10 Enterprise Level Security Features Every Drupal 8 Site Should Consider

Post by Paul B
Reading time 3 mins

We recently evaluated Drupal Guardr: a Drupal distribution comprising a combination of modules and settings to enhance a Drupal application’s security and availability to meet enterprise security requirements. While the distribution is a good place to start when building a new Drupal 8 site with security in mind, you or your developer can still add the various modules, components and settings to increase the level of security on your existing Drupal 8 site.

Looking for how to secure your WordPress site?

Check out these steps on our other blog: 5 Security Features Every WordPress Site Should Consider.

1. Automated Logout

This module allows a site administrator to configure a specified time of inactivity after which a user is logged out.

2. Login History

This module adds a new table which stores information about individual user logins, including a timestamp, IP address, user agent information, and whether or not the login was via a reset password link.

3. Login Security

This module improves the security options of the login operation on a Drupal site. A site administrator can protect and restrict access by adding access control features to the login forms, such as limiting the number of invalid login attempts before an account is blocked, and denying access by IP address (temporarily or permanently).
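To make the two controls concrete, here is an added example of the logic behind them; it is not the Login Security module's own code. It keeps failure timestamps in memory (a real site would use the database), and the class name, method names and thresholds are assumptions chosen for illustration.

```php
<?php
// Added example (not the Login Security module's code): track failed logins
// per account and per IP address, block an account after a few failures,
// deny an address temporarily after many, and permanently after a flood.

final class LoginAttemptGuard
{
    /** @var array<string, int[]> failure timestamps keyed by username */
    private array $accountFailures = [];
    /** @var array<string, int[]> failure timestamps keyed by IP address */
    private array $ipFailures = [];
    /** @var array<string, true> IPs that have been denied permanently */
    private array $deniedIps = [];

    public function __construct(
        private int $maxAccountFailures = 5,     // assumed thresholds
        private int $maxIpFailures = 20,
        private int $permanentIpThreshold = 100,
        private int $windowSeconds = 3600,
    ) {}

    public function recordFailure(string $username, string $ip, int $now): void
    {
        $this->accountFailures[$username][] = $now;
        $this->ipFailures[$ip][] = $now;
        // A flood of failures from one address earns it a permanent deny entry.
        if (count($this->recent($this->ipFailures[$ip], $now)) >= $this->permanentIpThreshold) {
            $this->deniedIps[$ip] = true;
        }
    }

    /** A successful login clears the account's failure history. */
    public function recordSuccess(string $username): void
    {
        unset($this->accountFailures[$username]);
    }

    /** Returns null when the attempt may proceed, otherwise the reason it is refused. */
    public function check(string $username, string $ip, int $now): ?string
    {
        if (isset($this->deniedIps[$ip])) {
            return 'ip_denied_permanently';
        }
        if (count($this->recent($this->ipFailures[$ip] ?? [], $now)) >= $this->maxIpFailures) {
            return 'ip_denied_temporarily';
        }
        if (count($this->recent($this->accountFailures[$username] ?? [], $now)) >= $this->maxAccountFailures) {
            return 'account_blocked';
        }
        return null;
    }

    /** Keep only failures that fall inside the sliding window. @param int[] $timestamps */
    private function recent(array $timestamps, int $now): array
    {
        return array_filter($timestamps, fn (int $t) => $now - $t < $this->windowSeconds);
    }
}

// Constructed walk-through: five wrong passwords for "alice" from one address.
$guard = new LoginAttemptGuard(maxAccountFailures: 5);
$t = 1_700_000_000;
for ($i = 0; $i < 5; $i++) {
    $guard->recordFailure('alice', '203.0.113.10', $t + $i);
}
var_dump($guard->check('alice', '203.0.113.10', $t + 5));          // account limit reached
var_dump($guard->check('bob', '203.0.113.10', $t + 5));            // same IP, different account, below IP limit
var_dump($guard->check('alice', '203.0.113.10', $t + 3600 + 10));  // window has expired
```

The per-account and per-IP counters are kept separate on purpose: a single address hammering many accounts never trips the account limit, and the IP limit is what catches it; a distributed attempt on one account never trips the IP limit, and the account block is what catches it.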

4. Mass Password Reset

This module allows site administrators to reset the passwords of all user accounts and optionally notify every user by email using the Drupal password recovery email. This is useful when you have pre-created a large number of user accounts and want to send password recovery emails to all of them at a site launch, or when you need to change every password on a site quickly for security reasons.

5. Password Policy

This module provides a way to enforce restrictions on user passwords by defining password policies. A password policy is defined as a set of constraints that must all be met before a password change is accepted. Each constraint has a parameter giving the minimum number of its conditions that must hold for the constraint to be satisfied. Constraints cover things such as the character types a password must contain (digits, letters and so on).

The module also implements a password expiration feature. The user is forced to change their password and is optionally blocked when their old password expires.
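The following is an added example of how such a policy can be modelled; it is not the Password Policy module's own code. It shows a constraint whose parameter is the minimum number of satisfied conditions (character types here), a policy that collects every unmet constraint, and the expiration check. Class names, messages and the 90-day lifetime are assumptions for the illustration.

```php
<?php
// Added example (not the Password Policy module's code): a policy is a list
// of constraints; each reports why it is unmet, and one of them requires a
// minimum number of its conditions (character classes) to be satisfied.

interface PasswordConstraint
{
    /** Returns null when satisfied, otherwise a human-readable reason. */
    public function validate(string $password): ?string;
}

final class MinimumLength implements PasswordConstraint
{
    public function __construct(private int $min) {}

    public function validate(string $password): ?string
    {
        return mb_strlen($password) >= $this->min ? null : "at least {$this->min} characters";
    }
}

/** Character-type constraint: at least $minTypes of the listed classes must appear. */
final class CharacterTypes implements PasswordConstraint
{
    private const CLASSES = [
        'lowercase letter' => '/\p{Ll}/u',
        'uppercase letter' => '/\p{Lu}/u',
        'digit'            => '/\p{Nd}/u',
        'symbol'           => '/[^\p{L}\p{Nd}]/u',
    ];

    public function __construct(private int $minTypes) {}

    public function validate(string $password): ?string
    {
        $present = 0;
        foreach (self::CLASSES as $pattern) {
            if (preg_match($pattern, $password) === 1) {
                $present++;
            }
        }
        return $present >= $this->minTypes
            ? null
            : "characters from at least {$this->minTypes} of: " . implode(', ', array_keys(self::CLASSES));
    }
}

/** Reject passwords that contain the account's username (case-insensitive). */
final class NotContainingUsername implements PasswordConstraint
{
    public function __construct(private string $username) {}

    public function validate(string $password): ?string
    {
        return stripos($password, $this->username) === false ? null : 'must not contain the username';
    }
}

final class PasswordPolicy
{
    /** @param PasswordConstraint[] $constraints */
    public function __construct(private array $constraints, private int $maxAgeDays) {}

    /** @return string[] every unmet constraint; an empty list means the change is accepted */
    public function check(string $password): array
    {
        $failures = [];
        foreach ($this->constraints as $constraint) {
            if (($reason = $constraint->validate($password)) !== null) {
                $failures[] = $reason;
            }
        }
        return $failures;
    }

    /** Expiration: true once the password is older than the policy allows. */
    public function isExpired(int $lastChangedAt, int $now): bool
    {
        return ($now - $lastChangedAt) > $this->maxAgeDays * 86400;
    }
}

// Constructed policy and candidate passwords.
$policy = new PasswordPolicy([
    new MinimumLength(12),
    new CharacterTypes(3),
    new NotContainingUsername('alice'),
], maxAgeDays: 90);

foreach (['alice2024', 'correct horse battery', 'Tr0ub4dor&3 staple!'] as $candidate) {
    $failures = $policy->check($candidate);
    printf("%-25s %s\n", $candidate, $failures ? 'rejected: ' . implode('; ', $failures) : 'accepted');
}

// Expiration against a constructed "last changed" time 100 days in the past.
$now = time();
var_dump($policy->isExpired($now - 100 * 86400, $now));
```

Reporting every unmet constraint at once, rather than stopping at the first, is what lets the user fix the password in a single attempt; the expiration check is the hook at which a site would force a change or block the account, as the paragraph above describes.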

6. Redirect 403 to User Login

This module enables the redirection of any Access Denied (403) error pages to the user login page with an optional message. Once the user logs in, they are taken to the URL they were originally trying to visit.

7. Security Kit

This module includes various security-hardening options. This lets you mitigate the risks of exploitation of different web application vulnerabilities, such as Cross-site Scripting, Cross-site Request Forgery and Clickjacking attacks.

8. Security Review

This module automates testing for many of the easy-to-make mistakes that render a site insecure, such as unsafe file system permissions, text formats that allow dangerous tags, PHP or JavaScript in content, verbose error reporting and insecure private files, among many others. The module does not change your site automatically; instead it provides a checklist that you can use to secure the site manually.

9. Session Limit

This module allows site administrators to limit the number of simultaneous sessions per user (the maximum number of sessions is configurable). By default, Drupal creates a separate session for each browser a user logs in from. This module forces the extra sessions to be logged out once the user exceeds the maximum.
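As an added example of the eviction rule, and not the Session Limit module's own code, the class below keeps each user's sessions with their last-activity time and logs out the least recently active ones when a new login pushes the user over the limit. It uses an in-memory store in place of Drupal's sessions table; the class and method names are assumptions.

```php
<?php
// Added example (not the Session Limit module's code): cap the number of
// concurrent sessions per user, evicting the least recently active first.

final class SessionLimiter
{
    /** @var array<int, array<string, int>> uid => [session id => last-activity timestamp] */
    private array $sessions = [];

    public function __construct(private int $maxSessions = 1) {}

    /**
     * Register a newly created session and return the ids of any sessions
     * that had to be logged out to stay within the limit, oldest first.
     *
     * @return string[]
     */
    public function open(int $uid, string $sessionId, int $now): array
    {
        $this->sessions[$uid][$sessionId] = $now;
        asort($this->sessions[$uid]);                 // least recently active first
        $evicted = [];
        while (count($this->sessions[$uid]) > $this->maxSessions) {
            $oldest = array_key_first($this->sessions[$uid]);
            unset($this->sessions[$uid][$oldest]);
            $evicted[] = $oldest;
        }
        return $evicted;
    }

    /** Record activity so a session that is in use is not the one evicted. */
    public function touch(int $uid, string $sessionId, int $now): void
    {
        if (isset($this->sessions[$uid][$sessionId])) {
            $this->sessions[$uid][$sessionId] = $now;
        }
    }

    /** A request whose session id is no longer present must be treated as logged out. */
    public function isActive(int $uid, string $sessionId): bool
    {
        return isset($this->sessions[$uid][$sessionId]);
    }

    /** @return string[] */
    public function activeSessions(int $uid): array
    {
        return array_keys($this->sessions[$uid] ?? []);
    }
}

// Constructed walk-through: user 42 may hold at most two sessions.
$limiter = new SessionLimiter(maxSessions: 2);
$t = 1_700_000_000;
$limiter->open(42, 'desktop-browser', $t);
$limiter->open(42, 'phone', $t + 60);
$limiter->touch(42, 'desktop-browser', $t + 120);    // the desktop session is used again
$evicted = $limiter->open(42, 'laptop', $t + 180);    // third session: the idle one must go
echo 'Logged out: ', implode(', ', $evicted), PHP_EOL;
echo 'Still active: ', implode(', ', $limiter->activeSessions(42)), PHP_EOL;
var_dump($limiter->isActive(42, 'phone'));
```

The eviction is only half of the control: the request pipeline must also consult `isActive()` (or the equivalent database check) on every request, otherwise a browser holding an evicted session id would keep working until its cookie expired.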

10. Username Enumeration Prevention

Username enumeration is a technique used by malicious actors to identify valid usernames on a web application, which can then be used in other attacks such as credential stuffing. This module aims to mitigate common ways of anonymous users identifying valid usernames on a Drupal site. It does this by (for example) providing warnings on the admin status report if the site configuration could expose usernames and preventing the password reset form from displaying messages which identify existing usernames.
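The following added example, which is not the Username Enumeration Prevention module's own code, places a leaky password-reset handler next to a uniform one so the difference in what an anonymous visitor can learn is visible. The user store, its two accounts and the message wording are constructed for the example.

```php
<?php
// Added example (not the Username Enumeration Prevention module's code):
// a password-reset handler that reveals whether an account exists, beside
// one whose response is identical either way.

final class UserStore
{
    /** @var array<string, string> username => email (constructed data) */
    private array $users = ['alice' => 'alice@example.org', 'bob' => 'bob@example.org'];

    /** Look an account up by username or email; null when there is none. */
    public function find(string $nameOrEmail): ?array
    {
        foreach ($this->users as $name => $email) {
            if (strcasecmp($nameOrEmail, $name) === 0 || strcasecmp($nameOrEmail, $email) === 0) {
                return ['name' => $name, 'email' => $email];
            }
        }
        return null;
    }
}

/** Leaky: the wording tells the visitor whether the account exists. */
function requestResetLeaky(UserStore $store, string $input, array &$outbox): string
{
    $user = $store->find($input);
    if ($user === null) {
        return 'That name is not recognized as a username or an email address.';
    }
    $outbox[] = $user['email'];          // stand-in for sending the recovery mail
    return 'Further instructions have been sent to your email address.';
}

/** Uniform: one message whether or not the account exists; only the send is conditional. */
function requestResetUniform(UserStore $store, string $input, array &$outbox): string
{
    $user = $store->find($input);
    if ($user !== null) {
        $outbox[] = $user['email'];
    }
    return 'If the account exists, further instructions have been sent to its email address.';
}

$store = new UserStore();
$outbox = [];
foreach (['alice', 'nobody'] as $input) {
    printf("leaky   %-7s -> %s\n", $input, requestResetLeaky($store, $input, $outbox));
    printf("uniform %-7s -> %s\n", $input, requestResetUniform($store, $input, $outbox));
}
// Only real accounts receive mail in both variants; what differs is what the page reveals.
echo 'Mails queued for: ', implode(', ', $outbox), PHP_EOL;
```

The same principle applies to the login form (one generic "unrecognized username or password" message) and to anything else that answers differently for existing and non-existing accounts, including HTTP status codes and noticeably different response times; the message text is just the most visible channel.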

The Guardr Core module also makes a few configuration changes that you may want to consider.

  • Disable the personal contact form - this is enabled by default and often not required.
  • Unless your user registration model requires otherwise, ensure only administrators can register new user accounts.
  • Change the update manager settings to check for updates of uninstalled modules and themes - you may end up re-enabling them at a later date.



Paul B

Development Manager

Manager of all things development related at Ixis. Looking after the clients from discovery time to delivery of complete web builds.
