
Our 7 favorite modules to improve Drupal 8 security

Published on 08 July 2019
A highly subjective list, but one tested in real conditions, to further harden Drupal's security and make your life easier!

Rename Admin Path

Rename Admin Path allows you, as its name suggests, to change the default administrative URL as well as user account URLs (/user) as you wish.


Why is this module useful?

To deter clever individuals who know the default administration URLs of the most widely used CMSs from attempting attacks such as brute force. This module does not add any specific protection against that type of attack; simply changing the default URL, however, greatly limits these attempts.

It is especially useful against bots that create accounts en masse on sites where registration is open.

Password Policy

This module lets you customize the site's password policy.

For example, if you require a capital letter, a number, and a special character, no user can create a password unless they follow the specified requirements.

By making passwords more complex, you increase the time a dictionary attack or any other so-called brute force technique needs to succeed.

It is also essential for following a DPO's recommendations within the framework of the GDPR.
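To make the "time to success" argument concrete, here is an added example (not the Password Policy module's own code) that enforces the three rules named above plus a minimum length, then estimates the search space an exhaustive attacker faces from the character classes actually used. The policy values, the 32-symbol special-character set and the guess rate are assumptions chosen for illustration.

```python
import math
import re
import string

# Constructed example policy: the three rules the article mentions plus a minimum length.
# These are illustrative values, not the Password Policy module's defaults.
POLICY = {
    "min_length": 12,
    "require_upper": True,
    "require_digit": True,
    "require_special": True,
}


def check_password(password, policy=POLICY):
    """Return the list of rules the password violates; an empty list means it is accepted."""
    failures = []
    if len(password) < policy["min_length"]:
        failures.append(f"at least {policy['min_length']} characters")
    if policy["require_upper"] and not re.search(r"[A-Z]", password):
        failures.append("at least one capital letter")
    if policy["require_digit"] and not re.search(r"[0-9]", password):
        failures.append("at least one digit")
    if policy["require_special"] and not re.search(r"[^A-Za-z0-9]", password):
        failures.append("at least one special character")
    return failures


def keyspace_bits(password):
    """Size, in bits, of the space an exhaustive attacker must search, judged from the
    character classes the password actually uses (lowercase, uppercase, digits, symbols)."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", password):
        alphabet += len(string.punctuation)  # 32 printable ASCII symbols
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def brute_force_years(password, guesses_per_second=1e10):
    """Worst-case time to exhaust the keyspace at an assumed guess rate. The default of
    10^10 guesses/s is a constructed figure for offline hash cracking, not a measurement."""
    seconds = 2 ** keyspace_bits(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    for candidate in ("password", "abcdefgh", "Sunflower-2019!"):
        print(candidate, check_password(candidate) or "accepted",
              f"{keyspace_bits(candidate):.1f} bits",
              f"{brute_force_years(candidate):.2e} years")
```

The estimate is deliberately pessimistic for the attacker: a real dictionary attack tries likely passwords first, which is exactly why the module also lets you forbid common words, not only enforce character classes.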

Login Security

This module improves security during the login process to your Drupal site.

Once the module is enabled, an administrator can limit the number of invalid login attempts before an account is blocked, or deny access by IP address, either temporarily or permanently.

Optionally, Login Security can alter the Drupal Core login error messages and limit how much of the reason for a login failure is revealed. This makes it harder for an attacker to determine whether a given account exists.

Finally, this module can interface with the Nagios system to alert your system administrators in case of repeated attacks.
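The following added example (not the Login Security module's own code) models the behaviour described in this section: invalid attempts are counted per account and per IP address inside a sliding window, an account is locked after too many failures, an IP is blocked temporarily and then permanently, every failure path returns the same generic message so account existence is not leaked, and an alert record is produced once an IP crosses a threshold, which is what would be handed to a monitoring system such as Nagios. All thresholds are illustrative values, not the module's defaults.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Constructed model of failed-login throttling. Thresholds are example settings."""

    # One message for every failure path, so a caller cannot distinguish "no such
    # account", "wrong password", "account locked" and "IP blocked".
    GENERIC_ERROR = "Sorry, unrecognized username or password."

    def __init__(self, max_account_failures=5, max_ip_failures=20, window_seconds=3600,
                 ip_block_seconds=900, permanent_ip_failures=100, alert_threshold=50):
        self.max_account_failures = max_account_failures
        self.max_ip_failures = max_ip_failures
        self.window_seconds = window_seconds
        self.ip_block_seconds = ip_block_seconds
        self.permanent_ip_failures = permanent_ip_failures
        self.alert_threshold = alert_threshold
        self.account_failures = defaultdict(deque)  # username -> failure timestamps in window
        self.ip_failures = defaultdict(deque)       # ip -> failure timestamps in window
        self.ip_total = defaultdict(int)            # ip -> lifetime failures
        self.ip_blocked_until = {}                  # ip -> unblock time; inf means permanent
        self.locked_accounts = set()
        self.alerts = []                            # records a monitoring hook would consume

    def _prune(self, timestamps, now):
        """Drop failures that have aged out of the sliding window."""
        while timestamps and timestamps[0] <= now - self.window_seconds:
            timestamps.popleft()

    def attempt(self, username, ip, credentials_ok, now):
        """Process one login attempt and return (allowed, error_message)."""
        if self.ip_blocked_until.get(ip, 0) > now:
            return False, self.GENERIC_ERROR
        if username in self.locked_accounts:
            return False, self.GENERIC_ERROR
        if credentials_ok:
            return True, None

        # Record the failure against both the account and the source address.
        self.account_failures[username].append(now)
        self.ip_failures[ip].append(now)
        self.ip_total[ip] += 1
        self._prune(self.account_failures[username], now)
        self._prune(self.ip_failures[ip], now)

        if len(self.account_failures[username]) >= self.max_account_failures:
            self.locked_accounts.add(username)
        if self.ip_total[ip] >= self.permanent_ip_failures:
            self.ip_blocked_until[ip] = float("inf")
        elif len(self.ip_failures[ip]) >= self.max_ip_failures:
            self.ip_blocked_until[ip] = now + self.ip_block_seconds
        if self.ip_total[ip] == self.alert_threshold:
            self.alerts.append(f"{ip}: {self.alert_threshold} failed logins, possible brute force")
        return False, self.GENERIC_ERROR

    def unlock_account(self, username):
        """Administrative unlock: clears the lock and the failure history for the account."""
        self.locked_accounts.discard(username)
        self.account_failures.pop(username, None)
```

Note that a locked account is refused even when the correct password is presented, and that the refusal looks identical to a wrong guess; unlocking is an explicit administrative action. Counting by both account and IP matters because a distributed attack spreads guesses over many addresses while a spray attack spreads them over many accounts.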

Autologout

Considered an important security module, Autologout lets you define the session expiration time for any user. It gives the site administrator the ability to log users out after a specified period of inactivity, to keep your data secure.

Additionally, it's highly customizable and allows the administrator to set up and disable session expiration for different user roles. It includes a JS mechanism to keep users logged in even if they're working on a form for an extended period.

Security Kit

SecKit provides Drupal with various options to strengthen security.

It lets you mitigate the risk of common web application vulnerabilities being exploited, and harden the transport layer:

  • Cross-site Scripting
  • Cross-site Request Forgery
  • Clickjacking
  • SSL/TLS

A great foundation!

Session Limit

Session Limit allows administrators to restrict the number of simultaneous sessions per user. Once a user exceeds the number of sessions set by the administrator, the module prompts them to log out of the extra sessions. A session is counted for each browser from which the user signs in.
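Autologout and Session Limit both act on the session table, so one added example (not the code of either module) covers both: sessions carry a per-role idle timeout that can be disabled for a role, each request "touches" the session and expires it if it has been idle too long, and opening more sessions than the configured maximum reports the oldest ones as the excess the user must log out of. Role names, timeouts and the maximum of two sessions are assumptions for illustration.

```python
import itertools


class SessionManager:
    """Constructed model of per-role idle expiry plus a cap on concurrent sessions per user."""

    def __init__(self, idle_timeout_by_role, default_idle_timeout=1800, max_sessions_per_user=2):
        self.idle_timeout_by_role = dict(idle_timeout_by_role)  # role -> seconds; None disables expiry
        self.default_idle_timeout = default_idle_timeout
        self.max_sessions_per_user = max_sessions_per_user
        self.sessions = {}                                      # sid -> {"user", "role", "last_seen"}
        self._ids = itertools.count(1)

    def sessions_for(self, user):
        """Session ids of a user, oldest first (ids are issued in increasing order)."""
        return sorted(sid for sid, s in self.sessions.items() if s["user"] == user)

    def login(self, user, role, now):
        """Open a session and return (sid, excess_sids): the oldest sessions beyond the
        per-user maximum, which the user is prompted to close."""
        sid = next(self._ids)
        self.sessions[sid] = {"user": user, "role": role, "last_seen": now}
        user_sids = self.sessions_for(user)
        over = len(user_sids) - self.max_sessions_per_user
        excess = user_sids[:over] if over > 0 else []
        return sid, excess

    def logout(self, sid):
        self.sessions.pop(sid, None)

    def touch(self, sid, now):
        """Called on every request (and by a keep-alive while a long form is being edited).
        Returns True if the session is still valid, False if it had expired and was removed."""
        s = self.sessions.get(sid)
        if s is None:
            return False
        timeout = self.idle_timeout_by_role.get(s["role"], self.default_idle_timeout)
        if timeout is not None and now - s["last_seen"] > timeout:
            del self.sessions[sid]
            return False
        s["last_seen"] = now
        return True

    def reap_expired(self, now):
        """Server-side sweep so idle sessions die even if the browser never returns."""
        expired = [sid for sid in list(self.sessions) if not self.touch(sid, now)]
        return expired
```

The keep-alive mentioned above is simply a periodic call to `touch` from the page while the user is editing; the server-side sweep is what protects a session left open in a browser that never sends another request. Note that `reap_expired` updates `last_seen` on the sessions it keeps, so it should only be run by a process that does not count as user activity, or be given a non-updating variant in a real deployment.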

HoneyPot

This is a spam detection module that uses hidden form fields to trap spambots posting on your Drupal site.

The best alternative to captchas in our view is the HoneyPot module.

When properly configured, spambots fill in form fields that are invisible to (human) users, and their submissions are rejected.

Its main advantage is that it does not require any complicated actions from the user and, nonetheless, remains effective!

Furthermore, it doesn't rely on Google...
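As an added example of the mechanism described in this section (not the Honeypot module's own code), the block below injects two extra fields into a form: a trap field that stays hidden from humans and must remain empty, and a render timestamp bound to an HMAC so the client cannot backdate it. A submission is rejected if the trap is filled, if the timestamp is missing or tampered with, or if the form comes back faster than a person could fill it. The field names, the five-second minimum and the secret are constructed for illustration.

```python
import hashlib
import hmac

# Constructed names and settings; the real module's field names and defaults may differ.
HONEYPOT_FIELD = "homepage"            # trap field, hidden from humans with CSS, expected to stay empty
TIME_FIELD = "form_build_time"         # carries a signed "when was this form rendered" token
MIN_FILL_SECONDS = 5                   # a human needs at least this long to fill the form
SECRET = b"constructed-example-site-secret"  # per-site key; assumed to come from site configuration


def make_time_token(rendered_at, secret=SECRET):
    """Bind the render timestamp to a MAC so the client cannot forge an older one."""
    ts = str(int(rendered_at))
    sig = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}|{sig}"


def read_time_token(token, secret=SECRET):
    """Return the embedded timestamp, or None if the token is missing, malformed or tampered."""
    if not isinstance(token, str) or "|" not in token:
        return None
    ts, sig = token.split("|", 1)
    if not ts.isdigit():
        return None
    expected = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return int(ts)


def render_form_fields(now):
    """Extra fields the server injects when it serves the form."""
    return {HONEYPOT_FIELD: "", TIME_FIELD: make_time_token(now)}


def validate_submission(form_data, now):
    """Return None if the submission passes, otherwise the reason it is rejected."""
    if form_data.get(HONEYPOT_FIELD, "") != "":
        return "honeypot field filled"
    rendered_at = read_time_token(form_data.get(TIME_FIELD))
    if rendered_at is None:
        return "missing or tampered time token"
    if now - rendered_at < MIN_FILL_SECONDS:
        return "form submitted too quickly"
    return None


if __name__ == "__main__":
    served = render_form_fields(1000)
    human = dict(served, name="Ann", message="Hello")
    bot = dict(human, **{HONEYPOT_FIELD: "http://example.invalid"})
    print("human:", validate_submission(human, 1012))
    print("bot:", validate_submission(bot, 1012))
```

The human user never sees the trap field, so nothing is asked of them, which is the advantage the section above points out; the time check catches bots that are smart enough to leave hidden fields alone but still submit the form instantly.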

@lcoullet
