Is Your Drupal Website Secure?

News about cyber attacks are becoming more and more frequent nowadays. From private individuals to small companies and international corporations, everyone can be a victim of a hacking attack.

Do you know how to protect your Drupal website against a cyber-attack?

Even though Drupal’s core structure already provides a high degree of security, you need to appropriately configure your website and also you must make sure to always follow the security updates. 

Then comes the obvious - permissions. Make sure to have a clear role assignment in your team and we highly recommend you to have a separate account for each user with access. We all know shared accounts present a high safety risk. 

Keep in mind: security is not just about coding! 

Let’s take it step by step with some basic security principles:

Drupal Core

UP-TO-DATE - that is the magic word! Stay informed about security updates and apply them to your website whenever the time arrives. You can follow update news on, as well as on twitter, at

Strong password

Having a strong password might seem obvious, but password management is actually one of the most common security issues encountered. Don’t take things lightly! A weak password is no password at all. 

Install the Password Policy module and make sure all other users with access have optimised strong passwords. It is also a good idea to make it mandatory to regularly renew the passwords.

Uploading Files Securely

Set restrictions accordingly and always check files uploaded by other users. Don’t forget to set rules regarding the file size, type, etc. And we will say this again: carefully divide and control the users roles and permissions and do not grant unnecessary authorisation.

Security Review

Install the Security Reviews module and take the necessary action according to its analysis result. This module is particularly useful for reminding you about security checks that went by unnoticed. 

Keep in mind though not to use this module on live websites. Deactivate it and delete it from the file system when your website goes live. 

Secure Coding

Make sure the special modules and themes you included do not lead to any security vulnerability. Scan your website with specialised applications (e.g. netsparker) against vulnerabilities such as XSS (cross-site scripting) or SQL Injection

We highly recommend the use of Drupal APIs in the module development stage as this will help to keep your Drupal code more secure.