Drupal is considered as a professional-level Content Management System (CMS), with advanced features than Joomla, WordPress, Sharepoint, and Magento. Just like other software, it requires updates and careful maintenance of the web developers and web admins. It is not easy, but doable, hence we provide in this article simple tasks the web admins can do in order to become a lesser target of cybercriminals.
This list is not an exclusive one, but rather just provide a guideline on how to lessen the attack surface which attracts hackers’ attention towards a Drupal website:
Start with the minimum essential permissions per user
This rule is universal on all systems, not just Drupal, but for other CMS and other software as well. Users need to work within the limits set to them by the administrators. User Account Management requires to have users with “good enough” permissions to perform their tasks and nothing more. This lowers the use of the credential beyond its intended purpose, for example, an account that is used only for routine maintenance cannot have full administrative access to the whole folder structure. Of course, in order for this to become effective, a change of mindset is required, some users might harbor a bad habit of having all the settings available to them, which will be restricted by this rule.
Take advantage of Drupal’s Backup and Migrate feature
Nobody can be sure when the site needs restoration, but it is something that will be needed sooner or later. Cybercriminals use vulnerabilities in CMS in order to insert their code into the folder structure of a website, execute their code and everything else falls apart. Drupal provides an internal backup system which will be effective in quickly restoring the operations of the Drupal-based websites in minutes, not in hours or days. This system can also be used when migrating data from the old hosting provider to the new hosting service if the website admin will decide such action in the future.
Modify .htaccess file in order to restrict access from external IPs
Administration of the Drupal website needs to be restricted under a certain privileged IP address only. If possible, use an internal IP address, so that the website administration should be done inside the private network. With this restriction implemented, it will prevent external login attempts from sources other than those inside the private network. That means, hackers operating from the Internet cannot visit the actual login for the administrative user, as he requires to be inside the private network to have a successful login. That is why it is highly recommended that .htaccess file is audited to only include permissions for a few selected IP address only.
Enable Password Complexity requirement
If the user uses a password manager to store passwords for Drupal, implementation of a strong Password Complexity requirement is worthwhile. It is beyond normal behavior for anyone to use easy-to-guess password, and it is downright insecure to practice the old habit of just choosing a short, memorable but insecure password. The damage that can be incurred by the business owner will be higher if the reverse engineering of passwords is hard to do due to password complexity requirement enabled.
Keep Drupal plugins in a manageable number
Only install a few plugins as possible. Three or less is highly optimized, while more than that may be more difficult to maintain down the line.
Take advantage of Drupal Security Modules
It does not harm the web admin to install security modules for Drupal as they see fit. Those are not fully antimalware products, but rather monitor the activities of computers through the network.
Never run an old version of Drupal and its modules
Using an old version of Drupal and its modules/plugins is an old habit that needs to die. Exposing the website to hacking toolkit is not funny, as people in the profession of IT understands that new version is not only for bells and whistles, but includes fixes for the bug.
Also, Read:
8 Security Tools That Recovers Hacked Website
WordPress Plugin WooCommerce is Vulnerable to XSS Attacks
5 Bad “Features” Not To Look For In A CMS Software
Simple Points To Consider To Secure Joomla
