18 best Drupal contributed modules to enhance security

Drupal is known for its security when compared with other open source content management systems. It is backed by a dedicated, highly skilled Security Team that reviews reported issues and releases security advisories and patches regularly.

Keeping Drupal core up to date with all security releases is the first thing every developer should do to secure a Drupal website.

Apart from core updates, you should also install and configure contributed modules that harden specific areas of your Drupal website (and keep those modules updated too, since they receive their own security advisories).

In this article I explain the important security-related contributed modules, grouped by their functionality.

We can broadly classify security-related modules into the categories below.

  1. Modules for securing the login/registration form and other forms
  2. Modules for security checks/suggestions
  3. Modules for encryption/decryption
  4. Modules for content security
  5. Modules for blocking IP addresses
  6. Modules for coding standards

1. Modules for securing the login/registration form and other forms

In this section we discuss modules that protect the various forms on a Drupal website. Drupal has built-in forms such as the login and registration forms, and modules such as Webform and custom code add further forms that collect data for various purposes. Because these forms accept user-supplied input, they are the pages attackers target to gain control of the site.

The most common threats against forms are cross-site scripting, SQL injection, brute-force login attempts and automated spam submission.

Most of the security modules in the Drupal community fall into this category; the modules below are listed roughly in order of importance.

Module: CAPTCHA

Purpose: CAPTCHA is a challenge-response test, most often placed in web forms, that determines whether the user is human. Both text- and image-based challenges are available and it can be attached to any form. Configuration in the back end lets you enable CAPTCHA on the login and registration forms without writing code.

Threat prevention: automated (bot) form submissions, primarily spam; on the login form it also slows down scripted password guessing.

Link: https://www.drupal.org/project/captcha

Version available: Drupal 8 and lower

 

Module: reCAPTCHA

Purpose: integrates the Google reCAPTCHA service with the CAPTCHA module above. Google reCAPTCHA is a stronger challenge than the built-in ones and can be applied to any form in Drupal. It requires the CAPTCHA module and a site key/secret key pair obtained from Google.

Threat prevention: automated spam submissions to forms.

Link: https://www.drupal.org/project/recaptcha

Module: Login History

Purpose: stores additional information about each login, such as the timestamp, IP address, user agent and whether or not the login was made through a password-reset link, and provides login reports based on this data.

Threat prevention: this module does not block anything by itself; it gives you an audit trail. With it you can spot suspicious logins (an unknown IP address or user agent for an account, a login straight after a password reset nobody requested) and reconstruct what happened if an account is compromised.

Link: https://www.drupal.org/project/login_history

Module: Login Security

Purpose: hardens the login form with access controls. It limits the number of failed login attempts per account and per IP address, can deny access to particular IP addresses or disable the targeted account, and can notify the administrator when limits are reached.

Threat prevention: password and account guessing, brute-force login attempts and other unexpected behaviour around the login operation.

Link: https://www.drupal.org/project/login_security
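Login History records what happened and Login Security limits attempts at login time. The following is an added example, not code from either module, showing the detection logic an administrator would run over such records: a per-account failure limit, a password spray (one source IP trying many accounts once each, which per-account counters miss), and successful logins worth reviewing because they come from an address the account never used before or went through a reset link. The record layout is an assumption modelled on the fields Login History stores, and the rows are constructed.

```python
"""Detecting attacks in login-history records.

Added example; not code from the Login History or Login Security modules.
Record shape is an assumption modelled on what Login History stores
(timestamp, username, IP, user agent, via reset link) plus a success flag.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data, one row per login attempt, in time order:
# (timestamp, username, ip, user agent, via reset link, success)
LOGIN_HISTORY = [
    ("2024-03-01T08:00:00", "alice", "203.0.113.10", "Firefox/123.0 (Linux)",  False, True),
    ("2024-03-01T08:05:00", "bob",   "203.0.113.20", "Chrome/122.0 (Windows)", False, True),
    # Password spray: one IP, many accounts, a single guess each.
    ("2024-03-01T09:00:01", "alice", "198.51.100.7", "python-requests/2.31",   False, False),
    ("2024-03-01T09:00:02", "bob",   "198.51.100.7", "python-requests/2.31",   False, False),
    ("2024-03-01T09:00:03", "carol", "198.51.100.7", "python-requests/2.31",   False, False),
    ("2024-03-01T09:00:04", "dave",  "198.51.100.7", "python-requests/2.31",   False, False),
    ("2024-03-01T09:00:05", "erin",  "198.51.100.7", "python-requests/2.31",   False, False),
    # Brute force against one account, then a login through a reset link
    # from the same attacker IP.
    ("2024-03-01T10:00:00", "alice", "192.0.2.50",   "curl/8.4.0",             False, False),
    ("2024-03-01T10:00:10", "alice", "192.0.2.50",   "curl/8.4.0",             False, False),
    ("2024-03-01T10:00:20", "alice", "192.0.2.50",   "curl/8.4.0",             False, False),
    ("2024-03-01T10:00:30", "alice", "192.0.2.50",   "curl/8.4.0",             False, False),
    ("2024-03-01T10:00:40", "alice", "192.0.2.50",   "curl/8.4.0",             False, False),
    ("2024-03-01T10:30:00", "alice", "192.0.2.50",   "Chrome/122.0 (Windows)", True,  True),
    # Legitimate repeat login from a known address.
    ("2024-03-01T11:00:00", "bob",   "203.0.113.20", "Chrome/122.0 (Windows)", False, True),
]


def account_brute_force(records, threshold=5, window=timedelta(minutes=15)):
    """Accounts with at least `threshold` failures inside a sliding window
    (the per-account limit Login Security enforces, applied after the fact)."""
    recent = defaultdict(deque)  # username -> timestamps of recent failures
    hits = set()
    for ts, user, _ip, _ua, _reset, ok in records:
        if ok:
            continue
        now = datetime.fromisoformat(ts)
        q = recent[user]
        q.append(now)
        while q and now - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            hits.add(user)
    return sorted(hits)


def password_spray(records, min_accounts=4, window=timedelta(minutes=10)):
    """Source IPs that fail against `min_accounts` distinct accounts in a
    window. Each account sees one failure, so the signal is distinct
    usernames per IP, not failures per account."""
    recent = defaultdict(deque)  # ip -> (timestamp, username) of recent failures
    hits = {}
    for ts, user, ip, _ua, _reset, ok in records:
        if ok:
            continue
        now = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append((now, user))
        while q and now - q[0][0] > window:
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= min_accounts:
            hits[ip] = max(len(distinct), hits.get(ip, 0))
    return hits


def suspicious_successes(records):
    """Successful logins from an IP never seen succeeding for that account,
    or made through a reset link. An account's first login only sets the
    baseline and is not flagged."""
    known_ips = defaultdict(set)  # username -> IPs with an earlier success
    flagged = []
    for ts, user, ip, _ua, via_reset, ok in records:
        if not ok:
            continue
        reasons = []
        if known_ips[user] and ip not in known_ips[user]:
            reasons.append("new ip")
        if via_reset:
            reasons.append("reset link")
        if reasons:
            flagged.append((ts, user, ip, ", ".join(reasons)))
        known_ips[user].add(ip)
    return flagged


if __name__ == "__main__":
    print("brute-forced accounts:", account_brute_force(LOGIN_HISTORY))
    print("spraying IPs:", password_spray(LOGIN_HISTORY))
    for row in suspicious_successes(LOGIN_HISTORY):
        print("review:", row)
```

On the constructed data the per-account check catches the burst against alice, the spray check catches 198.51.100.7 even though no single account exceeded one failure, and the final alice login is flagged on two counts (new address, reset link), which is exactly the sequence that should trigger a password reset by the administrator and a review of that account's recent changes.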

Module: Username Enumeration Prevention

Purpose: prevents anonymous users from identifying valid usernames on a Drupal site. Attackers usually harvest usernames from the password-reset form: by default Drupal answers an unknown name with a validation message saying that it "is not recognized as a username or an email address", so a different response for existing accounts confirms which names are valid. The module makes the response the same whether or not the account exists.

Threat prevention: username enumeration, the technique attackers use to build a list of valid accounts before guessing their passwords.

Link: https://www.drupal.org/project/username_enumeration_prevention
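To see why a single uniform response matters, here is an added example (not the module's code and not Drupal's) of a password-reset handler in its leaky and hardened forms, together with the differential test an attacker runs against it. The user store and the mail step are stand-ins; the "is not recognized" wording mirrors the core validation message and everything else is constructed.

```python
"""Username enumeration via a password-reset form: leaky vs uniform response.

Added example illustrating the problem Username Enumeration Prevention
fixes; not the module's code. USERS, the messages and queue_reset_mail()
are stand-ins constructed for the illustration.
"""
import secrets

# Constructed user store: username -> email.
USERS = {"alice": "alice@example.com", "bob": "bob@example.com"}

MSG_UNKNOWN = "{name} is not recognized as a username or an email address."
MSG_SENT = "Further instructions have been sent to your email address."
MSG_UNIFORM = ("If an account matches, further instructions have been sent "
               "to its email address.")


def account_exists(name_or_email):
    return name_or_email in USERS or name_or_email in USERS.values()


def queue_reset_mail(name_or_email):
    """Stand-in for sending the reset link. Queue it rather than send inline
    so response time does not depend on whether the account exists."""
    return None


def leaky_reset(name_or_email):
    """Default-style behaviour: a different message for unknown accounts,
    so the form doubles as an oracle for valid usernames and emails."""
    if account_exists(name_or_email):
        queue_reset_mail(name_or_email)
        return MSG_SENT
    return MSG_UNKNOWN.format(name=name_or_email)


def uniform_reset(name_or_email):
    """Hardened behaviour: one message in both cases; mail is only queued
    when the account exists, and the caller never learns which."""
    if account_exists(name_or_email):
        queue_reset_mail(name_or_email)
    return MSG_UNIFORM


def enumerate_accounts(candidates, reset):
    """What the attacker does: learn the 'unknown account' response from a
    random name, then submit a wordlist and keep every name whose response
    differs. The submitted name is masked because the leaky message echoes
    it back, which would otherwise make every response look unique."""
    probe = "probe-" + secrets.token_hex(4)
    baseline = reset(probe).replace(probe, "<name>")
    return [c for c in candidates if reset(c).replace(c, "<name>") != baseline]


if __name__ == "__main__":
    wordlist = ["admin", "alice", "bob", "mallory", "bob@example.com"]
    print("leaky form leaks:", enumerate_accounts(wordlist, leaky_reset))
    print("uniform form leaks:", enumerate_accounts(wordlist, uniform_reset))
```

The same differential test works against any form that answers differently for existing and non-existing accounts, including a registration form that rejects an already-taken email address; since that check cannot be made uniform without breaking registration, the mitigation there is rate limiting and CAPTCHA from the modules above rather than a changed message.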

Module: Password Policy

Purpose: enforces restrictions and policies when users create or update their passwords. Available constraints include forbidding the username inside the password, requiring a combination of numbers and letters, a minimum length, and forcing users to change their password after a set period; many other options are available in the configuration.

Read this article to see how to configure the Password Policy module.

Threat prevention: weak or guessable passwords, which are what make brute-force and dictionary attacks against accounts succeed.

Link: https://www.drupal.org/project/password_policy

Module: Two-factor Authentication (TFA)

Purpose: adds a second authentication step after the username and password. Once the password has been verified, the user is shown a text box for a one-time verification code, which is generated by an authenticator app on the user's phone or, depending on the plugin, delivered to the user's mobile phone or email address. The user is only logged in after the code has been verified.

Threat prevention: account takeover with a stolen, guessed or phished password; a brute-forced password alone is no longer enough to log in.

Link: https://www.drupal.org/project/tfa

Read this article to see how to configure TFA with the Google Authenticator app.
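The authenticator-app codes that TFA verifies are standard TOTP (RFC 6238) values, so it is worth seeing what the server actually checks. The block below is an added example of the algorithm and of a server-side verifier, not the TFA module's own code; the shared secret and timestamps are the RFC 6238 SHA-1 test vector, while the acceptance window of one step either side and the refusal to accept a code twice are this example's policy choices.

```python
"""Generating and verifying TOTP codes as an authenticator-app second factor.

Added example, not the TFA module's code: standard RFC 4226 HOTP and
RFC 6238 TOTP (SHA-1, 30-second step), as produced by Google Authenticator
and similar apps. RFC6238_SECRET is the RFC's published test key; the
skew and replay policy in TotpVerifier are this example's assumptions.
"""
import hashlib
import hmac
import struct
import time

RFC6238_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B SHA-1 test key
STEP = 30                                  # seconds per time step
DIGITS = 6                                 # what authenticator apps display


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, then the last `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return "%0*d" % (digits, code % 10 ** digits)


def totp(secret, at, step=STEP, digits=DIGITS):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at) // step, digits)


class TotpVerifier:
    """Server side of the second step.

    Accepts the current time step and `skew` steps either side to tolerate
    clock drift, but never a counter at or below the last one that verified,
    so a code captured by phishing or shoulder-surfing cannot be replayed
    inside its validity window.
    """

    def __init__(self, secret, skew=1):
        self.secret = secret
        self.skew = skew
        self.last_counter = -1

    def verify(self, code, at=None):
        now = int(time.time() if at is None else at)
        base = now // STEP
        for counter in range(base - self.skew, base + self.skew + 1):
            if counter <= self.last_counter:
                continue
            # Constant-time compare: the code is low-entropy, so do not let
            # a timing difference tell the caller how many digits matched.
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    print("RFC 6238 vector, T=59:", totp(RFC6238_SECRET, 59, digits=8))
    verifier = TotpVerifier(RFC6238_SECRET)
    current = totp(RFC6238_SECRET, time.time())
    print("first use accepted:", verifier.verify(current))
    print("replay accepted:", verifier.verify(current))
```

Two practical consequences follow from the code: the shared secret is as sensitive as a password and must be stored encrypted (which is why TFA depends on the Encrypt module discussed below), and a verifier that only checks the code, without the counter or rate limiting, leaves a six-digit space that is small enough to brute-force, so failed second-factor attempts need the same lockout treatment as failed passwords.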

Module: Session Limit

Purpose: lets administrators limit the number of simultaneous sessions per user. When a user exceeds the administrator-defined maximum, the module forces the extra sessions to log out.

Threat prevention: limits the use of shared or stolen credentials from several places at once.

Link: https://www.drupal.org/project/session_limit

Module: Automated Logout

Purpose: logs users out after a configurable period of inactivity.

Threat prevention: shortens the time an unattended or hijacked session remains usable.

Link: https://www.drupal.org/project/autologout

2. Modules for security checks/suggestions

The modules in this group give the site administrator a report of potential security flaws in the system, and some also provide security-hardening options. The modules below fall into this category.

Module: Security Review

Purpose: produces a report of security problems found on the site. Most findings are misconfigurations (file permissions, overly permissive text formats, untrusted roles holding administrative permissions, error reporting shown to visitors), and some detect tampering by an attacker who already has access to the physical files of the Drupal instance, such as executable PHP files in the public files directory. Around 14 types of checks are run across the site.

Threat prevention: this module does not automatically make changes to your site; use the results of the checklist and its linked resources to secure the site manually. The checks point out places where the following threats could occur in your Drupal system:

  • arbitrary code execution
  • cross-site scripting
  • information disclosure
  • brute-force attack
  • access misconfiguration
  • passwords included in user emails
  • phishing attempts

Link: https://www.drupal.org/project/security_review

Module: Security Kit (SecKit)

Purpose: SecKit provides Drupal with various security-hardening options, mostly implemented as HTTP response headers and request checks: Content Security Policy, X-Frame-Options and JavaScript-based clickjacking protection, HTTP Strict Transport Security, X-Content-Type-Options, and Origin-header based CSRF protection. Each option is switched on individually in its configuration form.

Threat prevention: cross-site scripting, clickjacking, cross-site request forgery and protocol-downgrade (SSL stripping) attacks.

Link: https://www.drupal.org/project/seckit
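Enabling SecKit's options is only half the job; you should confirm the headers actually reach the browser after caching and reverse proxies, and that the policy you wrote is not weakened by permissive sources. The following is an added example, not SecKit code: an offline audit of a response's security headers, run against two constructed header sets, one for a stock site and one after enabling CSP, clickjacking, HSTS and MIME-sniffing protection. The thresholds (HSTS minimum age, which CSP sources count as weak) are this example's choices.

```python
"""Auditing the hardening headers SecKit is meant to add.

Added example, not SecKit's code. BEFORE and AFTER are constructed header
sets; MIN_HSTS_AGE and the list of weak CSP sources are this example's
thresholds, not values taken from the module.
"""
import re

MIN_HSTS_AGE = 180 * 24 * 3600  # 180 days, a common minimum for preload lists

# Constructed headers for a site with no hardening enabled.
BEFORE = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Generator": "Drupal 8 (https://www.drupal.org)",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline' *",
}

# Constructed headers after enabling CSP, clickjacking, HSTS and MIME options.
AFTER = {
    "Content-Type": "text/html; charset=UTF-8",
    "Content-Security-Policy": ("default-src 'self'; "
                                "script-src 'self' https://www.google.com/recaptcha/; "
                                "frame-ancestors 'none'; report-uri /report-csp-violation"),
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def parse_csp(value):
    """Split a CSP string into {directive: [source, ...]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp else {}
    if not policy:
        findings.append("no Content-Security-Policy header")
    else:
        # script-src falls back to default-src when absent, as browsers do.
        script = policy.get("script-src", policy.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in script:
                findings.append("CSP script-src allows %s" % weak)

    # Either mechanism stops framing; frame-ancestors is the modern one.
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in policy and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS max-age below %d seconds" % MIN_HSTS_AGE)
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS without includeSubDomains")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("no X-Content-Type-Options: nosniff")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", audit_headers(hdrs) or "all checks passed")
```

Expect to iterate on the CSP: contributed modules and themes that inject inline scripts show up as violations as soon as 'unsafe-inline' is removed, which is why SecKit's report-uri option (or a report-only phase) belongs in the rollout before enforcement.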

3. Modules for encryption and decryption

Many developers keep API credentials and other confidential data hard-coded in PHP variables. This is a security flaw: anyone who obtains read access to the files, through a leaked repository, a backup or a path-disclosure bug, can steal the credentials. The modules below help you store such values encrypted and decrypt them only when they are needed.

Module: Encrypt

Purpose: provides an application programming interface (API) for performing symmetric or asymmetric encryption, so that integrating modules can encrypt and decrypt data in a standardized manner. Encrypt itself only supplies the configuration and the interface for creating encryption profiles; the actual encryption methods come from other modules (for example Real AES) and the keys are managed through the Key module.

Threat prevention: information disclosure.

Link: https://www.drupal.org/project/encrypt

You can see this article for how the Encrypt module is used by the Two-factor Authentication module.

You can also see this article on how we use the service provided by this module, which can be called from your custom modules or anywhere in your Drupal code.

Module: File Encrypt

Purpose: this module lets you encrypt files uploaded through Drupal using the Encrypt and Key modules. When an encrypted file is requested it is decrypted automatically, so the encryption at rest is transparent to the site.

Threat prevention: information and file disclosure.

Link: https://www.drupal.org/project/file_encrypt

You can read the configuration steps in this article: https://www.daggerhart.com/how-to-encrypt-field-data-drupal-8/

4. Content security

Modules in this category provide configuration to limit access to nodes and content types based on roles.

Module: Content Access

Purpose: manages access to content. It lets you set permissions for each content type by role and by author, with separate view, edit and delete permissions per content type.

Threat prevention: information disclosure and unauthorized access.

Link: https://www.drupal.org/project/content_access

Module: ACL (Access Control List)

Purpose: provides an API that other modules use to create lists of users and grant them access to nodes. It has no UI of its own and does nothing by itself; install it only when another module requires it.

Threat prevention: information disclosure and unauthorized access.

Link: https://www.drupal.org/project/acl

5. Modules to block IP addresses

Many requests reach a website with malicious intent, so webmasters need to block the offending IP addresses from accessing the system. Drupal core ships a Ban module for blocking addresses by hand; here we discuss the Autoban module, which automates that decision.

Module: Automatic IP ban (Autoban)

Purpose: Autoban automates IP bans by matching entries in the watchdog table against administrator-defined rules (a log type, a message pattern and a threshold). It requires the core Database Logging module and at least one IP ban provider submodule: Autoban Core Ban (integrated with the core Ban module) and/or Autoban Advanced Ban.

Threat prevention: repeated scanning, brute-force and other abusive traffic from the same addresses.

Link: https://www.drupal.org/project/autoban
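The decision Autoban automates is simple to state but has sharp edges, so here it is worked through as an added example (not Autoban's code): watchdog-style rows are matched against rules that pair a log type with a message pattern and a threshold, and a host is banned once it reaches a rule's threshold, unless it sits on an allow-list. The simplified table layout, the rules, the log rows and the allow-list are all constructed for the illustration.

```python
"""Rule-based IP banning from watchdog entries, in the style of Autoban.

Added example, not Autoban's code. Assumes a simplified view of the
watchdog (Database Logging) table as (timestamp, type, hostname, message)
rows; WATCHDOG, RULES and ALLOW_LIST are constructed.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

WATCHDOG = [
    # (timestamp, type, hostname, message)
    (1709280000, "page not found", "198.51.100.23", "/wp-login.php"),
    (1709280001, "page not found", "198.51.100.23", "/xmlrpc.php"),
    (1709280002, "page not found", "198.51.100.23", "/.env"),
    (1709280003, "page not found", "198.51.100.23", "/phpmyadmin/index.php"),
    (1709280010, "page not found", "203.0.113.9",   "/old-brochure.pdf"),
    (1709280020, "user", "192.0.2.77", "Login attempt failed for admin."),
    (1709280021, "user", "192.0.2.77", "Login attempt failed for admin."),
    (1709280022, "user", "192.0.2.77", "Login attempt failed for admin."),
    (1709280030, "user", "10.0.0.5",   "Login attempt failed for alice."),
    (1709280031, "user", "10.0.0.5",   "Login attempt failed for alice."),
    (1709280032, "user", "10.0.0.5",   "Login attempt failed for alice."),
]

RULES = [
    # Scanners probing for software this site does not run.
    {"type": "page not found", "pattern": r"^/(wp-|xmlrpc\.php|\.env|phpmyadmin)", "threshold": 3},
    # Repeated failed logins; Drupal logs these under the 'user' type.
    {"type": "user", "pattern": r"^Login attempt failed", "threshold": 3},
]

# Never ban these: office network, monitoring, the host itself.
ALLOW_LIST = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]


def is_allowed(ip, allow_list=ALLOW_LIST):
    addr = ip_address(ip)
    return any(addr in net for net in allow_list)


def rule_matches(rule, entry):
    _ts, log_type, _host, message = entry
    return log_type == rule["type"] and re.search(rule["pattern"], message) is not None


def ips_to_ban(entries, rules, allow_list=ALLOW_LIST):
    """Return {ip: [indexes of rules whose threshold the IP reached]}, skipping
    allow-listed addresses. Counting is per (rule, ip): each threshold is
    tuned for one kind of abuse, so hits on different rules do not add up."""
    counts = defaultdict(int)
    for entry in entries:
        for i, rule in enumerate(rules):
            if rule_matches(rule, entry):
                counts[(i, entry[2])] += 1
    bans = defaultdict(list)
    for (i, ip), n in sorted(counts.items()):
        if n >= rules[i]["threshold"] and not is_allowed(ip, allow_list):
            bans[ip].append(i)
    return dict(bans)


if __name__ == "__main__":
    for ip, rule_ids in ips_to_ban(WATCHDOG, RULES).items():
        print("ban %s (matched rules %s)" % (ip, rule_ids))
```

Two caveats before turning this on for real. First, the hostname column is only as trustworthy as Drupal's reverse-proxy configuration: behind a load balancer or CDN without the reverse_proxy settings in settings.php, every entry carries the proxy's address and the first rule to fire bans the proxy for all visitors. Second, keep the allow-list, as above, for your own monitoring and office ranges, otherwise a single misconfigured health check will lock you out of your own site.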

6. Modules for coding standards

In many cases developers open loopholes for attackers by not following the Drupal coding standards and API conventions. Below are a few tools that help identify such coding mistakes.

Module: Coder (used as a command-line tool, not installed on the site)

Purpose: Coder checks your Drupal code against the Drupal coding standards and other best practices (it ships the Drupal and DrupalPractice standards for PHP_CodeSniffer). It can also fix coding standard violations for you with the phpcbf command from PHP_CodeSniffer.

Link: https://www.drupal.org/project/coder

Module: Paranoia

Purpose: the Paranoia module attempts to identify all the places where a user can evaluate PHP through Drupal's web interface and blocks them. It reduces the impact of an attacker who gains elevated permissions on a Drupal site, since an administrator account then no longer leads to arbitrary code execution on the server.

Link: https://www.drupal.org/project/PARANOIA

Conclusion

Here we have discussed the major security modules, grouped by the area of Drupal in which they are used. I have listed only Drupal 8 modules. There are other modules that build on the ones listed above. Using these modules, together with timely core and module updates, you can make your Drupal site considerably more secure.
