Drupal has a mature security process and module ecosystem. Primary controls are trusted host enforcement, advisory patching, and module permission hygiene.
¶ 1) Protect secrets and administrative access
- Configure trusted_host_patterns in settings.php
- Keep settings.php read-only (444 permissions)
- Protect sites/default/files against executable uploads
- Use strong admin passwords and enforce password policies
- Enable the Two-factor Authentication (TFA) module for admin accounts
¶ 2) Control extensions and update cadence
- Subscribe to Drupal security advisories: https://www.drupal.org/security
- Patch Drupal core and contributed modules quickly after security releases
- Remove unused modules and themes, especially abandoned ones
- Only download modules from drupal.org or trusted sources
- Use Composer for dependency management
¶ 3) Harden runtime and deployment perimeter
- Use least-privilege roles and review permissions for content moderation and admin tasks
- Enforce HTTPS and secure session cookie settings
- Set correct file permissions:
  - Directories: 755
  - Files: 644
  - settings.php: 444 (read-only)
- Block PHP execution in the uploads directory (sites/default/files)
Shell:
# Set directory permissions
find /var/www/drupal-site -type d -exec chmod 755 {} \;
# Set file permissions
find /var/www/drupal-site -type f -exec chmod 644 {} \;
# Secure settings.php
chmod 444 /var/www/drupal-site/sites/default/settings.php
# Set ownership. Note: if the web server user owns the whole tree, a compromised
# PHP process can rewrite application code; prefer a separate deploy user as owner
# and give www-data write access only to sites/default/files.
sudo chown -R www-data:www-data /var/www/drupal-site
Apache (.htaccess in sites/default/files):
<Files "*.php">
  # Apache 2.4 syntax; on Apache 2.2 use "Deny from all" instead
  Require all denied
</Files>
Nginx (place this block before the location that hands .php requests to PHP-FPM; nginx uses the first matching regex location):
location ~* /sites/default/files/.*\.php$ {
  deny all;
}
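To check that a deployed docroot actually matches sections 1 and 3 (read-only settings.php with trusted_host_patterns set, no PHP in sites/default/files, an .htaccess that blocks it, nothing world-writable), here is an added audit script that is not part of the original page; the directory layout it assumes is the standard one used above, and the sample tree it builds is constructed for demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: audit a Drupal docroot against the
# checklist above and print one FINDING line per deviation. Assumes the standard
# layout sites/default/settings.php and sites/default/files.
drupal_audit() {
  root="$1"
  settings="$root/sites/default/settings.php"
  files="$root/sites/default/files"

  # settings.php: present, mode 444, with an uncommented trusted_host_patterns line
  if [ ! -f "$settings" ]; then
    echo "FINDING: $settings is missing"
  else
    mode=$(stat -c '%a' "$settings" 2>/dev/null || stat -f '%Lp' "$settings")
    [ "$mode" = "444" ] || echo "FINDING: settings.php mode is $mode, expected 444"
    grep -Eq '^[[:space:]]*\$settings\[.trusted_host_patterns.\]' "$settings" \
      || echo "FINDING: trusted_host_patterns is not set in settings.php"
  fi

  # uploads directory: no PHP source, and an .htaccess that refuses PHP
  if [ -d "$files" ]; then
    find "$files" -type f -iname '*.php*' -exec echo "FINDING: PHP source in uploads dir: {}" \;
    grep -Eqs 'Require all denied|Deny from all|engine off' "$files/.htaccess" \
      || echo "FINDING: $files/.htaccess does not block PHP"
  fi

  # anything world-writable violates the 755/644 baseline
  find "$root" ! -type l -perm -002 -exec echo "FINDING: world-writable: {}" \;
}

# Number of findings only (0 means the tree matches the checklist)
drupal_audit_count() { drupal_audit "$1" | grep -c '^FINDING' || true; }

# Constructed sample docroot in a temporary directory, used only to demonstrate the audit
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/sites/default/files"
  printf '%s\n' '<?php' "\$settings['trusted_host_patterns'] = ['^www\\.example\\.com\$'];" \
    > "$d/sites/default/settings.php"
  chmod 444 "$d/sites/default/settings.php"
  printf '<Files "*.php">\n  Require all denied\n</Files>\n' > "$d/sites/default/files/.htaccess"
  echo "$d"
}

root=$(make_sample_tree)
drupal_audit "$root"                        # clean tree: prints nothing
touch "$root/sites/default/files/stray.php"  # a PHP file that slipped into uploads
drupal_audit "$root"                        # one FINDING line for stray.php
```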
Consider installing these security modules:
- Security Kit: Provides additional security headers and settings
- Two-factor Authentication (TFA): MFA for user accounts
- Login Security: Limit login attempts, IP blocking
- Captcha/ReCAPTCHA: Prevent automated attacks
- Password Policy: Enforce strong password requirements
¶ 4) Operate and review continuously
- Regular updates: Apply security updates within 24-48 hours of release
- Module audit: Regularly review enabled modules and remove unused ones
- User permissions: Follow the principle of least privilege
- Backup strategy: Regular backups with off-site storage
- Security scanning: Use tools such as the Security Review module
- Error handling: Disable on-screen error messages in production
References:
- Drupal security docs: https://www.drupal.org/docs/security-in-drupal
- Drupal security advisories: https://www.drupal.org/security
- Drupal security team: https://www.drupal.org/drupal-security-team
- Drupal source: https://git.drupalcode.org/project/drupal