header tail

Drupal security best practices

home / Drupal security best practices

With automated bots and hackers constantly searching the internet for sites to attack, keeping your website safe and secure is vital. 

Just as shop owners lock up their physical shop premises, your Drupal website needs to be ‘locked’ and protected against hacking, ransomware infections and other online security threats.

Fortunately, Drupal is regularly scrutinised, updated and patched by developers all around the globe. The CMS also has its own dedicated team of security experts, an impressive track record for security, and a robust process for overcoming security vulnerabilities as they arise. So just using Drupal is a great start in terms of website security.

In this blog, we’ll cover why Drupal security is important and share ten Drupal best practices to ensure your site stays safe.

why Drupal security is important

Without adequate security protection on your website, your organisation could lose data, breach legislation and suffer severe reputational damage.

Web security is also a search engine ranking factor. Secure websites are prioritised in the search results and therefore more likely to gain organic traffic.

Of course, fixing security issues can be costly too, and the impact of security breaches (such as lost customers and fines) may have even greater financial implications. So Drupal security is vital not just for good digital performance and user trust, but also for your bottom line.

10 Drupal security best practices

Using our two decades of Drupal experience, we now share the ten best ways to keep your Drupal site secure and protected against online threats…

1. Use HTTPS

Without HTTPS on your website, hackers can interfere in the communications between your site and users/browsers. In fact, HTTPS is so important for website security that Google displays a ‘not secure’ message on HTTP sites to warn users.

It’s completely free – and pretty easy – to transfer your site to HTTPS so there’s no reason not to do it! You just need a Secure Sockets Layer (SSL) certificate, which you can get via Let’s Encrypt or your hosting provider.

Once your SSL certificate is activated, your URL will be HTTPS and a padlock sign will be displayed in the URL bar, thus indicating that all site communications are secure.

2. Keep Drupal software up-to-date

Outdated software is a common security vulnerability, so it’s vital to install the latest Drupal core updates as soon as they are available. The same also applies to any modules or themes on your site.

Updates aim to patch security weaknesses and improve overall performance; without them, your site is vulnerable to hacking and security breaches.

We cover the different methods for updating the Drupal core in our ‘Drupal: how to update’ blog. Alternatively, your Drupal agency may cover regular updates as part of their support package.

3. Choose secure hosting

Having secure hosting is an important element of website security and should always be kept in mind when choosing a hosting provider.

Secure hosting is particularly important if you’re on a shared hosting plan, as your site will be vulnerable to attacks made through other sites using the same server.

It’s a good idea to check with your host what security measures they have in place and how they respond to any security issues on their server. If their security procedures are insufficient for your needs, it’s advisable to upgrade your hosting package or switch provider.

4. Use secure login details

Insecure login details and passwords are another common way that Drupal sites are hacked. Access is often gained via brute force attacks, where hackers attempt various username and password combinations until one is successful.

Drupal automatically limits brute force attacks, but choosing strong passwords is another important way to increase site security. It’s also a good idea to avoid obvious usernames such as ‘admin’.

Strong passwords include a combination of letters (both upper and lower case) alongside numbers and symbols. The longer the password, the better – aim for 12-14 characters to keep your site really secure.

For additional security, you might want to set-up two-factor authentication (2FA). This means that users have to login in two stages – firstly, by entering their username and password, and then by providing a one-time passcode.

You can add 2FA to your Drupal site with the Google Authenticator module (you’ll also need to download the related app for passcode generation). However, it’s worth bearing in mind that 2FA isn’t compatible with all Drupal modules and themes, so speak to your Drupal support agency if you encounter any problems.

5. Backup regularly

Backing-up means making and storing a copy of your Drupal site files and database. These copies can then be used to get your website back online again in case of a security breach or virus.

The more regularly you backup, the less data you’ll lose if your site is ever hacked or infected. It’s worth considering how often you make changes or add new content, and how easy it would be to re-do this work if it was lost – this will help inform how often you should schedule backups.

The simplest way to backup on Drupal is with the Backup and Migrate module. Simply install the module, and then tick to enable automatic backups and set your desired frequency in the module’s settings.

6. Block bots

Automated bots and crawlers are constantly searching for website vulnerabilities to hack or exploit. You can protect your Drupal site against these with various modules:

  • Captcha helps prevent bots from making contact form submissions
  • Honeypot also reduces bot form submissions
  • SpamSpan Filter prevents spambots collecting email addresses from your site

However, it’s also worth blocking bad bots at server level for additional protection. You can do this through your hosting provider or by adding the following code to your .htaccess file:
RewriteEngine OnRewriteCond %{HTTP_USER_AGENT} ^.*(agent1|Wget|Catall Spider).*$ [NC]RewriteRule .* – [F,L] 

Please note that if you add the code yourself, make sure not to block the Google crawling bot or you might find that you suddenly stop seeing any organic traffic! 

7. Update user accounts

The more users (and logins) you have for your site, and the greater access and permissions users have, the more your site is at risk of hacking and other security breaches.

The main Drupal role options (in order of decreasing capability to make website changes) are Administrator, Editor and User. However, Drupal’s flexibility means that an unlimited number of different roles and permissions are possible.

As administrators have the greatest permissions in terms of making changes on your Drupal site, this role should be reserved only for the website owner and a limited number of other trustworthy users.

We recommend reviewing your users regularly to ensure that people have the correct permissions. It’s also a good idea to delete user accounts when people stop contributing to your site. You can find out which users are registered and check/update role permissions under ‘People’ in the back-end.

8. Keep your database clean

Keeping your Drupal database clean and up-to-date helps reduce the risk of malware and ransomware infections.

We recommend regularly checking your website database and deleting anything that is no longer needed. But make sure you to backup first – just in case you accidentally delete something important!

The easiest way to cleanse your Drupal database is with the Clean up module. However, if you’re more technically-knowledgeable, you may prefer to use phpMyAdmin instead.

9. Scan regularly

To keep your site secure, it’s important to scan regularly. You can do this quickly and easily with an online scanner such as Sucuri.

A scan will highlight any possible security errors and vulnerabilities on your site – these should be addressed as soon as possible. If you’re not sure how to resolve any problems, read this great Sururi informational guide or contact your Drupal agency.

10. Be prepared!

By following our tips above, your Drupal site will be well-protected and secure, but it’s also important to create a disaster recovery plan in case the worst ever happens.

A disaster recovery plan should include details such as: your user account names and passwords; the steps you’d take to resolve any security issues; how you’d inform staff, users and stakeholders; where backups are stored; and any possible data protection or legal implications.

It’s may be worth asking your Drupal agency to write this for you to ensure it’s comprehensive and technically-robust. However, if you’d prefer to draft it yourself, Drupal.org has lots of useful information in this article about how to respond to website hacking.

11. Sign-up for Drupal emails

As a final bonus tip, we also recommend signing up to the Drupal security mailing list. This will ensure you stay up-to-date with all of the latest security notifications and announcements.


We hope you enjoyed this blog about Drupal security best practices. For more expert Drupal tips, read our ultimate Drupal optimisation guide which covers everything you need to know about optimising and maintaining your Drupal website.

Or, for on-demand Drupal support from an award-winning agency with more than two decades of experience, please get in touch and we’ll be happy to help!