noted that Coder is more of a command-line tool, with IDE support.
  • Known issues - None.
  • Download

5. Secure Pages Hijack Prevention

  • Compatible versions - Drupal 7 and below.
  • Purpose - This module helps prevent hijacked sessions from accessing pages that are SSL-enabled, while allowing users to stay authenticated while they’re browsing non-SSL pages.
  • Known issues - This module isn’t covered by the Drupal security advisory policy.
  • Download


Spam Prevention

1. Captcha

  • Compatible versions - Drupal and below.
  • Purpose - The age-old Captcha system is one of the best methods with which to secure submission forms of any kind from spambots. This module helps site administrators to include Captcha support with any kind of form, on their Drupal website.
  • Known issues - None.
  • Download

2. SpamSpan

  • Compatible versions - Drupal 8 and below.
  • Purpose - The SpamSpan module obfuscates email addresses, to prevent spambots from collecting them. The advantage of using SpamSpan is that it uses Javascript for obfuscation, which helps with accessibility.
  • Known issues - None.
  • Download

3. Block Anonymous Links

  • Compatible versions - Drupal 7 and below, pre-release version available for Drupal 8.
  • Purpose - Most spam comments contain links, and most spambots don’t register on sites they’re out to spam. This module goes ahead and blocks links on anonymous comments.
  • Known issues - None.
  • Download



Drupal Core Update module

  • Downloads - NA
  • Reported installs - NA
  • Compatible versions - NA
  • Purpose - One of the best ways of ensuring your Drupal site is always protected is to make sure updates to the Drupal core are installed regularly. These updates can contain either security patches or incremental upgrades. This is a core module, and its importance can’t be overstated when it comes to making sure your Drupal site is well-maintained, and in sync with Drupal’s codebase.
  • Known issues - None.
  • Information


Additionally, Keep to These Security Measures

1. Update Drupal and Modules

Always keep your version of Drupal and your modules up to date. Developers patch these for a reason and if you fail to keep up with the most recent updates, you will open yourself up to a lot of vulnerabilities, as hackers generally target older software versions. Such as the attack in October 2014 in which millions of Drupal websites were affected. You can always download the latest version of Drupal from

  1. To run updates, navigate to “Reports” → “Available Updates.”
  2. You can then click on “Check manually” to scan for additional updates.

It is also recommended to only use trusted Drupal modules and themes. Get your modules and themes from the Drupal repository or from well-known companies. This will cause less problems for you in the future.

If you are installing Drupal for the first time you might see a warning about problems with your Drupal installation, referring to your “Trusted Host Settings” not being enabled.

As of January 2015, Drupal 8 supports trusted host patterns, where you can (and should) specify a set of regular expressions that the domains on incoming requests must match. Example configuration in settings.php would read:

$settings['trusted_host_patterns'] = array(

Remember to always maintain a back up of your website before you run updates! If you maintain regular backups this allows you to easily rollback if anything goes wrong and you are unable to rovide a fix. The alternative is to test your updates locally using software like XAMPP or MAMP.

There is also a very popular free backup and migrate module available for Drupal. This module can do the following:

  • Backup/Restore multiple MySQL databases and code
  • Backup of files directory is built into this version
  • Add a note to backup files
  • Smart delete options make it easier to manage backup files
  • Backup to FTP/S3/Email or
  • Drush integration
  • Multiple backup schedules
  • AES encryption for backups

Note: this module is currently being ported to Drupal 8. If you run earlier versions, we recommend simply exporting your MySQL database and backing up files manually.

2. Use Smart Usernames and Passwords

Don’t use “admin” as your username and choose a complex password whish will include capital letters, special characters, number, small letters and not less than eight digits. This is probably one of the best ways to harden your Drupal security, and ironically it is one of the easiest. However many people use something they can easily remember such as “1234567” and end up regretting later when they are caught with a brute-force attack. Remember there are bots constantly crawling the internet and as your site grows they will always be trying to spoof your login.

Approximately 76 percent of attacks on corporate networks involved weak passwords. - Appliedi

The good thing about Drupal is that it lets you update your administrator’s username from the dashboard. Follow these quick steps.

  1. Click into the “People” → “Edit” next to your administrator account.

  2. Then simply change the value in the “Username” field and click “Save.”

We also recommend using a free program like KeePass or KeePassX which allow you to generate secure passwords and store them in a database locally on your computer.

3. Use Drupal Security Modules

There are lots of Drupal security modules which will lock down your site and help protect you from brute-force attacks. These plugins allow you to block malicious networks, rate limit or block security threats, enforce strong passwords, scan for vulnerabilities, see which files have changed, implement a firewall to block common security threats, monitor DNS changes, and much more. We have earlier examined a lot of Drupal security modules you will always find useful and we will once again list a few:

  • Login Security: Limit number of login attempts and deny access by IP address.
  • ACL: Access control lists for access to nodes.
  • Password policy: Define more security password policies for users.
  • Captcha: Block form submissions from spambots/scripts.
  • Automated Logout: Allows administrator ability to log out users after specified time period.
  • Session Limit: Limit the number of simultaneous sessions per user.
  • Content Access: Permissions for content types by role and author.
  • Coder: Checks your Drupal code against coding standard and best practices.
  • SpamSpan filter: Obfuscates email address to help prevent spambots from collecting them.
  • Hacked!: Check to see if there have been changes to Drupal core or themes.

You can also scan your site with Sucuri’s Website Malware and Security Scanner and Unmask Parasites. If the test doesn’t show any threats, it does not guarantee your website is completely secure, it just shows that the site poses no immediate threat to visitors.

4. Block Bad Bots

There are always bad bots, scrapers, and crawlers hitting your Drupal sites and stealing your bandwidth. See a comprehensive list of bots at botreports. Many of the security modules mentioned above can work great to block bad bots, but sometimes you might need to do this at the server level. If you wanted to block multiple User-Agent strings at once, you could add the following to your .htaccess file.

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.*(agent1|Wget|Catall Spider).*$ [NC]
RewriteRule .* - [F,L]

Or you can also use the BrowserMatchNoCase directive like this:

BrowserMatchNoCase "agent1" bots
BrowserMatchNoCase "Wget" bots
BrowserMatchNoCase "Catall Spider" bots

Order Allow,Deny
Allow from ALL
Deny from env=bots

And here is an example on Nginx.

if ($http_user_agent ~ (agent1|Wget|Catall Spider) ) {
    return 403;

5. Always Use Secure Connections

No matter where you are you should always trying to ensure the connections you are using are secure. You should use SFTP encryption if your web host provides it, or SSH. If you are using an FTP client the default port for SFTP is usually 22.

Note: Some FTP clients store passwords encoded or even in plain text on your computer. Even some encoded passwords can be converted back to the original. We recommend not saving FTP passwords in the client, or setting up what some call a master password.

It is also important to make sure your firewall rules are setup properly on your home router. And remember whenever you work from a public place like an internet cafe or Starbucks these are not trusted networks.

Your web host where your website resides should also be running secured hosting. This means they should be running up to date and supported versions of PHP, MySQL, account isolation, web application firewalls, etc. Be careful with cheap shared hosts as you can run into issues if they are overcrowding servers and sharing IPs.

6. Check File Permissions

To protect your website you want to make sure you are using the correct file permissions. Each directory and file has different permissions which allow people to read, write and modify them. If your permissions are too loose this could open up a door for an intruder and if they are too restrictive this could break your Drupal install as modules and Drupal core needs to be able to write to certain directories.

Drupal has good documentation on securing file permissions and ownership.

7. Block Access to Important Files

You can restrict the access to some sensitive files like authorize.php file, upgrade.php file, cron.php file and install.php file via .htaccess. This way no one except you can enter the core files of your site. See example below.

<FilesMatch "(authorize|cron|install|upgrade)\.php">
    Order deny, allow
    deny from all
    Allow from

8. Database Security

Not only do you need to check permissions on your files and block access to important files, but there are also things you can do to harden the security on your Drupal database. The first thing we recommend is using a different table prefix. If you change this to something like x3sdf_ it will make it much harder to guess by an intruder and help prevent SQL injections.

You can change your table prefix on the setup screen when you are installing Drupal. On the set up database step, simply click on “Advanced Options” to see host, port number and table name prefix.

If you already have Drupal installed you can change the database prefix via phpMyAdmin. The second recommendation would be to change your database name to make it harder to guess. Especially if you named your database

9. SSL Certificate

If you aren’t running over an HTTPS connection your username and password are sent in clear text over the internet. Many people will argue that blogs and informational sites don’t need to be running on HTTPS, but how important are your login credentials? Also, many sites have multiple authors logging in from all sorts of different networks, so running over a secured connection can only help harden your Drupal security.

With the SEO advantages of HTTPs and performance benefits of HTTP/2 there is no reason not to be using an SSL certificate.

10. Harden HTTP Security Headers

HTTP security headers provide yet another layer of security for your Drupal site by helping to mitigate attacks and security vulnerabilities. They usually only require a small configuration change on your web server. These headers tell your browser how to behave when handling your site’s content. Below are six common HTTP security headers we recommend implementing and or updating.

  • Content-Security Policy
  • X-XSS-Protection
  • Strict-Transport-Security
  • X-Frame-Options
  • Public-Key-Pins
  • X-Content-Type


These were some of the Drupal security advantages you will gain with Drupal Modules. We further looked at some of the security measures you should be implementing to secure your Drupal website. Since security is a crucial and ver important, you need to constantly check for possible security threats. We have listed our best Drupal security modules, but there are plenty of other Drupal security modules available for you to make use of.

Hope you enjoyed reading. Let us have your feedba in the comment box below.

Comments (0)

Leave a comment

Powered by Simple Blog