Drupal Website Security Tutorial

Drupal is increasingly gaining some popularity popularity and at the same time it is also becoming a big target for cyber criminals. There are thousands of CMS platforms out there but we should not forget that hackers are really good at what they do so it hardly matters for them what kind of website you run. Hence, to be on a safer side it is imperative for you to secure your website. This tutorial takes us through the guidelines to Improve the Security of your Drupal Website.

You will also want to read:

A Basic Guide to Drupal Website Managemen

 Drupal Website Maintenance tutorial

 Drupal configuration tutorial

 How to Speed Up Your Drupal Website

 How to address "failed Drupal Clean url Test"

 Installing a new Drupal website

Let us now look at these guidelines one after the other:

  • Updating your site regularly
This is one thing which everybody knows but only a few apply it and it make it their practice. The bugs and security issues that were present in the previous version have been fixed in the new one and by updating your Drupal website on a regular basis, you are protecting it well from the hackers. Make sure that whenever the core modules in your Drupal site are released they are always up-to-date to the latest version.

  • Strong admin password
Password is the area where you should put your main focus. Everybody use passwords and they know its value and what crucial part it plays in a website. Still many people commit mistakes by keeping a very generic password which is very easy to predict. This makes the security of your site weak. You should put a very difficult , strong and impossible to predict password. A good way of strengthening your password is by keeping it alpha-numeric along with upper case and lower case text.

  • Change Password Often
Password of your website should be changed in every 90 days, at least once. It is not safe to keep one password for a long time as it reduces the risk of security. Hence, changing password oftenly is a good way to secure your site.

  • Backup
Keeping a backup of your work is always a good practice. Taking a backup of your working site before making any changes to it is a good practice of securing yourself from any future risks. Make sure that your backup is kept locally and not on web servers as keeping it on web servers might increase the security risks of your Drupal site.

  • Restrict Uploading
Drupal consist of a core module called `Upload Module' which enables the users to upload image files. Make sure that you limit the types of files for uploading.
Providing a good experience to the users is a must for you, and this can be done by securing your Drupal site. If your visitors will face security obstacles constantly, they will definitely not return again to your site. Hence, to achieve success in your business it is important for you to secure your website.

You will also want to read:

A Basic Guide to Drupal Website Managemen

 Drupal Website Maintenance tutorial

 Drupal configuration tutorial

 How to Speed Up Your Drupal Website

 How to address "failed Drupal Clean url Test"

 Installing a new Drupal website


How to change your Drupal website password

This section will show you how to change the password for your Drupal website.

First you need to login to your Drupal site before you proceed with the rest of the tutorial.

1) Click the your user account in the top right corner

2) Then click the Edit tab

3) Enter a new password here

4) Then click Save

The password has been successfully changed

That is it. You now know how to change your Drupal password

How to change Drupal admin username

In this section, we will show you how to change the default admin username for your Drupal website. This can be helpful to basic attempts to illegally gain access to your website.

1) Login to your Drupal admin account.

2) Go to the People page.

3) Click the Edit link for the admin account.

4) Enter the new username you wish to use.

5) Click save


How to update your Drupal website version

Keeping your site up-to-date is very important because it helps reduce the possibility of unpatched security vulnerability being used to breach your site.

You can tell you need to update when you see the following notice in your admin dashboard.

update

Begin with a backup.

No matter how you upgrade your site, we HIGHLY recommend that you backup your website before attempting any upgrade process.

Plugins/Modules/Themes

Please be aware that some updates may break plugins, modules and/or themes you have installed. It is recommended that you check to make sure that all the plugins and themes you use are compatible with the new version of Drupal you plan on upgrading too.

How to Upgrade Drupal

We are now going to show you two methods of updating your site.

Web Apps via cPanel

This method requires that you installed Drupal via the Web Apps tool in cPanel.

1) Login to Site Admin

2) Go to the Install & manage Web Apps link from the Web Apps section of the left menu.

3) Click Manage Installed Apps

4) Click the Upgrade link under the version number of the site you wish to

5) Click the Upgrade button when prompted

6) You may be prompted to visit a link after the files have been upgraded. If you are, please click the link and follow the steps located on the page. This is so that the database and other configuration files can be updated.

Once you have followed all the steps on the final page (step 6), your site should be fully updated.

Manuel Update

This method requires basic knowledge of FTP and how to transfer files.

Because of the complicated nature behind manual updates, we recommend following the steps located at drupal website


How to Stop Spam in Drupal

Drupal is a popular software and content management system used for classic website production. Like every other software, Drupal has its downsites, one of which is the issue of spam.

This post will teach you how to deal with this problem. How to overcome spamming issues associated with Drupal.

The following steps will guide you through overcoming this very serious problem in Drupal:

1. Approval features

By default, Drupal has a feature that allows you to either completely block or moderate all user registrations.

Go to Configuration > Account settings. You can set "Who can register accounts" to a couple of useful settings:

        Administrators only: this will block all registrations.

        Visitors, but administrator approval is required: This will require you to manually approve all users.

You will also want to read:

A Basic Guide to Drupal Website Managemen

 Drupal Website Maintenance tutorial

 Drupal configuration tutorial

 How to Speed Up Your Drupal Website

 How to address "failed Drupal Clean url Test"

 Installing a new Drupal website

2. E-mail verification

This feature allows you to require e-mail verification before a user account becomes active. This adds a significant hurdle for spammers. Go to Configuration > Account settings to enable this feature.

3. Block certain user details

If you have a lot of spam registrations, there's a good chance there will be some patterns in the spam user details. For example, you might have a lot of users signing up as "John Smith" or using .ru email addresses.

Certain features with Drupal user_restrictions allows you to block both emails and usernames based on certain patterns.

4. Enable Captchas

Captcha provides easy integration with your Drupal registration forms.

However, Captchas have several problems. They can often be hard for even normal users to see. They are also not good for users with visual disabilities.

5. Block by location

Drupal allows you to black-list or to white-list access to a Drupal site by countries. It's not the most sophisticated technique because determined spammers will find a way around these restrictions, but it will block a lot of low-level spam attempts.

6. Use 3rd party spam tools

There a wide variety of 3rd party systems that try to prevent spam registrations. These are often paid services. We will noe eamine 10 ways that generally help to stop spam in Drupal

10 Ways to Stop Spam in Drupal

Complaints about spam user registrations in Drupal abound. In this tutorial, we show you 10 ways to stop spam registrations in Drupal.

#1. Core approval features

Drupal has a default feature that allows you to either completely block or moderate all user registrations.

Go to Configuration > Account settings. You can set "Who can register accounts" to a couple of useful settings:

    Administrators only: this will block all registrations.
    Visitors, but administrator approval is required: This will require you to manually approve all users.

#2. E-mail verification

Another Drupal core feature allows you to require e-mail verification before a user account becomes active. This add a significant hurdle for spammers. Go to Configuration > Account settings to enable this feature.

https://drupal.org/project/user_verify add some more sophisticated options to the email verification process, including the requirement for the user to enter a special token.

#3. Block certain user details

If you have a lot of spam registrations, there's a good chance there will be some patterns in the spam user details. For example, you might have a lot of users signing up as "John Smith" or using .zu email addresses.

https://drupal.org/project/user_restrictions allows you to block both emails and usernames based on certain patterns. Here's an example which blocks .zu domains:

#4. Captchas

A Captcha presents a visual challenge that is supposed to be difficult for spammers to solve. https://drupal.org/project/captcha provides easy integration with your Drupal registration forms.

However, Captchas have several problems. They can often be hard for even normal users to see. They are also not good for users with visual disabilities.

https://drupal.org/project/riddler is an interesting variation on a captchas. It allows you to ask a question that will probably stump spambots:

#5. Honeypots / Secret form fields

One spam-defeating technique that we've found to be very effective is hidden fields. You add an extra input field to every form and then hide it with CSS. Humans never see the field but spambots do and when they fill in the field the form is discarded.

https://drupal.org/project/spamicide is a module that makes it easy to create hidden fields.

This technique is often called a Honeypot and there's a module with the same name: https://drupal.org/project/honeypot. Click here to read the modules's author explaining the meaning behind the name "Honeypot".

There are some funny variations on this idea. For example, https://drupal.org/project/simpleantispam add a visible checkbox marked "I'm not a spammer" and a hidden checkbox marked "I'm a spammer":

#6. Block by location

http://drupal.org/project/geoblocker allows you to black-list or to white-list access to a Drupal site by countries.

It's not the most sophisticated technique because determined spammers will find a way around these restrictions, but it will block a lot of low-level spam attempts.

Certainly it's worth considering if your site is specifically focused on one location and you have little to no interest in overseas users.

#7. Secret codes

If you have a site without a large audience, you could consider giving out a secret code to potential members.

https://drupal.org/project/mothermayi allows you set a secret code that people must enter in order to register successfully.

#8. 3rd party spam tools

There a wide variety of 3rd party systems that try to prevent spam registrations. These are often paid services. Here are some of the most popular:

    Mollom: https://drupal.org/project/mollom
    Stop Forum Spam: https://drupal.org/project/spambot
    Cloudflare: https://drupal.org/project/cloudflare

#9. Delayed roles

https://drupal.org/project/role_delay is an interesting approach. It allows you to slowly give users more permissions over time.

For example, a brand new user might not be able to post comments or forum posts. Over time they can automatically be moved into Drupal user roles with more permissions.

#10. Warning message

https://drupal.org/project/warning made me smile. Instead of providing a sophisticated technical solution, the Warning module simple tells your users that you won't tolerate spam.

  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

How to Speed Up Your Drupal Website

Drupal is one the top Content Management Systems used for web designing today. Like every other...

Installing a new Drupal website

This article takes you through how to install or set up a Drupal website on the internet.Step 1:...

Drupal configuration tutorial

To configure basic settings for your Drupal website, you first need to login to your Drupal...

Drupal Website Maintenance tutorial

Managing your Drupal website involves performing a lot of tasks which include securing your...

A Basic Guide to Drupal Website Management

Drupal is a popular content management system with lots of free add-on and features which...

Powered by WHMCompleteSolution