Drupal is increasingly gaining some popularity popularity and at the same time it is also becoming a big target for cyber criminals. There are thousands of CMS platforms out there but we should not forget that hackers are really good at what they do so it hardly matters for them what kind of website you run. Hence, to be on a safer side it is imperative for you to secure your website. This tutorial takes us through the guidelines to Improve the Security of your Drupal Website.
You will also want to read:
A Basic Guide to Drupal Website Managemen
You will also want to read:
A Basic Guide to Drupal Website Managemen
Drupal Website Maintenance tutorial
How to Speed Up Your Drupal Website
How to address "failed Drupal Clean url Test"
Installing a new Drupal website
Let us now look at these guidelines one after the other:
- Updating your site regularly
This is one thing which everybody knows but only a few apply it and it make it their practice. The bugs and security issues that were present in the previous version have been fixed in the new one and by updating your Drupal website on a regular basis, you are protecting it well from the hackers. Make sure that whenever the core modules in your Drupal site are released they are always up-to-date to the latest version.
- Strong admin password
Password is the area where you should put your main focus. Everybody use passwords and they know its value and what crucial part it plays in a website. Still many people commit mistakes by keeping a very generic password which is very easy to predict. This makes the security of your site weak. You should put a very difficult , strong and impossible to predict password. A good way of strengthening your password is by keeping it alpha-numeric along with upper case and lower case text.
- Change Password Often
Password of your website should be changed in every 90 days, at least once. It is not safe to keep one password for a long time as it reduces the risk of security. Hence, changing password oftenly is a good way to secure your site.
- Backup
Keeping a backup of your work is always a good practice. Taking a backup of your working site before making any changes to it is a good practice of securing yourself from any future risks. Make sure that your backup is kept locally and not on web servers as keeping it on web servers might increase the security risks of your Drupal site.
- Restrict Uploading
Drupal consist of a core module called `Upload Module' which enables the users to upload image files. Make sure that you limit the types of files for uploading.
Providing a good experience to the users is a must for you, and this can be done by securing your Drupal site. If your visitors will face security obstacles constantly, they will definitely not return again to your site. Hence, to achieve success in your business it is important for you to secure your website.
You will also want to read:
A Basic Guide to Drupal Website Managemen
How to change your Drupal website password
This section will show you how to change the password for your Drupal website.
First you need to login to your Drupal site before you proceed with the rest of the tutorial.
1) Click the your user account in the top right corner
2) Then click the Edit tab
3) Enter a new password here
4) Then click Save
The password has been successfully changed
That is it. You now know how to change your Drupal password
How to change Drupal admin username
In this section, we will show you how to change the default admin username for your Drupal website. This can be helpful to basic attempts to illegally gain access to your website.
1) Login to your Drupal admin account.
2) Go to the People page.
3) Click the Edit link for the admin account.
4) Enter the new username you wish to use.
5) Click save
How to update your Drupal website version
Keeping your site up-to-date is very important because it helps reduce the possibility of unpatched security vulnerability being used to breach your site.
You can tell you need to update when you see the following notice in your admin dashboard.
update
Begin with a backup.
No matter how you upgrade your site, we HIGHLY recommend that you backup your website before attempting any upgrade process.
Plugins/Modules/Themes
Please be aware that some updates may break plugins, modules and/or themes you have installed. It is recommended that you check to make sure that all the plugins and themes you use are compatible with the new version of Drupal you plan on upgrading too.
How to Upgrade Drupal
We are now going to show you two methods of updating your site.
Web Apps via cPanel
This method requires that you installed Drupal via the Web Apps tool in cPanel.
1) Login to Site Admin
2) Go to the Install & manage Web Apps link from the Web Apps section of the left menu.
3) Click Manage Installed Apps
4) Click the Upgrade link under the version number of the site you wish to
5) Click the Upgrade button when prompted
6) You may be prompted to visit a link after the files have been upgraded. If you are, please click the link and follow the steps located on the page. This is so that the database and other configuration files can be updated.
Once you have followed all the steps on the final page (step 6), your site should be fully updated.
Manuel Update
This method requires basic knowledge of FTP and how to transfer files.
Because of the complicated nature behind manual updates, we recommend following the steps located at drupal website
How to Stop Spam in Drupal
Drupal is a popular software and content management system used for classic website production. Like every other software, Drupal has its downsites, one of which is the issue of spam.
This post will teach you how to deal with this problem. How to overcome spamming issues associated with Drupal.
The following steps will guide you through overcoming this very serious problem in Drupal:
1. Approval features
By default, Drupal has a feature that allows you to either completely block or moderate all user registrations.
Go to Configuration > Account settings. You can set "Who can register accounts" to a couple of useful settings:
Administrators only: this will block all registrations.
Visitors, but administrator approval is required: This will require you to manually approve all users.
You will also want to read:
A Basic Guide to Drupal Website Managemen
2. E-mail verification
This feature allows you to require e-mail verification before a user account becomes active. This adds a significant hurdle for spammers. Go to Configuration > Account settings to enable this feature.
3. Block certain user details
If you have a lot of spam registrations, there's a good chance there will be some patterns in the spam user details. For example, you might have a lot of users signing up as "John Smith" or using .ru email addresses.
Certain features with Drupal user_restrictions allows you to block both emails and usernames based on certain patterns.
4. Enable Captchas
Captcha provides easy integration with your Drupal registration forms.
However, Captchas have several problems. They can often be hard for even normal users to see. They are also not good for users with visual disabilities.
5. Block by location
Drupal allows you to black-list or to white-list access to a Drupal site by countries. It's not the most sophisticated technique because determined spammers will find a way around these restrictions, but it will block a lot of low-level spam attempts.
6. Use 3rd party spam tools
There a wide variety of 3rd party systems that try to prevent spam registrations. These are often paid services. We will noe eamine 10 ways that generally help to stop spam in Drupal
10 Ways to Stop Spam in Drupal
Complaints about spam user registrations in Drupal abound. In this tutorial, we show you 10 ways to stop spam registrations in Drupal.
#1. Core approval features
Drupal has a default feature that allows you to either completely block or moderate all user registrations.
Go to Configuration > Account settings. You can set "Who can register accounts" to a couple of useful settings:
Administrators only: this will block all registrations.
Visitors, but administrator approval is required: This will require you to manually approve all users.
#2. E-mail verification
Another Drupal core feature allows you to require e-mail verification before a user account becomes active. This add a significant hurdle for spammers. Go to Configuration > Account settings to enable this feature.
https://drupal.org/project/user_verify add some more sophisticated options to the email verification process, including the requirement for the user to enter a special token.
#3. Block certain user details
If you have a lot of spam registrations, there's a good chance there will be some patterns in the spam user details. For example, you might have a lot of users signing up as "John Smith" or using .zu email addresses.
https://drupal.org/project/user_restrictions allows you to block both emails and usernames based on certain patterns. Here's an example which blocks .zu domains:
#4. Captchas
A Captcha presents a visual challenge that is supposed to be difficult for spammers to solve. https://drupal.org/project/captcha provides easy integration with your Drupal registration forms.
However, Captchas have several problems. They can often be hard for even normal users to see. They are also not good for users with visual disabilities.
https://drupal.org/project/riddler is an interesting variation on a captchas. It allows you to ask a question that will probably stump spambots:
#5. Honeypots / Secret form fields
One spam-defeating technique that we've found to be very effective is hidden fields. You add an extra input field to every form and then hide it with CSS. Humans never see the field but spambots do and when they fill in the field the form is discarded.
https://drupal.org/project/spamicide is a module that makes it easy to create hidden fields.
This technique is often called a Honeypot and there's a module with the same name: https://drupal.org/project/honeypot. Click here to read the modules's author explaining the meaning behind the name "Honeypot".
There are some funny variations on this idea. For example, https://drupal.org/project/simpleantispam add a visible checkbox marked "I'm not a spammer" and a hidden checkbox marked "I'm a spammer":
#6. Block by location
http://drupal.org/project/geoblocker allows you to black-list or to white-list access to a Drupal site by countries.
It's not the most sophisticated technique because determined spammers will find a way around these restrictions, but it will block a lot of low-level spam attempts.
Certainly it's worth considering if your site is specifically focused on one location and you have little to no interest in overseas users.
#7. Secret codes
If you have a site without a large audience, you could consider giving out a secret code to potential members.
https://drupal.org/project/mothermayi allows you set a secret code that people must enter in order to register successfully.
#8. 3rd party spam tools
There a wide variety of 3rd party systems that try to prevent spam registrations. These are often paid services. Here are some of the most popular:
Mollom: https://drupal.org/project/mollom
Stop Forum Spam: https://drupal.org/project/spambot
Cloudflare: https://drupal.org/project/cloudflare
#9. Delayed roles
https://drupal.org/project/role_delay is an interesting approach. It allows you to slowly give users more permissions over time.
For example, a brand new user might not be able to post comments or forum posts. Over time they can automatically be moved into Drupal user roles with more permissions.
#10. Warning message
https://drupal.org/project/warning made me smile. Instead of providing a sophisticated technical solution, the Warning module simple tells your users that you won't tolerate spam.
You will also want to read:
A Basic Guide to Drupal Website Managemen
Drupal Website Maintenance tutorial
How to Speed Up Your Drupal Website
How to address "failed Drupal Clean url Test"
Installing a new Drupal websiteHow to change your Drupal website password
This section will show you how to change the password for your Drupal website.
First you need to login to your Drupal site before you proceed with the rest of the tutorial.
1) Click the your user account in the top right corner
2) Then click the Edit tab
3) Enter a new password here
4) Then click Save
The password has been successfully changed
That is it. You now know how to change your Drupal password
How to change Drupal admin username
In this section, we will show you how to change the default admin username for your Drupal website. This can be helpful to basic attempts to illegally gain access to your website.
1) Login to your Drupal admin account.
2) Go to the People page.
3) Click the Edit link for the admin account.
4) Enter the new username you wish to use.
5) Click save
How to update your Drupal website version
Keeping your site up-to-date is very important because it helps reduce the possibility of unpatched security vulnerability being used to breach your site.
You can tell you need to update when you see the following notice in your admin dashboard.
update
Begin with a backup.
No matter how you upgrade your site, we HIGHLY recommend that you backup your website before attempting any upgrade process.
Plugins/Modules/Themes
Please be aware that some updates may break plugins, modules and/or themes you have installed. It is recommended that you check to make sure that all the plugins and themes you use are compatible with the new version of Drupal you plan on upgrading too.
How to Upgrade Drupal
We are now going to show you two methods of updating your site.
Web Apps via cPanel
This method requires that you installed Drupal via the Web Apps tool in cPanel.
1) Login to Site Admin
2) Go to the Install & manage Web Apps link from the Web Apps section of the left menu.
3) Click Manage Installed Apps
4) Click the Upgrade link under the version number of the site you wish to
5) Click the Upgrade button when prompted
6) You may be prompted to visit a link after the files have been upgraded. If you are, please click the link and follow the steps located on the page. This is so that the database and other configuration files can be updated.
Once you have followed all the steps on the final page (step 6), your site should be fully updated.
Manuel Update
This method requires basic knowledge of FTP and how to transfer files.
Because of the complicated nature behind manual updates, we recommend following the steps located at drupal website
How to Stop Spam in Drupal
Drupal is a popular software and content management system used for classic website production. Like every other software, Drupal has its downsites, one of which is the issue of spam.
This post will teach you how to deal with this problem. How to overcome spamming issues associated with Drupal.
The following steps will guide you through overcoming this very serious problem in Drupal:
1. Approval features
By default, Drupal has a feature that allows you to either completely block or moderate all user registrations.
Go to Configuration > Account settings. You can set "Who can register accounts" to a couple of useful settings:
Administrators only: this will block all registrations.
Visitors, but administrator approval is required: This will require you to manually approve all users.
You will also want to read:
A Basic Guide to Drupal Website Managemen
Drupal Website Maintenance tutorial
How to Speed Up Your Drupal Website
How to address "failed Drupal Clean url Test"
Installing a new Drupal website2. E-mail verification
This feature allows you to require e-mail verification before a user account becomes active. This adds a significant hurdle for spammers. Go to Configuration > Account settings to enable this feature.
3. Block certain user details
If you have a lot of spam registrations, there's a good chance there will be some patterns in the spam user details. For example, you might have a lot of users signing up as "John Smith" or using .ru email addresses.
Certain features with Drupal user_restrictions allows you to block both emails and usernames based on certain patterns.
4. Enable Captchas
Captcha provides easy integration with your Drupal registration forms.
However, Captchas have several problems. They can often be hard for even normal users to see. They are also not good for users with visual disabilities.
5. Block by location
Drupal allows you to black-list or to white-list access to a Drupal site by countries. It's not the most sophisticated technique because determined spammers will find a way around these restrictions, but it will block a lot of low-level spam attempts.
6. Use 3rd party spam tools
There a wide variety of 3rd party systems that try to prevent spam registrations. These are often paid services. We will noe eamine 10 ways that generally help to stop spam in Drupal
10 Ways to Stop Spam in Drupal
Complaints about spam user registrations in Drupal abound. In this tutorial, we show you 10 ways to stop spam registrations in Drupal.
#1. Core approval features
Drupal has a default feature that allows you to either completely block or moderate all user registrations.
Go to Configuration > Account settings. You can set "Who can register accounts" to a couple of useful settings:
Administrators only: this will block all registrations.
Visitors, but administrator approval is required: This will require you to manually approve all users.
#2. E-mail verification
Another Drupal core feature allows you to require e-mail verification before a user account becomes active. This add a significant hurdle for spammers. Go to Configuration > Account settings to enable this feature.
https://drupal.org/project/user_verify add some more sophisticated options to the email verification process, including the requirement for the user to enter a special token.
#3. Block certain user details
If you have a lot of spam registrations, there's a good chance there will be some patterns in the spam user details. For example, you might have a lot of users signing up as "John Smith" or using .zu email addresses.
https://drupal.org/project/user_restrictions allows you to block both emails and usernames based on certain patterns. Here's an example which blocks .zu domains:
#4. Captchas
A Captcha presents a visual challenge that is supposed to be difficult for spammers to solve. https://drupal.org/project/captcha provides easy integration with your Drupal registration forms.
However, Captchas have several problems. They can often be hard for even normal users to see. They are also not good for users with visual disabilities.
https://drupal.org/project/riddler is an interesting variation on a captchas. It allows you to ask a question that will probably stump spambots:
#5. Honeypots / Secret form fields
One spam-defeating technique that we've found to be very effective is hidden fields. You add an extra input field to every form and then hide it with CSS. Humans never see the field but spambots do and when they fill in the field the form is discarded.
https://drupal.org/project/spamicide is a module that makes it easy to create hidden fields.
This technique is often called a Honeypot and there's a module with the same name: https://drupal.org/project/honeypot. Click here to read the modules's author explaining the meaning behind the name "Honeypot".
There are some funny variations on this idea. For example, https://drupal.org/project/simpleantispam add a visible checkbox marked "I'm not a spammer" and a hidden checkbox marked "I'm a spammer":
#6. Block by location
http://drupal.org/project/geoblocker allows you to black-list or to white-list access to a Drupal site by countries.
It's not the most sophisticated technique because determined spammers will find a way around these restrictions, but it will block a lot of low-level spam attempts.
Certainly it's worth considering if your site is specifically focused on one location and you have little to no interest in overseas users.
#7. Secret codes
If you have a site without a large audience, you could consider giving out a secret code to potential members.
https://drupal.org/project/mothermayi allows you set a secret code that people must enter in order to register successfully.
#8. 3rd party spam tools
There a wide variety of 3rd party systems that try to prevent spam registrations. These are often paid services. Here are some of the most popular:
Mollom: https://drupal.org/project/mollom
Stop Forum Spam: https://drupal.org/project/spambot
Cloudflare: https://drupal.org/project/cloudflare
#9. Delayed roles
https://drupal.org/project/role_delay is an interesting approach. It allows you to slowly give users more permissions over time.
For example, a brand new user might not be able to post comments or forum posts. Over time they can automatically be moved into Drupal user roles with more permissions.
#10. Warning message
https://drupal.org/project/warning made me smile. Instead of providing a sophisticated technical solution, the Warning module simple tells your users that you won't tolerate spam.
