<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=278116885016877&amp;ev=PageView&amp;noscript=1">

, , , , ,

Apr 24, 2017 | 6 Minute Read

Drupal security modules: Which one to choose? | Axelerant

Table of Contents

Introduction

Today, securing one’s website using Drupal security modules is a primary concern for business owners, more so than it has ever been. Drupal powers more than 700,000 sites across the entire Internet—that’s a lot of sites—and the chances of a Drupal site owner coming under a concentrated cyber attack are higher than ever.

One of the major advantages of Drupal is the Drupal team’s focus on making sure the Drupal core is largely free of any vulnerabilities or loopholes that can compromise website security. Another advantage is that third-party modules are heavily vetted and tested by the extended community. This peer review process ensures that third-party modules don’t end up becoming loopholes for attacks, to a large extent.

But at the end of the day, bug-free modules aren’t enough; you always need an extra security layer, for that rainy day when your site does come under fire from spambots as well as more determined human attackers. To that end, we’ve gone ahead and compiled a massive list of Drupal security modules that can help you create a strong security layer around your site, and keep all sorts of Drupal security issues at bay.

Authentication

1. Login Security

  • Downloads - 100,942
  • Reported installs - 16,708
  • Compatible versions - Drupal 8 and below.
  • Purpose - This module helps site administrators add restrictions to the login flows in a Drupal site. For instance, one can limit the number of invalid authentication attempts before blocking an account, deny access from specific IPs and so on. It also notifies you over email or through Nagios notifications if the login form is under attack with brute force methods or username/password guessing attempts.
  • Known issues - None.
  • Download - https://www.drupal.org/project/login_security

2. Password Policy

  • Downloads - 407,012
  • Reported installs - 34,869
  • Compatible versions - Drupal 8 and below.
  • Purpose - This Drupal security module can be used to define constraints and rules for setting account passwords. For instance, a site administrator can define a rule stating that all passwords must have one uppercase letter, a number and a special symbol.
  • Known issues - None.
  • Download - https://www.drupal.org/project/password_policy

3. Two-Factor Authentication

  • Downloads - 23,277
  • Reported installs - 5,330
  • Compatible versions - Drupal 7 and below.
  • Purpose - This module allows site administrators to define two-factor auth strategies for authentication. It ships with a variety of mechanisms—time-based one-time passwords/PINs, codes delivered over text messages, pre-generated codes and a lot more.
  • Known issues - None.
  • Download - https://www.drupal.org/project/tfa

4. Username Enumeration Prevention

  • Downloads - 76,455
  • Reported installs - 10,144
  • Compatible versions - Drupal 7 and below, pre-release version available for Drupal 8.
  • Purpose - Attackers can try accessing a Drupal website using username enumeration. The idea is to find out if a username exists by entering random usernames; if a username doesn’t exist, Drupal says so. When a username does exist, Drupal displays a message stating that the auth credentials are invalid, thus telling the attacker that a valid username has been found. This module replaces the standard unknown username error message, thus making it impossible for attackers to use this technique successfully.
  • Known issues - There may be usernames included in comments and nodes that this module may not detect—that could lead to a situation where username enumeration can be exploited.
  • Download - https://www.drupal.org/project/username_enumeration_prevention

5. ACL

  • Downloads - 292,469
  • Reported installs - 28,522
  • Compatible versions - Drupal 7 and below, pre-release version available for Drupal 8.
  • Purpose - This module doesn’t ship with a UI—it’s essentially a set of APIs that allow other modules to create a list of users, and allow them selective access to certain nodes.
  • Known issues - None.
  • Download - https://www.drupal.org/project/acl

6. Content Access

  • Downloads - 492,277
  • Reported installs - 74,322
  • Compatible versions - Drupal 7 and below.
  • Purpose - This Drupal security module helps you define detailed permissions on specific content types, both by role and by author. You can specify view/edit/delete permissions in a fine-grained manner.
  • Known issues - Since this module uses Drupal’s node API, it’s recommended that you do not install other modules that use the same endpoints. Also, this module isn’t covered by the Drupal security advisory policy.
  • Download - https://www.drupal.org/project/content_access

7. Flood Control

  • Downloads - 431,844
  • Reported installs - 14,429
  • Compatible versions - Drupal 7 and below, pre-release version available for Drupal 8.
  • Purpose - This module adds a section to the administration UI, for modifying hidden flood control parameters—login attempt limiters among others, for instance.
  • Known issues - None.
  • Download - https://www.drupal.org/project/flood_control

8. Automated Logout

  • Downloads - 167,391
  • Reported installs - 25,259
  • Compatible versions - Drupal 7 and below, pre-release version available for Drupal 8.
  • Purpose - This module allows site administrators to define a policy which automatically logs out users after a specified inactive period. Timeouts can be customized by role, as well as integration with Javascript-based timers.
  • Known issues - None.
  • Download - https://www.drupal.org/project/autologout

9. Session Limit

  • Downloads - 58,454
  • Reported installs - 12,240
  • Compatible versions - Drupal 7 and below, pre-release version available for Drupal 8.
  • Purpose - This module helps limit the number of simultaneous sessions allowed for users. Policies can be configured for individual users, as well as for roles.
  • Known issues - None.
  • Download - https://www.drupal.org/project/session_limit

10. LDAP

  • Downloads - 510,501
  • Reported installs - 22,730
  • Compatible versions - Drupal 8 and below.
  • Purpose - If your organization uses an LDAP server for authentication/authorization, this module helps you configure Drupal to use the same LDAP credentials for your Drupal site.
  • Known issues - None.
  • Download - https://www.drupal.org/project/ldap

11. Google Apps Authentication

  • Downloads - 1,508
  • Reported installs - Not Available
  • Compatible versions - Drupal 6 and below.
  • Purpose - If you use Google Apps for Business, then this module allows you to use Google App credentials for user authentication and authorization inside Drupal.
  • Known issues - This module isn’t covered by the Drupal security advisory policy.
  • Downloads - https://www.drupal.org/project/googleauth

Security Review

1. Security Kit

  • Downloads - 208,909
  • Reported installs - 24,756
  • Compatible versions - Drupal 7 and below, pre-release version available for Drupal 8.
  • Purpose - This module helps site administrators set up various options that help mitigate the exploitative risks of various vulnerabilities. For instance, it can help set up HTTP headers that help check cross-site scripting and forgery, as well as clickjacking and more.
  • Known issues - None.
  • Download - https://www.drupal.org/project/seckit

2. Security Review

  • Downloads - 319,044
  • Reported installs - 36,264
  • Compatible versions - Drupal 7 and below, pre-release version available for Drupal 8.
  • Purpose - This module automates a lot of tests that help you determine if your site is vulnerable to a lot of traditional attack vectors. It runs tests to check for XSS exploits, the presence of PHP or Javascript in content nodes, arbitrary PHP execution, SQL injection attacks and a lot more.
  • Known issues - while the module covers a lot of ground, the checks provided by this module don’t necessarily mean your site is completely locked down and secure.
  • Download - https://www.drupal.org/project/security_review

3. Paranoia

  • Downloads - 74,914
  • Reported installs - 6,290
  • Compatible versions - Drupal 7 and below.
  • Purpose - Aptly named, this module tries to identify all the places where a user can evaluate arbitrary PHP code, and then goes ahead and blocks it. It helps reduce the chances of an attacker gaining elevated permissions to a Drupal site.
  • Known issues - None.
  • Download - https://www.drupal.org/project/paranoia

4. Coder

  • Downloads - 811,094
  • Reported installs - 3,383
  • Compatible versions - Drupal 8 and below.
  • Purpose - Coder checks your Drupal code and identifies places where best practices aren’t being followed. It must be noted that Coder is more of a command-line tool, with IDE support.
  • Known issues - None.
  • Download - https://www.drupal.org/project/coder

5. Secure Pages Hijack Prevention

  • Downloads - 18,138
  • Reported installs - 1,372
  • Compatible versions - Drupal 7 and below.
  • Purpose - This module helps prevent hijacked sessions from accessing pages that are SSL-enabled, while allowing users to stay authenticated while they’re browsing non-SSL pages.
  • Known issues - This module isn’t covered by the Drupal security advisory policy.
  • Download - https://www.drupal.org/project/securepages_prevent_hijack

Spam Prevention

1. Captcha

  • Downloads - 1,829,256
  • Reported installs - 277,251
  • Compatible versions - Drupal 7 and below, pre-release version available for Drupal 8.
  • Purpose - The age-old Captcha system is one of the best methods with which to secure submission forms of any kind from spambots. This module helps site administrators to include Captcha support with any kind of form, on their Drupal website.
  • Known issues - None.
  • Download - https://www.drupal.org/project/captcha

2. SpamSpan

  • Downloads - 104,446
  • Reported installs - 17.524
  • Compatible versions - Drupal 7 and below, pre-release version available for Drupal 8.
  • Purpose - The SpamSpan module obfuscates email addresses, to prevent spambots from collecting them. The advantage of using SpamSpan is that it uses Javascript for obfuscation, which helps with accessibility.
  • Known issues - None.
  • Download - https://www.drupal.org/project/spamspan

3. Block Anonymous Links

  • Downloads - 11,096
  • Reported installs - 1,087
  • Compatible versions - Drupal 7 and below, pre-release version available for Drupal 8.
  • Purpose - Most spam comments contain links, and most spambots don’t register on sites they’re out to spam. This module goes ahead and blocks links on anonymous comments.
  • Known issues - None.
  • Download - https://www.drupal.org/project/blockanonymouslinks

Updates

Drupal Core Update module

  • Downloads - NA
  • Reported installs - NA
  • Compatible versions - NA
  • Purpose - One of the best ways of ensuring your Drupal site is always protected is to make sure updates to the Drupal core are installed regularly. These updates can contain either security patches or incremental upgrades. This is a core module, and its importance can’t be overstated when it comes to making sure your Drupal site is well-maintained, and in sync with Drupal’s codebase.
  • Known issues - None.
  • Information - https://www.drupal.org/docs/8/core/modules/update/overview

So this takes care of Drupal security?

Not so much. But while this list is by no means complete, it should give you a head start in securing your Drupal site right away. The Drupal security modules included above allow you to test for vulnerabilities and exploits, plug them, as well as customize your authentication and authorization policies.

Diligently following Drupal security best practices makes a lot of sense for website owners; the idea is to have a ready process to follow when it comes to testing and plugging common vulnerabilities your site might expose.

A comprehensive Drupal security checklist and policy combined with a thoughtful combination of the Drupal security modules mentioned above should ensure your Drupal site has a heavy security cordon around it, for the day it really needs it. After all, to quote Andy Grove: “Only the paranoid survive.”

About the Author
Nathan Roach, Director of Marketing
About the Author

Nathan Roach, Director of Marketing

Germany-based consumer of old world wine and the written word. Offline you can find him spending time with his wife and daughter at festivities in the Rhineland.


Back to Top