Drupal is quite secure from the start. Admittedly, I don't have deep experience with the Drupal content management system (CMS). I've only used it for testing features and comparing workflows to other website builders and applications. I like the Burndown kanban Drupal module. I know enough to help a new Drupal site owner who understands the importance of being proactive with website security. Below are some basic security recommendations.
I haven't seen any Black-owned businesses using Drupal, but it might be worth a try if you have web development skills and want to stand out from the plentiful Shopify and WordPress-based online stores.
Improve Server Security
Start with the web server and web hosting account.
- Use strong passwords, at least a dozen alphanumeric characters with special characters.
- Enable two-factor authentication (TFA/2FA) for your web hosting account, server control panel, and Drupal site.
- Store your passwords in a password manager (e.g. KeePass or LastPass).
If you have a Drupal hosting account, meaning that you only have your web hosting billing account and a Drupal login (no direct access to the web server), you can skip to the Drupal modules section.
PHP Updates and System Security
- There's a new PHP version seemingly every six months. Use the latest version supported by your Drupal version and essential PHP modules.
- Install something to harden PHP security like ModSecurity or Snuffleupagus.
- Run scheduled malware scans with ClamAV or ImunifyAV. If you install ClamAV on your server, you can integrate the ClamAV Drupal module.
- Set up firewalls and close all unnecessary ports.
Drupal Security Modules
There are many security and performance settings natively available in Drupal. Configure those first.
Security Kit for Security HTTP Headers
Security HTTP headers are easier to code in the command-line interface (CLI) if you have SSH access and are comfortable with the terminal. The Security Kit (SecKit) Drupal module lets you configure HTTP headers from the dashboard to prevent cross-site scripting (XSS), click-jacking, and SSL/TLS/PKI certificate downgrading attacks with:
- HTTP Strict Transport Security (HSTS)
- Content Security Policy (CSP)
- Permissions Policy (formerly Feature policy)
Redirect Broken Links
Redirect does exactly what it seems to do: redirects URLs. It also tracks broken (404 error) links across your website. Fixing broken links is an easy search engine optimization (SEO) technique that can prevent you from having to browse web analytics for the same data.
Web analytics software tracks multiple things:
- Page views
- Where visitors come from and go after reaching a web-page
- What bots (benign and malicious) are crawling your site
- For many website owners, enough to negate the need for Security Information and Event Management (SIEM) solutions like Splunk
Web analytics applications can be installed on the server or Drupal site, or integrated from an external software-as-a-service (SaaS). My top three recommended solutions:
- Google Analytics is the most popular option and easy to integrate.
- Matomo Analytics is a self-hosted free open-source software (FOSS) that needs to be installed on your server to track user activity. I think it's easier to use but I'm biased towards FOSS.
The security.txt is a proposed standard for sharing how to report website security issues, public encryption keys for secure communication, and links to your security policy pages. You can set this manually on your web server or use the Security.txt module to do so in the back-end.
You must have a disaster recovery (DR) solution in place for when things go "FUBAR." System snapshots are great if they're supported by your web hosting provider. But you'll still need zip or tar.gz archives of your website code and databases. You can create backups from the web hosting panel or Drupal. With Backup and Migrate you can manually and schedule Drupal data backups and restorations between file transfer protocol (FTP) and other cloud storage solutions.