How to improve and manage the security of our site in Drupal
Before building a site you should know how secure the tool you are going to work with is. Drupal, as a content management system, can be considered quite secure, but security never depends solely on the tool. Keeping the site updated is essential: running outdated code with known vulnerabilities is the main cause of the security breaches that occur. As site administrator you have a series of essential tasks to perform, and Drupal itself gives you a series of configuration tips once it is installed:
Prevent visitors from creating their own user accounts. If you do want to allow self-registration, go to Administration > Configuration > People > Account settings and select 'Visitors, but administrator approval is required'. The site administrator then activates each account after receiving the request, instead of the account becoming active on its own.
Protect the first user created (UID 1). It holds administrative permissions and, on top of that, special treatment: Drupal lets it bypass every permission check. Never name this user admin or administrator, as that is the first username a potential intruder will try. You can also block it so that it cannot be used to log in, either with Drush or with the contributed Paranoia module; both require advanced Drupal knowledge.
Make sure each role has only the permissions strictly necessary. Drupal lets you manage role permissions with great precision, so you can control exactly what a given user can do on your site.
Keep the site, including contributed modules and themes, always updated, and follow the advisories published by the Drupal security team.
Enable the Testing module (simpletest) only while you need it and disable it again afterwards, as it can be used to inject malicious code.
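The following script is an added example, not part of the original article nor Drupal's own documentation. It applies the five tips above from the command line with Drush. It assumes Drupal 8 with Drush 9.2 or later (the `config:set`, `php:eval`, `role:perm:*`, `pm:security` and `pm:uninstall` commands), that it is run from the site's docroot, and that `NEW_ADMIN_NAME` and the `administer nodes` permission revoked from the authenticated role are placeholders you adapt to your site. Setting `DRUSH=echo` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: first-day Drupal hardening with Drush (Drupal 8, Drush 9.2+ assumed).
# Override DRUSH (e.g. DRUSH=echo) to print the commands instead of executing them.
set -eu
DRUSH="${DRUSH:-drush}"
NEW_ADMIN_NAME="${NEW_ADMIN_NAME:-site_owner_8f3a}"   # hypothetical, non-guessable name for UID 1

# 1. Visitors may still request an account, but an administrator must approve it.
#    Pass "admin_only" to disable self-registration entirely.
set_registration() {
    $DRUSH config:set -y user.settings register "${1:-visitors_admin_approval}"
}

# 2. Protect UID 1: give it a non-obvious name, then block it so it cannot log in.
#    UID 1 bypasses all permission checks, so it should not be a day-to-day account.
protect_uid1() {
    $DRUSH php:eval "\Drupal\user\Entity\User::load(1)->setUsername('$NEW_ADMIN_NAME')->block()->save();"
}

# 3. Least privilege: list what a role can do, then revoke anything it does not need.
audit_role() {
    $DRUSH role:perm:list "$1"
}
revoke_permission() {
    $DRUSH role:perm:remove "$1" "$2"
}

# 4. Updates: report core and modules that have a published security advisory.
check_security_updates() {
    $DRUSH pm:security
}

# 5. Do not leave the Testing (simpletest) module enabled on a production site.
disable_testing_module() {
    $DRUSH pm:uninstall -y simpletest
}

harden_site() {
    set_registration
    protect_uid1
    audit_role authenticated
    revoke_permission authenticated 'administer nodes'   # placeholder permission; pick from the audit output
    check_security_updates
    disable_testing_module
}

# Run as "./harden.sh apply"; without the argument nothing is executed.
if [ "${1:-}" = "apply" ]; then
    harden_site
fi
```

Review the `role:perm:list` output before deciding what to revoke; the permission in `harden_site` is only an illustration. On Drupal 7 the equivalents are `drush vset user_register 2`, `drush user-block` and `drush dis simpletest`.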
Beyond these settings, Drupal offers a series of contributed modules that add extra or specific security features to your installation.
The CAPTCHA module requires the user to perform a manual action to verify that the request is not being made by a machine. It mainly protects the different types of forms on your site against spam.
The most downloaded and widely used challenge, by far, is reCAPTCHA, which lets you insert Google reCAPTCHA on your site. Installation is quite simple, although it requires a Google account.
The Login Security module lets you configure the maximum number of login attempts a user can make, temporarily or permanently blocking accounts by username or by IP address. It can also notify you when an account has been blocked or when someone repeatedly tries to log in with different username and password combinations.
The Password Policy module lets you define the number of characters passwords must have (minimum and maximum), whether they must contain uppercase letters or special characters, and so on, and set a period after which a user or group of users must change their password. The available constraint types are:
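Independently of that module, Drupal 8 and later already rate-limit failed logins in core through the `user.flood` configuration: 50 failed attempts per IP address per hour and 5 per account per 6 hours by default. The following is an added example, not from the original article, that tightens those values with Drush (Drush 9+ `config:set` assumed; the numbers passed in the usage line are a suggested starting point, not Drupal defaults). `DRUSH=echo` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: tighten Drupal core login flood control with Drush (Drupal 8+, Drush 9+ assumed).
set -eu
DRUSH="${DRUSH:-drush}"

# Arguments: per-IP limit, per-IP window in seconds, per-account limit, per-account window in seconds.
# Core defaults are 50 / 3600 / 5 / 21600.
set_login_flood() {
    ip_limit="$1"; ip_window="$2"; user_limit="$3"; user_window="$4"
    $DRUSH config:set -y user.flood ip_limit "$ip_limit"
    $DRUSH config:set -y user.flood ip_window "$ip_window"
    $DRUSH config:set -y user.flood user_limit "$user_limit"
    $DRUSH config:set -y user.flood user_window "$user_window"
    # Count per-account failures by uid alone instead of uid+IP, so an attacker who
    # rotates source addresses still hits the per-account limit. The trade-off is that
    # anyone can lock a known username out for the window; --input-format=yaml stores
    # a real boolean rather than the string "true".
    $DRUSH config:set -y --input-format=yaml user.flood uid_only true
}

# Print the current flood settings for review.
show_login_flood() {
    $DRUSH config:get user.flood
}

# Usage (uncomment): 20 attempts per IP per hour, 5 per account per 6 hours.
# set_login_flood 20 3600 5 21600 && show_login_flood
```

Whatever values you choose, test them against your own IP before rolling out: a too-low per-IP limit behind a corporate NAT or a reverse proxy that does not forward the client address will lock out every legitimate user at once.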
- Character types.
- Digits.
- Letters.
- Letters / Digits (Alphanumeric).
- Length.
- Uppercase.
- Lowercase.
- Punctuation.
- Location of digits.
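To make the constraint types above concrete, here is an added example (not the module's code and not from the original article) that enforces a policy built from them in a stand-alone shell function: length, uppercase, lowercase, digit count, punctuation and digit placement. The thresholds (12 to 128 characters, at least two digits, digits not only at the start or end) are illustrative choices, not the module's defaults; counts are in bytes, which is exact for ASCII passwords.

```shell
#!/bin/sh
# Added example: a stand-alone password check implementing the constraint types listed
# above (length, uppercase, lowercase, digits, punctuation, digit placement).
# Thresholds are illustrative, not Password Policy defaults.
set -eu

# Number of characters of $1 that fall in the tr(1) character set $2.
count_in_set() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# Returns 0 if the password satisfies every constraint, 1 otherwise.
# Each violated constraint is printed on its own line.
check_password() {
    pw="$1"
    min_len="${MIN_LEN:-12}"; max_len="${MAX_LEN:-128}"
    ok=0
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    if [ "$len" -lt "$min_len" ] || [ "$len" -gt "$max_len" ]; then
        echo "length must be between $min_len and $max_len characters (got $len)"; ok=1
    fi
    [ "$(count_in_set "$pw" 'A-Z')" -ge 1 ] || { echo "needs an uppercase letter"; ok=1; }
    [ "$(count_in_set "$pw" 'a-z')" -ge 1 ] || { echo "needs a lowercase letter"; ok=1; }
    [ "$(count_in_set "$pw" '0-9')" -ge 2 ] || { echo "needs at least two digits"; ok=1; }
    [ "$(count_in_set "$pw" '[:punct:]')" -ge 1 ] || { echo "needs a punctuation character"; ok=1; }
    # Digit placement: strip any run of digits at the very start and very end; at least
    # one digit must remain, so "Passwordword!12" style suffixes do not count.
    core=$(printf '%s' "$pw" | sed -e 's/^[0-9]*//' -e 's/[0-9]*$//')
    [ "$(count_in_set "$core" '0-9')" -ge 1 ] || { echo "digits must not sit only at the start or end of the password"; ok=1; }
    return $ok
}

# Usage: check_password 'Tr0ub4dor&3xx' && echo accepted
```

Note that a checker like this only captures composition rules; it says nothing about whether the password appears in a breach list, which is the check most worth adding to any policy.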
Security Kit is a very comprehensive module that offers a wide variety of configuration options to protect your site from a range of attacks (cross-site scripting, cross-site request forgery, clickjacking) and to configure some SSL/TLS connection options. Most of these options require you to know what you are doing, as a wrong setting can break site functionality or affect its performance.
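Security Kit works largely by adding HTTP response headers, so after configuring it the practical check is to confirm those headers really reach the browser (a caching layer or reverse proxy in front of Drupal can strip them). The following is an added example, not from the original article or the module, that reads raw response headers from stdin and reports which expected ones are missing. The list of required headers is an editor's choice; adjust it to what you actually enabled. The sample response is constructed for the example.

```shell
#!/bin/sh
# Added example: verify that the security headers a module like Security Kit should set
# are present in a response. Reads raw HTTP/1.x headers on stdin, prints one line per
# missing header and returns 1 if anything is missing.
set -eu

# Headers to require (lower-case). Adjust to your Security Kit configuration.
REQUIRED_HEADERS="content-security-policy x-frame-options strict-transport-security x-content-type-options"

# Lower-case header names, one per line, from raw headers on stdin (CRLF tolerated).
header_names() {
    tr -d '\r' | sed -n 's/^\([A-Za-z0-9-]*\):.*/\1/p' | tr 'A-Z' 'a-z'
}

check_security_headers() {
    names="$(header_names)"
    missing=0
    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$names" | grep -qx "$h"; then
            echo "missing: $h"; missing=1
        fi
    done
    return $missing
}

# Constructed sample: CSP, X-Frame-Options and nosniff are set, but HSTS is not.
SAMPLE_HEADERS="HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
X-Content-Type-Options: nosniff"

check_sample() {
    printf '%s' "$SAMPLE_HEADERS" | check_security_headers
}

# Against a live site:  curl -sI https://example.org/ | check_security_headers
```

Run the live check both directly against the web server and through whatever CDN or cache sits in front of it; a header that Drupal emits but the edge drops protects nobody.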
The Automated Logout module lets the site administrator set the idle time after which a user is logged out. Different idle times can be set per role, and a specific role, such as administrator, can be exempted from automatic logout altogether.