Top tips: How to protect your Drupal website

Post by Mike C Picture of Mike C
Reading time 3 mins clock

The extraordinary scale of the WannaCry ransomware infection has acted as a dramatic warning to organisations in all sectors. With thousands of organisations worldwide – including a significant proportion of the NHS – falling victim to the ransomware, it’s a timely reminder of the importance of robust cybersecurity.


Your organisation’s website is potentially one of the biggest parts of your overall ‘attack surface’, which cybercriminals will probe for a route into your network. As such, it is vital to implement solid tools and processes specifically designed to protect it against attack – and those tools and processes should be tailored to the content management system underpinning your site.

So, if your site is built on Drupal, what are the best practices you should be following?

1. Upgrade to the latest version of Drupal

The WannaCry attack has proliferated so dramatically because it relies on an exploit in an old version of Windows – one that Microsoft is no longer supporting. It is usual commercial practice for vendors and manufacturers to gradually withdraw support from older hardware and software – this is the case with Drupal, as with Microsoft. If you have not yet migrated to the latest version – Drupal 8 – that should be your first priority.

2. Upgrade to the latest version of modules

Drupal is a modular CMS, with thousands of options available to extend your basic system. As such, it is not enough to simply ensure you’re running the latest, best-protected version of Drupal – you need to make sure you’re doing the same with each individual module. The author of each extension is responsible for providing appropriate security upgrades and patches, but these will generally only apply to the latest version of the module. If you’re running an old one, you’re not protected.

3. Remove unnecessary modules

By the same token, running modules on your site that you no longer need is simply increasing your potential attack surface – and your security management burden. Implement a process to ensure that you are continually reviewing all of the modules you have added, and get rid of the surplus.

4. Use the Status Report tool

The Status Report functions sits within your Drupal Admin area. Its job is to alert you to any issues with the code base underpinning your site – which includes out of date modules and code. It is the easiest way to keep on top of your website management and ensure that you are deploying the latest versions of everything. Don’t forget to enable your core update manager module so that you get regular notifications.

5. Practice strong user management

As the old saying goes, people are the weakest link in any security chain. Keeping a tight handle on the people who actually use your website can dramatically shore up your overall security posture. Undertake a regular check to ensure that you are removing inactive users such as those who have left the organisation, and ensure that those who remain only have access to the minimum areas of the site they need to, not the whole site by default.

Various functions are available within Drupal to shore up login and user processes, such as the Login Security module, which restricts unauthorised access attempts, and blocking the ‘user #1’ account that is created during setup, which automatically has all permissions in place.

6. Monitor your logs

Drupal’s integrated log viewer, within the reports area, is an extremely valuable tool when it comes to ascertaining that a cyberattack is taking place and assessing what has actually happened. Make sure you check your log reports regularly, and are alert to early warning signs such as failed login attempts.

7. Enable HTTPS

HTTPS is most commonly used for ecommerce sites and online banking, but any site that transfers sensitive information between user and web server should also be using it.

These seven best practices will have a dramatic effect on the overall security of your Drupal website, and ensure you can continue benefitting from the flexibility of the platform without sacrificing protection.

For all our clients who host with Ixis we've introduced a new additional service to provide a web application firewall (WAF) and intrusion prevention system (IPS) which we're encouraging to be used on all websites. Set-up to straight forward and provides a weekly report for each of your sites.


To find out more about the system and cost for your sites get in touch with the sales team.


Mike C

Managing Director

17 years of Drupal development wrangling and a background in digital project architecture.

Add new comment

Share this article

Sign up to our newsletter!

Our thoughts

Let's work together

Get in touch and find out how we can empower your organisation.
Back to top