Today, securing a website with Drupal security modules is a primary concern for business owners, more than ever. Drupal powers more than 700,000 sites across the Internet, and the chance that a given Drupal site owner will face a concerted attack is greater than ever.
One of the major strengths of Drupal is the Drupal team's focus on keeping Drupal core largely free of vulnerabilities that could compromise a site. Another is that contributed modules are vetted and tested by the extended community, and those covered by the security advisory policy receive coordinated advisories and fixes. This peer review process goes a long way towards preventing contributed modules from becoming entry points for attacks.
But bug-free components are not enough on their own. You always want an extra layer of defence for the day your site comes under fire, whether from spam bots or from determined human attackers. To that end, we have compiled a list of Drupal security modules that can help you build a strong layer of security around your site and keep the common classes of Drupal security issues at bay.
Authentication
1. Login Security
- Downloads - 100,942
- Reported installs - 16,708
- Compatible versions - Drupal 8 and below.
- Purpose - This module lets site administrators add restrictions to the login flow of a Drupal site. For example, you can block an account or an IP address after a set number of failed authentication attempts, deny access from specific IPs, and so on. It also notifies you by email or through Nagios alerts when the login form is under a brute-force or username/password guessing attack.
- Known Issues - None.
- Download - https://www.drupal.org/project/login_security
2. Password Policy
- Downloads - 407,012
- Reported installs - 34,869
- Compatible versions - Drupal 8 and below.
- Purpose - This Drupal security module can be used to set restrictions and rules for setting account passwords. For example, a site administrator can set a rule that states that all passwords must have an uppercase letter, a number, and a special symbol.
- Known Issues - None.
- Download - https://www.drupal.org/project/password_policy
3. Two-factor Authentication (TFA)
- Downloads - 23,277
- Reported installs - 5,330
- Compatible versions - Drupal 7 and below.
- Purpose - This module lets site administrators require a second factor at login. The second factor can be delivered in a variety of ways through plugins: one-time passwords/PINs from an authenticator app, codes sent by text message, pre-generated recovery codes, and more.
- Known Issues - None.
- Download - https://www.drupal.org/project/tfa
4. Prevent username enumeration
- Downloads - 76,455
- Reported installs - 10,144
- Compatible versions - Drupal 7 and below, pre-release version available for Drupal 8.
- Purpose - Attackers probe a site for valid account names before they start guessing passwords. Drupal's login form gives the same "unrecognized username or password" error in both cases, but the password reset form does not: ask it to reset an unknown name and it replies that the name is not recognized as a username or an email address, while a known name gets a message saying that instructions have been sent. That difference tells the attacker which usernames exist. This module replaces the reset form's response with one that reads the same either way, so the form can no longer be used as an oracle.
- Known Issues - Usernames still leak through channels the module does not cover, such as author names shown on nodes and comments, so enumeration remains possible there.
- Download - https://www.drupal.org/project/username_enumeration_prevention
5. ACL
- Downloads - 292,469
- Reported installs - 28,522
- Compatible versions - Drupal 7 and below, pre-release version available for Drupal 8.
- Purpose - This module does not come with a user interface - it is essentially a set of APIs that allow other modules to create a list of users and allow them selective access to certain nodes.
- Known Issues - None.
- Download - https://www.drupal.org/project/acl
6. Content Access
- Downloads - 492,277
- Reported installs - 74,322
- Compatible versions - Drupal 7 and below.
- Purpose - This Drupal security module helps you set fine-grained permissions for specific types of content, both by role and by author. You can specify the view/edit/delete permissions in a detailed way.
- Known Issues - Because this module works through Drupal's node access API, combining it with other node access modules can produce conflicting grants, so it is recommended that you do not install other modules that use the same API alongside it. Also, this module is not covered by Drupal's security advisory policy.
- Download - https://www.drupal.org/project/content_access
7. Flood control
- Downloads - 431,844
- Reported installs - 14,429
- Compatible versions - Drupal 7 and below, pre-release version available for Drupal 8.
- Purpose - This module adds a page to the administration interface for the flood control parameters that Drupal core otherwise keeps hidden, such as the limits on failed login attempts per IP address and per account and the time windows over which they are counted.
- Known Issues - None.
- Download - https://www.drupal.org/project/flood_control
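The counting behind the Login Security and Flood Control entries above, as an added example rather than code from either module. The log lines are constructed (loosely modelled on a watchdog "Login attempt failed" entry), and the default limits are Drupal core's flood-control defaults of 50 failures per IP per hour and 5 per account per six hours. It adds one rule the page's modules do not describe: an IP that fails against many different accounts, the password-spraying pattern that per-account limits are designed not to catch.

```python
"""Brute-force and password-spray detection over failed-login records.

Added example, not code from Login Security or Flood Control. SAMPLE_LOG is
constructed; the default limits mirror Drupal core's flood control defaults.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-05-01T10:00:01 ip=203.0.113.5 user=admin Login attempt failed
2024-05-01T10:00:02 ip=203.0.113.5 user=admin Login attempt failed
2024-05-01T10:00:03 ip=203.0.113.5 user=admin Login attempt failed
2024-05-01T10:00:04 ip=203.0.113.5 user=admin Login attempt failed
2024-05-01T10:00:05 ip=203.0.113.5 user=admin Login attempt failed
2024-05-01T10:00:06 ip=203.0.113.5 user=admin Login attempt failed
2024-05-01T10:05:00 ip=198.51.100.1 user=alice Login attempt failed
2024-05-01T10:05:10 ip=198.51.100.2 user=alice Login attempt failed
2024-05-01T10:05:20 ip=198.51.100.3 user=alice Login attempt failed
2024-05-01T10:05:30 ip=198.51.100.4 user=alice Login attempt failed
2024-05-01T10:05:40 ip=198.51.100.5 user=alice Login attempt failed
2024-05-01T10:05:50 ip=198.51.100.6 user=alice Login attempt failed
2024-05-01T10:10:00 ip=198.51.100.77 user=carol Login attempt failed
2024-05-01T10:11:00 ip=198.51.100.77 user=dave Login attempt failed
2024-05-01T10:12:00 ip=198.51.100.77 user=erin Login attempt failed
2024-05-01T10:13:00 ip=198.51.100.77 user=frank Login attempt failed
2024-05-01T10:14:00 ip=198.51.100.77 user=grace Login attempt failed
2024-05-01T10:15:00 ip=198.51.100.77 user=heidi Login attempt failed
2024-05-01T10:16:00 ip=198.51.100.77 user=ivan Login attempt failed
2024-05-01T10:17:00 ip=198.51.100.77 user=judy Login attempt failed
2024-05-01T10:20:00 ip=192.0.2.9 user=bob Session opened
2024-05-01T10:30:00 ip=192.0.2.9 user=bob Login attempt failed
2024-05-01T11:45:00 ip=192.0.2.9 user=bob Login attempt failed
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) Login attempt failed$")


def parse_failures(text):
    """Return (timestamp, ip, username) tuples in time order; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    events.sort()
    return events


def over_limit(events, key_of, limit, window):
    """Keys (IPs or accounts) that reach `limit` failures inside a sliding `window`.
    This is the counting core's flood control does before it blocks."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, user in events:
        key = key_of(ip, user)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:          # drop entries older than the window
            q.popleft()
        if len(q) >= limit:
            flagged.add(key)
    return flagged


def spray_sources(events, distinct_accounts=5, window=timedelta(hours=1)):
    """IPs that fail against many *different* accounts inside `window`. Spraying
    stays under the per-account limit on purpose, so it needs its own rule."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, user in events:
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:
            q.popleft()
        if len({u for _, u in q}) >= distinct_accounts:
            flagged.add(ip)
    return flagged


def detect(text, ip_limit=50, ip_window=timedelta(hours=1),
           user_limit=5, user_window=timedelta(hours=6)):
    """Run all three rules; the defaults are Drupal core's flood control limits."""
    events = parse_failures(text)
    return {
        "brute_force_ips": over_limit(events, lambda ip, u: ip, ip_limit, ip_window),
        "targeted_accounts": over_limit(events, lambda ip, u: u, user_limit, user_window),
        "spray_sources": spray_sources(events),
    }


if __name__ == "__main__":
    for rule, hits in detect(SAMPLE_LOG).items():
        print(f"{rule}: {sorted(hits) or '-'}")
```

With the core defaults the distributed attack on `alice` is caught only by the per-account rule, and the spray from one address is caught only by the distinct-accounts rule; this is why a per-IP limit on its own is not enough, and why Login Security's alerting is worth having in addition to blocking.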
8. Automatic Logout
- Downloads - 167,391
- Reported installs - 25,259
- Compatible versions - Drupal 7 and below, pre-release version available for Drupal 8.
- Purpose - This module lets site administrators set a policy that automatically logs users out after a specified period of inactivity. Time limits can be customized per role, and a JavaScript timer can warn the user and redirect the browser when the limit is reached.
- Known Issues - None.
- Download - https://www.drupal.org/project/autologout
9. Session Limit
- Downloads - 58,454
- Reported installs - 12,240
- Compatible versions - Drupal 7 and below, pre-release version available for Drupal 8.
- Purpose - This module limits the number of concurrent sessions a user may have open. Limits can be configured per role and overridden for individual users.
- Known Issues - None.
- Download - https://www.drupal.org/project/session_limit
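The two policies described for Automatic Logout and Session Limit, implemented together as an added example; this is not code from either module. Sessions live in a plain dict here where Drupal would use its sessions table, and the role names and limits are constructed.

```python
"""Idle timeout and concurrent-session cap, the policies that Automatic Logout
and Session Limit enforce.

Added example, not code from either module. The session store is an in-memory
dict; roles and limits below are constructed.
"""


class SessionPolicy:
    """Per-role idle timeouts plus a per-user cap on concurrent sessions."""

    def __init__(self, idle_seconds_by_role, default_idle_seconds, max_sessions_per_user):
        self.idle_by_role = idle_seconds_by_role
        self.default_idle = default_idle_seconds
        self.max_sessions = max_sessions_per_user
        self.sessions = {}  # session_id -> {"user", "role", "last_seen"}

    def _idle_limit(self, role):
        return self.idle_by_role.get(role, self.default_idle)

    def _user_sessions(self, user):
        """The user's sessions, least recently active first."""
        return sorted((s["last_seen"], sid) for sid, s in self.sessions.items()
                      if s["user"] == user)

    def login(self, user, role, session_id, now):
        """Open a session. When the user is already at the cap, log out the least
        recently active session(s) first and return their ids."""
        evicted = []
        active = self._user_sessions(user)
        while len(active) >= self.max_sessions:
            _, oldest = active.pop(0)
            del self.sessions[oldest]
            evicted.append(oldest)
        self.sessions[session_id] = {"user": user, "role": role, "last_seen": now}
        return evicted

    def touch(self, session_id, now):
        """Called on every request. Returns True if the session is still valid.
        An idle session is destroyed here, server-side, rather than relying on
        the browser's timer to send the user away."""
        s = self.sessions.get(session_id)
        if s is None:
            return False
        if now - s["last_seen"] > self._idle_limit(s["role"]):
            del self.sessions[session_id]
            return False
        s["last_seen"] = now
        return True


if __name__ == "__main__":
    # Constructed policy: admins time out after 5 minutes, everyone else after 30;
    # at most two concurrent sessions per user.
    policy = SessionPolicy({"administrator": 300}, 1800, 2)
    policy.login("alice", "authenticated", "s1", now=0)
    policy.login("alice", "authenticated", "s2", now=10)
    print("evicted on third login:", policy.login("alice", "authenticated", "s3", now=20))
    print("s2 alive after 990s idle:", policy.touch("s2", now=1000))
    print("s2 alive after 2000s idle:", policy.touch("s2", now=3000))
```

The JavaScript countdown that Automatic Logout adds is a courtesy to the user; the control is the server-side check in `touch`, because an attacker replaying a stolen cookie never runs your JavaScript.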
10. LDAP
- Downloads - 510,501
- Reported installs - 22,730
- Compatible versions - Drupal 8 and below.
- Purpose - If your organization authenticates users against an LDAP directory (Active Directory, for example), this module lets Drupal accept the same directory credentials and map directory groups to Drupal roles, so accounts and access are managed in one place.
- Known Issues - None.
- Download - https://www.drupal.org/project/ldap
11. Google Apps Authentication
- Downloads - 1,508
- Reported installs - Not available
- Compatible versions - Drupal 6 and below.
- Purpose - If you use Google Apps for Business, this module allows users to authenticate to Drupal with their Google Apps credentials.
- Known Issues - This module is not covered by Drupal's security advisory policy, and it only supports Drupal 6, which itself no longer receives security releases from the Drupal Security Team.
- Download - https://www.drupal.org/project/googleauth
Security review
1. Security Kit (SecKit)
- Downloads - 208,909
- Reported installs - 24,756
- Compatible versions - Drupal 7 and below, pre-release version available for Drupal 8.
- Purpose - This module gives site administrators a settings page for several browser-enforced protections that mitigate common exploit classes. For example, it can emit a Content-Security-Policy header to contain cross-site scripting, X-Frame-Options to stop clickjacking, Strict-Transport-Security to pin the site to HTTPS, and Origin-based checks against cross-site request forgery, among others.
- Known Issues - None.
- Download - https://www.drupal.org/project/seckit
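A check for the headers Security Kit manages, as an added example that is not part of the module: given a response's headers, report which protections are missing or weakly configured. The two header sets are constructed (one deliberately weak, one hardened), and the 180-day HSTS minimum is an assumed threshold, not a value from the module.

```python
"""Audit of the response headers that Security Kit configures.

Added example, not part of Security Kit. WEAK_HEADERS and HARDENED_HEADERS are
constructed; in practice the dict comes from an HTTP client's response to the
site. The HSTS minimum (180 days) is an assumed threshold.
"""
import re

WEAK_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.net",
    "X-Frame-Options": "ALLOW-FROM https://partner.example.org",
    "Strict-Transport-Security": "max-age=300",
}

HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}


def parse_csp(value):
    """'default-src a b; script-src c' -> {'default-src': ['a', 'b'], 'script-src': ['c']}"""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def hsts_max_age(value):
    """max-age in seconds from a Strict-Transport-Security value, 0 if absent."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0


def audit_headers(headers, min_hsts_age=180 * 86400):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    directives = parse_csp(csp) if csp else {}
    if csp is None:
        findings.append("no Content-Security-Policy header")
    else:
        # script-src falls back to default-src when absent.
        script_src = directives.get("script-src", directives.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:"):
            if weak in script_src:
                findings.append(f"CSP allows {weak} for scripts")

    # Either header stops framing; CSP frame-ancestors is the modern one.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in directives:
        findings.append("no clickjacking protection (X-Frame-Options not DENY/SAMEORIGIN, no CSP frame-ancestors)")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    elif hsts_max_age(hsts) < min_hsts_age:
        findings.append(f"HSTS max-age {hsts_max_age(hsts)} is below {min_hsts_age}")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")

    return findings


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, "->", audit_headers(hdrs) or "OK")
```

Run it against the headers your site actually sends after configuring SecKit; a policy that looks strict in the settings form can still be undone by a reverse proxy or CDN that strips or overrides headers.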
2. Security Review
- Downloads - 319,044
- Reported installs - 36,264
- Compatible versions - Drupal 7 and below, pre-release version available for Drupal 8.
- Purpose - This module automates a set of checks that show whether the site's configuration leaves it open to common attack vectors: text formats that allow dangerous HTML tags (cross-site scripting), PHP or JavaScript embedded in content, untrusted roles that are allowed to execute PHP, unsafe file-system permissions, an unusually high number of database errors (a sign of SQL injection attempts) or failed logins (brute force), and more.
- Known Issues - The checks cover a lot of ground but are not exhaustive, and a clean report does not mean the site is locked down. Treat it as a baseline, re-run it after configuration changes, and combine it with the other controls on this list.
- Download - https://www.drupal.org/project/security_review
3. Paranoia
- Downloads - 74,914
- Reported installs - 6,290
- Compatible versions - Drupal 7 and below.
- Purpose - Aptly named, this module finds the places where a user could evaluate arbitrary PHP from the administrative interface (the PHP filter text format and the permissions that grant it, for instance), disables them, and prevents them from being switched back on. It limits what an attacker can do with a compromised administrator account, because administrative access no longer translates directly into code execution on the server.
- Known Issues - None.
- Download - https://www.drupal.org/project/paranoia
4. Coder
- Downloads - 811,094
- Reported installs - 3,383
- Compatible versions - Drupal 8 and below.
- Purpose - Coder reviews Drupal code and flags places where Drupal's coding standards and best practices are not followed. Note that it is a command-line development tool with IDE integration, not something you enable on a production site: run it over custom and contributed modules in development or CI before they are deployed.
- Known Issues - None.
- Download - https://www.drupal.org/project/coder
5. Secure Pages Hijack Prevention
- Downloads - 18,138
- Reported installs - 1,372
- Compatible versions - Drupal 7 and below.
- Purpose - This module complements the Secure Pages module, which serves some pages over HTTPS and the rest over plain HTTP. Because the ordinary session cookie also travels over HTTP, an attacker who captures it could replay it against the HTTPS pages. This module sets an additional secure-only cookie for the SSL pages, so a hijacked session cannot reach them, while users remain authenticated on the non-SSL pages.
- Known Issues - This module is not covered by Drupal's security advisory policy. Serving the whole site over HTTPS with Strict-Transport-Security (see Security Kit) removes the mixed-mode problem altogether.
- Download - https://www.drupal.org/project/securepages_prevent_hijack
Spam prevention
1. Captcha
- Downloads - 1,829,256
- Reported installs - 277,251
- Compatible versions - Drupal 7 and below, pre-release version available for Drupal 8.
- Purpose - CAPTCHA is one of the oldest ways of keeping automated submissions out of forms of any kind. This module lets site administrators attach a challenge to any form on their Drupal site, and it is the base that challenge providers such as reCAPTCHA plug into.
- Known Issues - None.
- Download - https://www.drupal.org/project/captcha
2. SpamSpan
- Downloads - 104,446
- Reported installs - 17,524
- Compatible versions - Drupal 7 and below, pre-release version available for Drupal 8.
- Purpose - The SpamSpan module hides email addresses from address-harvesting bots by splitting them into pieces in the HTML and reassembling them with JavaScript. Its advantage over image- or JavaScript-only obfuscation is accessibility: without JavaScript the address still degrades to a human-readable form such as "user [at] example [dot] com".
- Known Issues - None.
- Download - https://www.drupal.org/project/spamspan
3. Block anonymous links
- Downloads - 11,096
- Reported installs - 1,087
- Compatible versions - Drupal 7 and below, pre-release version available for Drupal 8.
- Purpose - Most spam comments contain links, and most spammers do not bother to register an account. This module blocks comments from anonymous users that contain links.
- Known Issues - None.
- Download - https://www.drupal.org/project/blockanonymouslinks
Updates
Update Manager (Drupal core)
- Downloads - Part of Drupal core; no separate download
- Reported installs - N/A
- Compatible versions - N/A
- Purpose - One of the best ways to keep a Drupal site protected is to install core and contributed updates promptly, since a security release fixes a publicly disclosed vulnerability that attackers start scanning for as soon as the advisory is published. The Update Manager module checks drupal.org for available releases of core and every installed project, flags security updates on the status report, and can email you when one is available. Its importance cannot be overstated; pair it with a documented process for testing and rolling out what it reports.
- Known Issues - None.
- Info - https://www.drupal.org/docs/8/core/modules/update/overview
So does this take care of Drupal security?
Not entirely. This list is by no means complete, but it should give you a head start on securing your Drupal site right away. The modules above let you check for weak configuration, harden authentication and authorization policies, and keep up with patches.
Diligently following Drupal security best practices makes a lot of sense for website owners. The idea is to have a ready process for testing and patching the common vulnerabilities your site may expose, rather than improvising on the day of an incident.
A comprehensive Drupal security policy and checklist, combined with a thoughtful selection of the modules listed above, should put a strong cordon around your Drupal site for the day it really needs one. After all, to quote Andy Grove: "Only the paranoid survive."