We recently evaluated Drupal Guardr: a Drupal distribution comprising a combination of modules and settings to enhance a Drupal application’s security and availability to meet enterprise security requirements. While the distribution is a good place to start when building a new Drupal 8 site with security in mind, you or your developer can still add the various modules, components and settings to increase the level of security on your existing Drupal 8 site.
This module allows a site administrator to configure a specified time of inactivity after which a user is logged out.
This module adds a new table which stores information about individual user logins, including a timestamp, IP address, user agent information, and whether or not the login was via a reset password link.
This module improves the security options in the login operation of a Drupal site. A site administrator may protect and restrict access by adding access control features to the login forms, such as limiting the number of invalid login attempts before blocking accounts and denying access by IP address, either temporarily or permanently.
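The login record and the failure thresholds described in the two paragraphs above can be modelled together. The following is an added example, not code from Guardr, Login History or Login Security: it stores the fields a login-history row carries (timestamp, IP address, user agent, whether the login came via a reset link) and applies a per-account and a per-IP failed-attempt limit over a trailing window. The threshold values, the window and the sample events are constructed for this example.

```python
"""Login-history records and failed-attempt lockout (added example, not module code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    timestamp: datetime
    username: str
    ip: str
    user_agent: str
    success: bool
    via_reset_link: bool = False


# Assumed policy values; Login Security makes these configurable.
MAX_FAILED_PER_ACCOUNT = 5
MAX_FAILED_PER_IP = 10
WINDOW = timedelta(hours=1)


def failed_in_window(events, now, *, username=None, ip=None):
    """Count failed logins in the trailing WINDOW, optionally filtered by account and/or IP."""
    since = now - WINDOW
    return sum(
        1 for e in events
        if not e.success
        and since <= e.timestamp <= now
        and (username is None or e.username == username)
        and (ip is None or e.ip == ip)
    )


def should_block(events, now, username, ip):
    """Decide whether a new attempt for `username` from `ip` should be refused.

    Returns (blocked, reason). The IP rule is checked first because it also
    shields accounts that have not been targeted yet.
    """
    if failed_in_window(events, now, ip=ip) >= MAX_FAILED_PER_IP:
        return True, f"ip {ip} reached {MAX_FAILED_PER_IP} failures in the last hour"
    if failed_in_window(events, now, username=username) >= MAX_FAILED_PER_ACCOUNT:
        return True, f"account {username} reached {MAX_FAILED_PER_ACCOUNT} failures in the last hour"
    return False, ""


def reset_link_logins(events):
    """Usernames whose successful login came through a password-reset link."""
    return sorted({e.username for e in events if e.success and e.via_reset_link})


# Constructed sample history; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE_EVENTS = (
    # one stale failure, three hours old, outside the window
    [LoginEvent(T0 - timedelta(hours=3), "alice", "203.0.113.5", "Mozilla/5.0", False)]
    # five failures against alice from one address
    + [LoginEvent(T0 + timedelta(minutes=m), "alice", "203.0.113.5", "Mozilla/5.0", False)
       for m in range(1, 6)]
    # five more against bob from the same address: ten failures from that IP in total
    + [LoginEvent(T0 + timedelta(minutes=m), "bob", "203.0.113.5", "curl/8.0", False)
       for m in range(6, 11)]
    # an unrelated successful login via a reset link
    + [LoginEvent(T0 + timedelta(minutes=12), "dave", "198.51.100.7", "Mozilla/5.0", True,
                  via_reset_link=True)]
)
NOW = T0 + timedelta(minutes=15)

if __name__ == "__main__":
    for user, ip in [("alice", "203.0.113.5"), ("carol", "203.0.113.5"), ("carol", "198.51.100.7")]:
        print(user, ip, should_block(SAMPLE_EVENTS, NOW, user, ip))
    print("reset-link logins:", reset_link_logins(SAMPLE_EVENTS))
```

Note that carol, who has never failed a login, is still refused from 203.0.113.5 once that address has reached the IP threshold; this is the behaviour a per-IP rule adds over a per-account one.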
This module allows site administrators to reset all user accounts and optionally notify all users by email using the Drupal password recovery email. This can be useful when you have a large number of user accounts pre-created and want to send password recovery emails to all users during a site launch, or if you need to quickly change all passwords on a site for security reasons.
This module provides a way to enforce restrictions on user passwords by defining password policies. A password policy can be defined with a set of constraints which must be met before a user password change will be accepted. Each constraint has a parameter allowing for the minimum number of valid conditions which must be met before the constraint is satisfied. Constraints are things like character types, inclusion of digits/letters etc.
The module also implements a password expiration feature. The user is forced to change their password and is optionally blocked when their old password expires.
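To make the constraint model concrete, here is an added example that is not Password Policy module code: each constraint carries a list of conditions and the minimum number of them that must hold, which is the per-constraint parameter described above, and a separate check implements the expiry rule. The policy itself (12 characters, 3 of 4 character classes, no triple repeats) and the 90-day maximum age are assumptions chosen for illustration.

```python
"""Password-policy constraints with a per-constraint minimum, plus expiry (added example)."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Callable, List


@dataclass
class Constraint:
    name: str
    conditions: List[Callable[[str], bool]]
    minimum: int  # how many of `conditions` must be true for the constraint to pass


def constraint_satisfied(password: str, c: Constraint) -> bool:
    met = sum(1 for cond in c.conditions if cond(password))
    return met >= c.minimum


def evaluate_policy(password: str, policy: List[Constraint]) -> List[str]:
    """Return the names of the constraints the password fails (an empty list means accepted)."""
    return [c.name for c in policy if not constraint_satisfied(password, c)]


def has_lower(p: str) -> bool: return any(ch.islower() for ch in p)
def has_upper(p: str) -> bool: return any(ch.isupper() for ch in p)
def has_digit(p: str) -> bool: return any(ch.isdigit() for ch in p)
def has_symbol(p: str) -> bool: return any(not ch.isalnum() and not ch.isspace() for ch in p)


# Assumed policy for this example.
POLICY = [
    Constraint("minimum length 12", [lambda p: len(p) >= 12], minimum=1),
    # the "minimum number of valid conditions" parameter at work: 3 of the 4 classes suffice
    Constraint("at least 3 of 4 character classes",
               [has_lower, has_upper, has_digit, has_symbol], minimum=3),
    Constraint("no character repeated 3 times in a row",
               [lambda p: re.search(r"(.)\1\1", p) is None], minimum=1),
]

MAX_PASSWORD_AGE_DAYS = 90  # assumed expiry period


def password_expired(last_changed: date, today: date,
                     max_age_days: int = MAX_PASSWORD_AGE_DAYS) -> bool:
    """True once the password is older than the allowed age; the user would then be forced to change it."""
    return (today - last_changed).days > max_age_days


if __name__ == "__main__":
    for pw in ["correct horse", "Tr0ub4dor&3xtra", "aaaBBB111!!!"]:
        print(repr(pw), evaluate_policy(pw, POLICY) or "accepted")
    print("expired:", password_expired(date(2024, 1, 1), date(2024, 4, 1)))
```

Returning the list of failed constraint names rather than a bare boolean is what lets the form tell the user which rule they missed without revealing anything else about the policy engine.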
This module enables the redirection of any Access Denied (403) error pages to the user login page with an optional message. Once the user logs in, they are taken to the URL they were originally trying to visit.
7. Security Kit
This module includes various security-hardening options. This lets you mitigate the risks of exploitation of different web application vulnerabilities, such as Cross-site Scripting, Cross-site Request Forgery and Clickjacking attacks.
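The three attack classes named above map to response headers and a request check, and it is worth being able to verify them on a captured response. The following is an added example, not Security Kit code: `audit_response_headers` reports which mitigations are missing (a Content-Security-Policy for XSS, `frame-ancestors` or X-Frame-Options for clickjacking, `nosniff` against MIME sniffing), and `csrf_origin_ok` is a simplified Origin/Referer check for state-changing requests of the kind the module's CSRF option performs. The allowed origin and both sample responses are constructed.

```python
"""Audit of header-based and Origin-based protections (added example, not Security Kit code)."""
from typing import Dict, List, Set

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # do not change state, so no Origin check needed


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def audit_response_headers(headers: Dict[str, str]) -> List[str]:
    """Return the protections missing from a response; an empty list means all three are present."""
    h = _lower(headers)
    findings = []
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("no Content-Security-Policy header (XSS mitigation)")
    framing_ok = ("frame-ancestors" in csp
                  or h.get("x-frame-options", "").upper() in {"DENY", "SAMEORIGIN"})
    if not framing_ok:
        findings.append("no frame-ancestors directive or X-Frame-Options (clickjacking)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("no X-Content-Type-Options: nosniff (MIME sniffing)")
    return findings


def csrf_origin_ok(method: str, headers: Dict[str, str], allowed_origins: Set[str]) -> bool:
    """Accept a state-changing request only if Origin (or, failing that, Referer) names our site."""
    if method.upper() in SAFE_METHODS:
        return True
    h = _lower(headers)
    origin = h.get("origin")
    if origin:
        return origin in allowed_origins
    referer = h.get("referer", "")
    # Fall back to an exact scheme://host prefix match on Referer; refuse when neither header is present.
    return any(referer == o or referer.startswith(o + "/") for o in allowed_origins)


# Constructed samples.
SITE = {"https://www.example.org"}
WEAK_RESPONSE = {"Content-Type": "text/html", "X-Powered-By": "PHP/7.4"}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    print("weak:", audit_response_headers(WEAK_RESPONSE))
    print("hardened:", audit_response_headers(HARDENED_RESPONSE))
    print("cross-site POST accepted?", csrf_origin_ok("POST", {"Origin": "https://evil.example"}, SITE))
```

The Referer fallback matches on `origin + "/"` rather than a bare prefix so that `https://www.example.org.evil.example/` is not mistaken for the site.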
This module allows site administrators to limit the number of simultaneous sessions per user, with the maximum being configurable. By default, Drupal creates a separate session for each browser a user logs in from. When a user exceeds the maximum, the module forces them to log out of the extra sessions.
Username enumeration is a technique used by malicious actors to identify valid usernames on a web application, which can then be used in other attacks such as credential stuffing. This module aims to mitigate common ways for anonymous users to identify valid usernames on a Drupal site. It does this, for example, by warning on the admin status report if the site configuration could expose usernames, and by preventing the password reset form from displaying messages that reveal whether a username exists.
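The password-reset leak is easiest to see as two handlers side by side. This is an added example, not Username Enumeration Prevention code: the leaky handler answers differently for known and unknown names, which is the behaviour the module suppresses, while the hardened one still queues the e-mail for a real account but returns the same message either way. The account list is constructed; the message wording is modelled on Drupal core's.

```python
"""Password-reset responses with and without an account-existence leak (added example)."""
from typing import Callable, List, Tuple

KNOWN_ACCOUNTS = {"alice", "bob"}  # constructed
SENT_MSG = "Further instructions have been sent to your email address."


def request_reset_leaky(name: str, outbox: List[str]) -> str:
    """Vulnerable: the response text tells an anonymous caller whether `name` exists."""
    if name in KNOWN_ACCOUNTS:
        outbox.append(name)
        return SENT_MSG
    return f"{name} is not recognized as a username or an email address."


def request_reset_hardened(name: str, outbox: List[str]) -> str:
    """Hardened: the e-mail is still sent for real accounts, but the reply is identical for all."""
    if name in KNOWN_ACCOUNTS:
        outbox.append(name)
    return SENT_MSG


def distinguishes_accounts(handler: Callable[[str, List[str]], str],
                           known: str, unknown: str) -> Tuple[bool, List[str]]:
    """Return whether the handler's reply differs between a real and a fake account, plus what it sent."""
    outbox: List[str] = []
    return handler(known, outbox) != handler(unknown, outbox), outbox


if __name__ == "__main__":
    for h in (request_reset_leaky, request_reset_hardened):
        leaks, sent = distinguishes_accounts(h, "alice", "mallory")
        print(h.__name__, "leaks:", leaks, "sent to:", sent)
```

Both handlers send exactly one e-mail (to alice); only the hardened one gives the caller no way to tell alice from mallory. The same idea applies to the login form's error text and to any place where a response, status code or redirect differs by account existence.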
The Guardr Core module also makes a few configuration changes that you may want to consider:
- Disable the personal contact form - this is enabled by default and often not required.
- Unless your user registration model requires otherwise, ensure only administrators can register new user accounts.
- Change the update manager settings to check for updates of uninstalled modules and themes - you may end up re-enabling them at a later date.
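These three settings are plain configuration values, so they can be checked on an existing site rather than applied blindly. The following is an added example, not Guardr code: it audits exported Drupal configuration, keyed the way the `config/sync/*.yml` files are, against the three recommendations in the list above. The config object names and keys (`contact.settings` / `user_default_enabled`, `user.settings` / `register`, `update.settings` / `check.disabled_extensions`) are Drupal core's; the two sample configurations are constructed to show a default install beside a hardened one.

```python
"""Audit of the three Guardr Core configuration changes (added example, not Guardr code)."""
from typing import Any, Dict, List, Tuple

# (config object, key path inside it, expected value, what it means when the value differs)
EXPECTED: List[Tuple[str, Tuple[str, ...], Any, str]] = [
    ("contact.settings", ("user_default_enabled",), False,
     "personal contact form is enabled for new users"),
    ("user.settings", ("register",), "admin_only",
     "visitors can create accounts; only administrators should"),
    ("update.settings", ("check", "disabled_extensions"), True,
     "update checks skip uninstalled modules and themes"),
]


def _lookup(config: Dict[str, Any], name: str, path: Tuple[str, ...]) -> Any:
    """Walk `path` inside config object `name`; None if any key is absent."""
    node: Any = config.get(name, {})
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def audit_config(config: Dict[str, Any]) -> List[str]:
    """Return one finding per recommended setting that is missing or has another value."""
    findings = []
    for name, path, expected, why in EXPECTED:
        actual = _lookup(config, name, path)
        if actual != expected:
            findings.append(f"{name}:{'.'.join(path)} is {actual!r}, expected {expected!r} ({why})")
    return findings


# Constructed samples: the values of a standard install beside the hardened ones.
DEFAULT_INSTALL = {
    "contact.settings": {"user_default_enabled": True},
    "user.settings": {"register": "visitors_admin_approval"},
    "update.settings": {"check": {"disabled_extensions": False}},
}
HARDENED = {
    "contact.settings": {"user_default_enabled": False},
    "user.settings": {"register": "admin_only"},
    "update.settings": {"check": {"disabled_extensions": True}},
}

if __name__ == "__main__":
    for label, cfg in [("default", DEFAULT_INSTALL), ("hardened", HARDENED)]:
        print(label, audit_config(cfg) or "ok")
```

On a live site the same values can be read with `drush config:get user.settings register` (and likewise for the other two objects), or taken from the YAML in the configuration sync directory and parsed into the dictionary shape used here.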