18 best Drupal contributed modules to enhance security
Drupal is known for its security compared with other open-source content management systems. It maintains that reputation with a highly skilled, dedicated security team that releases security updates and patches regularly.
Keeping Drupal core up to date with all security updates is the first thing every developer should do to secure a Drupal website.
Apart from core updates, you also need to install and configure contributed modules to ensure the security of your Drupal website.
In this article, I will explain the important contributed security modules, grouped by their functionality.
We can broadly classify security-related modules into the categories below.
- Modules for login/registration and other form security
- Modules for Security checks/suggestions
- Modules for Encryption/decryption
- Modules for Content security
- Modules for Blocking IP
- Modules for Coding standard
1. Modules for secure login/registration and other forms
In this section, we discuss modules that secure the various forms on your Drupal website. Drupal has built-in forms such as the login and registration forms, and modules such as Webform, plus custom forms, collect data for various purposes. Because these forms accept user input, their pages are targeted by attackers trying to gain control over the entire Drupal system.
Most security threats to forms are cross-site scripting, SQL injection, brute-force attacks, and the like.
So most of the modules in the Drupal community fall into this category; the modules below are listed by importance.
Module: CAPTCHA
Purpose: CAPTCHA is a challenge-response test, most often placed within web forms, to determine whether the user is human. Both text- and image-based challenges are available, and it can be used with all types of forms. Configuration in the backend allows enabling CAPTCHA for the login and registration forms without coding.
Threat prevention: spam submissions to forms.
Version available: Drupal 8 and lower
Module: reCAPTCHA
Purpose: provides the Google reCAPTCHA service. Google reCAPTCHA is a strong image-based CAPTCHA system and can be applied to any form in Drupal.
Threat prevention: spam submissions to forms.
Link: https://www.drupal.org/project/recaptcha
Module – Login History
Purpose: this module stores additional login information such as the timestamp, IP address, user agent, and whether or not the login was via a password reset link. It also provides various types of login reports.
Threat prevention: spam prevention.
Link – https://www.drupal.org/project/login_history
Module: Login Security
Purpose: secures the login form with access-control features: it can deny particular IPs access to the login form and limits the number of invalid login attempts.
Threat prevention: password and account guessing, brute-force login attempts, and unexpected behaviour in the login operation.
Link: https://www.drupal.org/project/login_security
Module – Username Enumeration Prevention
Purpose: prevents anonymous users from identifying valid usernames on a Drupal site. Usually, malicious actors obtain usernames from the password reset form, where by default Drupal shows the username in a validation message; this helps attackers collect valid usernames in the system.
Threat prevention: username enumeration, a technique used by malicious actors to identify valid usernames on a web application.
Module: Password Policy
Purpose: enforces restrictions and policies when users create or update passwords. The module includes multiple policies, such as disallowing the username in the password, requiring a combination of numbers and letters, and forcing users to change their password after a set period. Many other options are available in the configuration.
Read this article to see how to configure Password policy module.
Threat prevention: To prevent brute-force attacks by guessing user passwords.
Module: Two-factor Authentication (TFA)
Purpose: this module adds a second authentication step after the username and password. After entering them, a text box appears for a verification code that has been sent to the user's mobile phone or email address. Users are only logged in after this code is verified.
Threat prevention: brute-force attacks.
Read this article to see how to configure TFA with the Google Authenticator app.
Module : Session Limit
Purpose: allows administrators to limit the number of simultaneous sessions per user. The module forces the user to log out of any extra sessions once they exceed the administrator-defined maximum.
Module: Automated Logout
Purpose: logs users out after a specified period of inactivity.
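The modules above cover Drupal's own login form, but the section also notes that custom forms accepting input are targets for brute-force and injection attempts. The following is an added example, not code from the article or from any of the modules it lists, showing how a custom form can apply the same brute-force limiting using Drupal core's flood service and store its input through the database API with placeholders. The module name `example_contact`, the table `example_contact_message`, the flood event name, and the limits are all assumptions for this example.

```php
<?php

namespace Drupal\example_contact\Form;

use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;

/**
 * A hypothetical contact form that rate-limits submissions per client IP.
 *
 * The module "example_contact", this form, and the table it writes to are
 * assumptions for the example; \Drupal::flood() is Drupal core's flood API.
 */
class RateLimitedContactForm extends FormBase {

  // Flood event name, maximum attempts, and window in seconds (assumed values).
  const FLOOD_EVENT = 'example_contact.submit';
  const FLOOD_LIMIT = 5;
  const FLOOD_WINDOW = 3600;

  public function getFormId() {
    return 'example_contact_rate_limited';
  }

  public function buildForm(array $form, FormStateInterface $form_state) {
    $form['message'] = [
      '#type' => 'textarea',
      '#title' => $this->t('Message'),
      '#required' => TRUE,
    ];
    $form['submit'] = [
      '#type' => 'submit',
      '#value' => $this->t('Send'),
    ];
    return $form;
  }

  public function validateForm(array &$form, FormStateInterface $form_state) {
    $flood = \Drupal::flood();
    $ip = $this->getRequest()->getClientIp();

    // Refuse the submission once this IP has exhausted its attempts in the window.
    if (!$flood->isAllowed(self::FLOOD_EVENT, self::FLOOD_LIMIT, self::FLOOD_WINDOW, $ip)) {
      $form_state->setErrorByName('message', $this->t('Too many submissions. Please try again later.'));
      return;
    }
    // Count every attempt, valid or not, so repeated guessing is throttled too.
    $flood->register(self::FLOOD_EVENT, self::FLOOD_WINDOW, $ip);
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    // The Form API already adds CSRF tokens and the render layer escapes output,
    // so the remaining concern is storage: use the database API with named
    // fields rather than building SQL from the submitted string.
    \Drupal::database()->insert('example_contact_message')
      ->fields([
        'ip' => $this->getRequest()->getClientIp(),
        'body' => $form_state->getValue('message'),
        'created' => \Drupal::time()->getRequestTime(),
      ])
      ->execute();
    $this->messenger()->addStatus($this->t('Thanks, your message was received.'));
  }

}
```

The check runs in `validateForm()` rather than `submitForm()` so that a blocked client never reaches the storage code, and the attempt is registered before validation of the field values, which is what the Login Security module's invalid-attempt limit achieves for the core login form.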
2. Modules for security checks/suggestions
In this group, the site administrator gets a report of potential security flaws in the system. These modules also provide various security-hardening options. The modules below fall into this category.
Module: Security Review
Purpose: provides a report of various security flaws in the system. These may be caused by poor coding standards or introduced by attackers who have access to the physical files of the Drupal instance. Around 14 types of checks are run across your website.
Threat prevention: this module does not automatically make changes to your site. You should use the results of the checklist and its resources to secure your site manually. The module points out possible locations of the threats below in your Drupal system.
- arbitrary code execution
- cross-site scripting
- information disclosure
- brute-force attacks
- access misconfiguration
- passwords included in user emails
- phishing attempts
Module: Security Kit
Purpose: SecKit provides Drupal with various security-hardening options.
3. Modules for encryption and decryption
Most developers keep API credentials and other confidential data in hard-coded PHP variables. This creates a security flaw: anybody who gets access to the files can steal the passwords and credentials. The modules below help you encrypt and decrypt those credentials.
Module: Encrypt
Purpose: provides an application programming interface (API) for performing symmetric or asymmetric encryption. It allows integrating modules to encrypt and decrypt data in a standardized manner. This module only provides the configuration and interface for creating encryption profiles; the encryption itself is carried out by other modules.
Threat prevention: information disclosure.
See this article on using the Encrypt module with the Two-factor Authentication module.
See also this article on how to use the service provided by this module, which can be used in your custom modules or anywhere in your Drupal code.
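As an added example, not code from the article or from the Encrypt or Key projects, the snippet below contrasts the hard-coded credential the section warns about with the same credential fetched from the Key module, and then uses the Encrypt module's `encryption` service to protect a value before it is stored. The key id `payment_api_key`, the profile id `default_profile`, and the sample token are assumptions; the service names (`key.repository`, `encrypt.encryption_profile.manager`, `encryption`) are the ones those modules register.

```php
<?php

// Added example: replacing a hard-coded credential with the Key module and
// protecting stored data with the Encrypt module's service.

// BEFORE: the secret lives in a PHP file, so anyone who can read the codebase
// (backups, version control, a file-disclosure bug) has it.
$api_secret = 'sk_live_EXAMPLE_PLACEHOLDER';   // placeholder, not a real key

// AFTER, step 1: look the credential up from the Key module by the id given
// to it in the admin UI ('payment_api_key' is an assumed id). The key provider
// (environment variable, file outside the web root, ...) is configured there,
// so no secret is present in code or in the database in clear text.
$key = \Drupal::service('key.repository')->getKey('payment_api_key');
$api_secret = $key ? $key->getKeyValue() : NULL;

// AFTER, step 2: anything you must persist yourself (for example a token the
// remote API returns) is encrypted with an encryption profile first.
// 'default_profile' is an assumed profile id created in the Encrypt UI.
$profile = \Drupal::service('encrypt.encryption_profile.manager')
  ->getEncryptionProfile('default_profile');
$encryption = \Drupal::service('encryption');

$token_plain = 'token-from-remote-api';            // constructed sample value
$token_stored = $encryption->encrypt($token_plain, $profile);

// Later, only code that can load the same profile recovers the plaintext.
$token_back = $encryption->decrypt($token_stored, $profile);
assert($token_back === $token_plain);
```

Because the profile ties together an encryption method and a key, rotating the key in the Key module changes nothing in the calling code; the thing to watch is that `getKey()` returns `NULL` for an unknown id, so callers should fail closed rather than proceed with an empty secret.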
Module: File Encrypt
Purpose: allows you to encrypt files uploaded via Drupal using the Encrypt and Key modules. When an encrypted file is requested, it is decrypted automatically.
Threat prevention: information and file disclosure.
You can read the configuration steps in this article: https://www.daggerhart.com/how-to-encrypt-field-data-drupal-8/
4. Modules for content security
Modules in this category provide configuration to limit access to nodes and content types based on roles.
Module: Content Access
Purpose: manages access to content types, with permissions by role and by author. It lets you specify custom view, edit, and delete permissions for each content type.
Threat prevention: information disclosure and unauthorized access
Module: ACL (Access control List)
Purpose: provides an API for other modules to create lists of users and give them access to nodes. It has no UI of its own and does nothing by itself; install it only if another module requires it.
Threat prevention: information disclosure and unauthorized access
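Content Access and ACL both restrict who may view or edit individual nodes. The following added example, not code from the article or from either project, shows the simplest form of that idea in a hypothetical `example_restrict` module: a `hook_node_access()` implementation that limits an assumed `salary_record` content type to users holding an assumed `hr_staff` role.

```php
<?php

/**
 * @file
 * Added example (not from the article): a hypothetical "example_restrict"
 * module that limits per-node view and update access by role.
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;

/**
 * Implements hook_node_access().
 *
 * Only users with the (assumed) 'hr_staff' role may view or edit nodes of the
 * (assumed) 'salary_record' content type; everyone else is denied.
 */
function example_restrict_node_access(NodeInterface $node, $op, AccountInterface $account) {
  if ($node->bundle() !== 'salary_record') {
    // Not our content type: stay neutral so other modules and the default
    // node permissions decide.
    return AccessResult::neutral();
  }

  if (in_array($op, ['view', 'update'], TRUE) && $account->hasRole('hr_staff')) {
    // Vary the cached result per user and invalidate it when the node changes,
    // otherwise a role change would not be reflected until caches clear.
    return AccessResult::allowed()
      ->cachePerUser()
      ->addCacheableDependency($node);
  }

  return AccessResult::forbidden('Salary records are restricted to HR staff.')
    ->cachePerUser()
    ->addCacheableDependency($node);
}
```

Two caveats a practitioner should know: `hook_node_access()` is consulted only for access checks on a single node, so the record still appears in Views listings and search results unless the site also filters queries, and users holding the "bypass node access" permission (including user 1) skip the hook entirely. Content Access and ACL avoid the first problem by working through the node grants system, which is applied to listing queries as well, and that is the reason to prefer them over a hand-written hook for anything beyond a simple rule.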
5. Modules to block IPs
Many users hit the website with malicious intent, so webmasters need to block their IPs from accessing the system. Here we discuss the Autoban module, which is used for this purpose.
Module: Automatic IP ban (Autoban)
Purpose: Autoban automates IP bans based on entries in the watchdog table, matched against rules defined in the module. It requires the core Database Logging module and at least one IP ban provider submodule: Autoban Core Ban (integrated with the core Ban module) and/or Autoban Advanced Ban.
6. Modules for coding standards
In most cases, developers open loopholes for attackers by not following Drupal coding standards. We discuss a few modules that help identify such coding mistakes.
Module: Coder (used as a command-line tool)
Purpose: Coder checks your Drupal code against coding standards and other best practices. It can also fix coding-standard violations for you with the phpcbf command from PHP_CodeSniffer.
Module: Paranoia
Purpose: the Paranoia module attempts to identify all the places where a user can evaluate PHP via Drupal's web interface and then blocks them. It reduces the potential impact of an attacker gaining elevated permissions on a Drupal site.
Here we have discussed the major security modules, categorized by the area of Drupal in which they are used. I have listed only Drupal 8 modules. Other modules depend on the modules listed above; using them, we can improve security further.