The top 5 Drupal security modules


Drupal is a multi-faceted CMS. Originally designed as a collective blog, it has a wide variety of possible applications today: from the corporate website to the community portal, Drupal does it all!

It was designed in the 2000s by Dries Buytaert and has enjoyed worldwide success ever since. An enormous community has formed around the product.

LP Digital uses Drupal not only for its power but also because its strength lies in its expandability. This open source CMS makes it easy to add a large number of new and very sophisticated modules, particularly ones suited to corporate social networks. But every professional site has to be built on a fundamental concept: security.

  1. Password policy

The Password policy module has been used by more than 20.000 sites. It has been downloaded more than 260.00 times.


This module provides a way to specify a certain level of password complexity (aka. "password hardening") for user passwords on a system by defining a password policy.

A password policy can be defined with a set of constraints which must be met before a user password change will be accepted. The module also implements a password expiration feature. The user gets blocked or is forced to change his password when his old password expires.

Administrators can force specific users or entire roles to change their password on their next login and can make a password tab available to users instead of the usual user/#/edit screen for password changes.

  2. Security kit

SecKit provides Drupal with various security-hardening options. This lets you mitigate the risks of exploitation of different web application vulnerabilities.


The module offers hardening options in four important categories: cross-site scripting, cross-site request forgery, clickjacking and SSL/TLS.
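
To make the four categories concrete, here is an added example (not SecKit's code and not from the original article) that audits a response's headers for the XSS, clickjacking and SSL/TLS categories and checks the request Origin for CSRF. The mapping of categories to headers, the function names and the sample responses are assumptions of this example.

```python
from urllib.parse import urlsplit

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first one wins
    return policy

def audit_response(headers):
    """Return findings for XSS, clickjacking and SSL/TLS response headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    findings = []
    # Cross-site scripting: script sources must be restricted by CSP.
    scripts = csp.get("script-src", csp.get("default-src"))
    if scripts is None:
        findings.append("xss: CSP does not restrict script sources")
    elif "'unsafe-inline'" in scripts or "*" in scripts:
        findings.append("xss: CSP allows inline or wildcard scripts")
    # Clickjacking: frame-ancestors or a restrictive X-Frame-Options.
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("clickjacking: framing is not restricted")
    # SSL/TLS: HSTS must be present with a non-zero max-age.
    max_age = 0
    for item in h.get("strict-transport-security", "").split(";"):
        name, _, val = item.strip().partition("=")
        if name.lower() == "max-age" and val.strip('"').isdigit():
            max_age = int(val.strip('"'))
    if max_age == 0:
        findings.append("tls: HSTS missing or max-age is 0")
    return findings

def origin_allowed(method, origin, allowed_origins):
    """CSRF: state-changing requests must carry a trusted Origin header."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    if not origin:
        return False  # strict choice made for this example
    parts = urlsplit(origin)
    return f"{parts.scheme}://{parts.netloc}".lower() in allowed_origins

# Constructed sample responses (not captured from a real site).
WEAK = {"Content-Security-Policy": "default-src *", "X-Frame-Options": "ALLOWALL"}
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
```

Running `audit_response` against a staging site's headers before and after enabling the hardening options shows which categories are actually covered.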



  3. Security review

Around 34.000 sites have this module, and it has been downloaded more than 270.000 times.




The Security Review module automates testing for many of the easy-to-make mistakes that render your site insecure.

This module does not automatically make changes to your site. You should use the results of the checklist and its resources to manually secure your site. The results of some checks may be incorrect depending on unique factors of your site.

Security is a process, so you should work to pass all of the Security Review checks and also audit your site for risks this module cannot check for.


  4. Username Enumeration Prevention

This module has been used by more than 7.000 sites and been downloaded by 29.000 Drupal users.


By default Drupal is very secure (especially Drupal 7). However, there is a way to exploit the system by using a technique called username enumeration. Both Drupal 6 and 7 have this issue, but it is much worse for people using Drupal 6. This is because Drupal 6 does not have any built-in brute force prevention. When an attacker knows a username, they can start a brute force attack to gain access as that user. To help prevent this, it is best if usernames on the system are not easy to find out.

Attackers can easily find usernames that exist by using the forgot password form and a technique called “username enumeration”. The attacker can enter a username that does not exist and they will get a response from Drupal saying so. All the attacker needs to do is keep trying usernames on this form until they find a valid user.

This module will stop this from happening. When the module is enabled, the error message is replaced with the same message shown for a valid user, and the visitor is redirected back to the login form. If the user does not exist, no password reset email will be sent, but the attacker will not know this is the case.
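
The difference between the two behaviours, as an added example that is not the module's code and not from the original article: a reset handler whose error reveals account existence, a uniform one, and a regression check that compares their responses. The account store, message strings and function names are constructed for illustration.

```python
# Constructed sample account store; names and addresses are made up.
USERS = {"alice": "alice@example.org", "bob": "bob@example.org"}

# Illustrative wording, assumed for this example.
GENERIC_NOTICE = "Further instructions have been sent to your e-mail address."


def reset_leaky(name, outbox):
    """Enumerable behaviour: the error reveals that the account is unknown."""
    if name not in USERS:
        return {"status": 200, "redirect": None,
                "message": f"Sorry, {name} is not recognized as a user name."}
    outbox.append(USERS[name])
    return {"status": 200, "redirect": "/user", "message": GENERIC_NOTICE}


def reset_uniform(name, outbox):
    """Hardened behaviour: same message and redirect for every input."""
    email = USERS.get(name)
    if email is not None:
        outbox.append(email)  # mail goes out only for real accounts
    return {"status": 200, "redirect": "/user", "message": GENERIC_NOTICE}


def leaks_existence(handler, known_user, unknown_user):
    """Regression check: True if the two responses can be told apart."""
    return handler(known_user, []) != handler(unknown_user, [])
```

The check only compares response content; if the reset mail is sent synchronously, response time can still differ between the two cases, so queueing the mail keeps the timing uniform as well.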

  5. Generate Password

More than 6.000 sites are using the Generate Password module. It has been downloaded almost 32.000 times.

This is a great utility module which makes the password field optional (or hidden) on the add new user page (admin & registration). If the password field is not set during registration, the system will generate a password. You can optionally display this password at the time it's created.

To configure the module, you simply need to change the settings on the parameters page to modify the password generation behavior.



You can also find external services to protect your site against robot attacks, such as Sucuri or SiteLock, which offer scanner scripts if your site has already been infected. WRA Protect is also a very efficient module that stops the source of hacker attacks. It is a sophisticated system that sends alerts and has an artificial intelligence; in a nutshell, it is a kind of firewall that comes with an antivirus, combined with real-time system analysis for all users.


