Drupal is a very popular Content Management System (CMS) on the Internet today. Drupal security should be at the forefront of anyone running a Drupal site, especially if running older versions of the CMS or its modules, since these are a ripe target for attackers.

In this post, we’ve taken some time to detail a few measures which can be taken to address Drupal security, outlining the basic security holes or malpractices that are commonly present in thousands of Drupal sites.

Running the latest version of Drupal

Running the latest version of any software is probably the most obvious first security measure to take. However, with millions of sites still running old and vulnerable versions of the CMS, this point is still one that needs to be stressed.

Updates of Drupal not only bring with them new features, but more importantly, bugfixes and security fixes are made available. Updates help your site remain safe against common, easy-to-exploit vulnerabilities.

Running the latest versions of modules

Running the latest version of Drupal alone is not enough to secure your site. Modules you install on your Drupal site that contain vulnerabilities will undoubtedly increase your site’s attack surface.

Therefore, making sure that your Drupal modules are up-to-date is essential. In doing so, you can make sure your site is covered with the latest security updates by the extension’s author.

Drupal Updates Screen

Be selective when choosing modules

Drupal allows you to extend and customize your site with thousands of modules. Extending your site’s capabilities and customizing it to your requirements is important, however, it should never come at the price of your website’s security.

Even if your Drupal installation and modules are all up to date, it does not mean that a site is not vulnerable to attack. Attackers can try to enumerate installed modules to discover what modules you have installed on your Drupal site. By avoiding the installation of unnecessary modules, you would automatically be reducing your site’s attack surface.

When choosing modules to install, be selective. Before installing an extension, read about it (ideally read reviews from other users on websites other than the extension developer’s site). This prevents you from installing malware or modules that do not fit your purpose.

Check how many downloads the extension has and when it was last updated by its authors. The more downloads and the more recent the updates an extension has, the more likely it is that a discovered vulnerability will be fixed quickly.

Drupal 'Extend' screen

Remove inactive users

Keeping inactive users on your Drupal site increases your attack surface. Users, especially Administrators and others who have the ability to modify content, are possibly one of the weakest points of any site because unfortunately, most users tend to choose weak passwords.

If you absolutely need to keep inactive users in your Drupal database, change their role to ‘Authenticated user’ in order to limit any actions that could be performed.

Take advantage of Drupal’s Status Report functionality

A great security feature to take advantage of in Drupal is its built-in Status Report page. Apart from allowing you to keep tabs on other areas of your Drupal site, the Status Report page provides you with visibility into some important security controls that you should be placing on your Drupal site. For example, the screenshot below indicates that we need to set up a list of Trusted Host Settings to prevent a host header attack from occurring.

Drupal Status Report

Configuring Trusted Host Settings

Unless explicitly configured, Drupal tries to automatically figure out the base URL of the site from the request. This can result in a host header attack, specifically because the ‘Host’ HTTP header is supplied by the client, can be forged by an attacker, and therefore cannot be trusted.

Fortunately, Drupal has a built-in method of working around this issue by explicitly defining which hostnames are to be accepted as valid host headers. This can be achieved by adding the following to your Drupal site’s settings.php.

If a site is run off of a single, canonical domain, then you can include the following in sites/default/settings.php to allow the site to only run from www.example.com.

$settings['trusted_host_patterns'] = array(
  // Only www.example.com is accepted; the dots are escaped and the pattern is anchored
  // so that look-alike hosts such as www.example.com.other.test do not match.
  '^www\.example\.com$',
);

If you need to run your site off of multiple domains, and are not redirecting to a single domain, then you can include the following in settings.php to allow the site to run off of example.com and example.net, with all subdomains included.

$settings['trusted_host_patterns'] = array(
  // Bare domains.
  '^example\.com$',
  '^example\.net$',
  // Any subdomain of each domain (the ^.+\. prefix requires at least one label).
  '^.+\.example\.com$',
  '^.+\.example\.net$',
);
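To sanity-check a pattern list before deploying it, the following added example (not from the original post or from Drupal core) emulates how the framework applies trusted_host_patterns to an incoming Host header: strip an optional port, lower-case the value, and match each pattern as a case-insensitive PCRE. The helper name host_is_trusted and the sample Host values are constructed for illustration; the exact internals of Drupal/Symfony are not reproduced.

```php
<?php
// Added example: emulate the trusted-host check applied to a Host header.
// Assumption: the same approach as Symfony's Request::getHost(), which Drupal
// relies on (port stripped, lower-cased, each pattern wrapped as {pattern}i).

/**
 * Return TRUE if $hostHeader is accepted by any pattern in $patterns.
 */
function host_is_trusted(string $hostHeader, array $patterns): bool {
  // Drop a trailing ":port" and normalise case before matching.
  $host = strtolower(preg_replace('/:\d+$/', '', trim($hostHeader)));
  // Reject anything that is not a plausible hostname at all.
  if ($host === '' || preg_match('/^[a-z0-9.\-]+$/', $host) !== 1) {
    return FALSE;
  }
  foreach ($patterns as $pattern) {
    // Each configured pattern is used as a case-insensitive regular expression.
    if (preg_match('{' . $pattern . '}i', $host) === 1) {
      return TRUE;
    }
  }
  return FALSE;
}

// Single canonical domain (the first settings.php snippet above).
$single = ['^www\.example\.com$'];
// example.com and example.net with all subdomains (the second snippet above).
$multi = [
  '^example\.com$',
  '^.+\.example\.com$',
  '^example\.net$',
  '^.+\.example\.net$',
];

// Constructed Host values: what a browser sends versus forged or look-alike hosts.
$candidates = [
  'www.example.com',
  'WWW.EXAMPLE.COM:443',
  'example.com',
  'www.example.com.other.test',  // suffix appended to the real hostname
  'cdn.example.net',
  'example.net.other.test',
  'not a host!',
];

foreach ($candidates as $h) {
  printf("%-30s single: %-5s multi: %s\n", $h,
    host_is_trusted($h, $single) ? 'ok' : 'DENY',
    host_is_trusted($h, $multi) ? 'ok' : 'DENY');
}
```

Running this shows that only the anchored, dot-escaped patterns keep the appended-suffix hosts out while still accepting the legitimate upper-case and port-suffixed forms.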

If we revisit Drupal’s Status Report, we can see the alert in the previous screenshot resolved.

Drupal Status Report with Trusted Hosts security alert resolved

Security configurations

Keep an eye on the logs

Drupal has a built-in log viewer (Manage > Reports > Recent log messages) which you should certainly take advantage of. Logging plays a crucial role in understanding when an attack is underway and what happened after an attack occurred. By keeping an eye on the logs, you can mitigate the effects of a security breach by paying attention to early warning signs such as failed login attempts.

Drupal Logs

Enable HTTPS

Strictly speaking, HTTPS is not a protocol in and of itself, but it is rather HTTP encapsulated in TLS/SSL. TLS, or SSL, as it is commonly referred to, provides websites and web applications with encryption of data being transmitted and authentication to verify the identity of a host.

HTTPS is usually synonymous with shopping carts and Internet banking, but in reality, it should be used whenever a user is passing sensitive information to the web server and vice-versa.

Most sites do not necessarily need to serve their entire site over TLS, however, since Drupal does not have an administrator-specific area, it’s strongly advised that TLS/SSL is not only implemented, but enforced.

In order to enforce TLS/SSL on your Drupal site in Apache HTTP Server, you will need to add the following configuration in your Drupal site’s .htaccess file (this is usually located in your website’s root directory).

# Force HTTPS across the Drupal site
<IfModule mod_rewrite.c>
RewriteEngine on
# Only rewrite requests that did not arrive over TLS
RewriteCond %{HTTPS} off
# Redirect to the same path on the HTTPS origin; SERVER_NAME is used rather than
# the client-supplied Host header
RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]
</IfModule>

Ian Muscat

Ian Muscat used to be a technical resource and speaker for Acunetix. More recently, his work centers around cloud security and phishing simulation.