5 Important Factors to Secure Drupal Hosting

The reality is that no site will be perfectly secure on the Internet. Having said that, you must still plan on securing your site so that it’s not vulnerable to easy attack vectors. Not only do you want to make sure that you have some kind of automatic failover plan for your Drupal site, but you’ll also need some layers of defense to prevent that failure from happening in the first place. Although no security plan is perfect, you don’t want your Drupal site becoming the next hacking victim. Here are five recommendations on how you can build and maintain secure Drupal websites using secure Drupal hosting practices.

Table of Contents

1. Audit Your Hosting and Website Code For Vulnerabilities

Take an inventory of both your hosting environment and the code that is running your site. Since many Drupal sites will be relying on pre-built themes and modules, have an outside audit done on your codebase to ensure that there’s no bad code. You also want to have a good look at your hosting provider to see if they can withstand typical shocks. This audit should look at:

How strong is network connectivity?
What kind of diversion strategies are in place for traffic spikes and DDoS attacks? An orchestrated DDoS attack can take out an entire data center.
Take a look at the underlying storage system that serves your files. If your system regularly becomes overloaded, try upgrading to SSDs.
All websites should have some form of deployable backups that are ready to go at a moment’s notice.

2. Perform Regular Hosting Security Audits

From a Drupal perspective, your security team should be focusing on major known application vulnerabilities in the Drupal CMS. Webmasters should secure their sites against things like SQL injections, broken authentication attacks, OAuth attacks and cross-site scripting. SQL injection attacks are particularly dangerous, with a specifically crafted URL being able to take a site completely offline.

3. Enforce Secure Passwords (Or Opt For Two-Step Authentication)

A simple thing that webmasters can do is to remind their users to employ complex passwords in order to prevent dictionary attacks. Make sure they are mixing in random characters like exclamation points, uppercase letters and numbers. Also request that they use passwords of eight or more characters long. A webmaster can also use IP whitelisting to allow logins only from their intranet and other trusted locations. This is an excellent way to keep unknown traffic from attempting to log in to your website.

Another key security procedure is to turn on two-step verification. This means that your employee’s cell phone will get a text message that they’ll need to use to log in. If that sounds like too much work, there is also a Google Authenticator application to make the authentication step quicker. Once your Drupal user is verified, make sure to assign role-based access controls so that you restrict the permissions of each user. You don’t want all users accessing your production database or your code base, so make sure to set permissions appropriately.

4. Use HTTPS For Your Drupal Website

It’s crucial for any website (especially those sites where users are sending usernames and passwords) to pass all information over a secure connection. HTTPS is simply the secure form of HTTP, the protocol used by browsers to send requests. When you use HTTPS, the information that’s sent back and forth is encrypted. The information is only decrypted once the data is received by either the user or the server.

The importance of HTTPS lies in keeping snooping eyes from spying on your website traffic. Anybody who happens to be spying on traffic that is sent over an HTTPS pipe will only see encrypted packets. They won’t be able to determine what information is being transmitted back and forth. If a website is using plain HTTP, any information that’s sent to the server (such as usernames and passwords) are being sent in plain text.

To use HTTPS on your website, you’ll need an SSL certificate that you can get from an issuing certificate authority. After procuring the certificate, you’ll just need to install it on your website. If you use cPanel for your Drupal hosting, then look at the security section for the SSL / TLS option.

5. Uninstall Drupal Modules That You Aren’t Using

A good Drupal security practice is to completely uninstall and remove any unused modules or themes. The reasoning behind this is that you don’t want to expose any surface area that would be vulnerable to a determined hacker or bot to exploit. This would give them access to your Drupal site. Once they exploit a module, they can even get access to your database and entire directory structure. The fewer modules you have active for your Drupal website, the less of a chance that a hack can happen that could potentially shut your site down.

Taking care of unused Drupal modules is a simple procedure. Once you’ve decided that you do not want to use a particular module, simply go through the uninstall process to get rid of it. Keep in mind that starting with Drupal 8, modules can’t be disabled to prevent them from running. You’ll need to completely uninstall them to get rid of them.

It takes a lot of work to harden the overall hosting environment to maintain a secure hosting setup. The best hosts take care of many of these details in the background, making it easy for their customers to manage their websites securely. A good host will scan your Drupal install for performance issues with an eye on coding best practices. In addition to a number different security checks, your host should keep an eye on the PHP code running within your Drupal modules. The best security will be to simply keep your Drupal install and modules up to date. But it also helps a bunch to have a good host that regularly checks in on your Drupal installation.