Writing secure code for Drupal
Following best practice while writing your own code can help keep it, and your website, secure
Security of generated PHP files
Drupal 8 generates PHP files programmatically, and attackers need to be prevented from doing the same
Secure configuration for site builders
Following best practices for configuring your site can keep your website secure.
Accepting Payments Online: Drupal and PCI Compliance
The Payment Card Industry (PCI) has defined a number of Data Security Standards when accepting sensitive information such as credit card
Authentication improvements
This section is not intended to be a list of available authentication endpoints for Drupal, or a third-party integration module list. The
CAPTCHA configuration options
This document explains all options on the CAPTCHA General settings configuration page of the CAPTCHA module. To access the CAPTCHA module
CAPTCHA module: spam control
A CAPTCHA is a challenge-response test most often placed within web forms to determine whether the user is human. The purpose of the CAPTCHA
Configuring cron for HTTP authentication
If HTTP authentication is forced, cron jobs will need to authenticate themselves. See Configuring cron jobs for more details on configuring
Configuring text formats (aka input formats) for security
Drupal's Input Formats provide a variety of benefits. They can be used to enhance the functionality of your site but one of the main
Deleting users who have written nodes/comments can lead to access bypass
Drupal sites can allow users to be deleted or even for users to delete themselves. This can sometimes lead to unexpected situations where
Detection and Prevention
These modules may help in detection and prevention of security issues on a Drupal site. Unfortunately, some of them require a skilled
Disable the permissions interface using Secure Permissions
Secure Permissions disables the user interface for creating and assigning roles and permissions.
Egglue CAPTCHA
The Egglue CAPTCHA module uses the Egglue Semantic CAPTCHA web service to improve the CAPTCHA module with semantics. Unlike conventional
Enabling HTTP Secure (HTTPS)
HTTPS is a protocol which makes communication with a website secure; it keeps the data between the website and the visitor.
Enhancing security using contributed modules
This section provides information about the various contributed modules that enhance security.
Frequently asked questions
Questions and answers commonly asked of the Drupal Security Team.
Gotcha module: contact spam catcher
Gotcha is sort of a take off on "captcha." The idea was first mentioned on http://drupal.org/node/166921 as a possible way to trick spam
Hashcash module
The Hashcash module implements the Hashcash algorithm, which was originally created as a means of preventing spam emails. Installing this
Hide, obscure, or remove clues that a site runs on Drupal
Many times, new users with an incomplete idea of "security" ask:
Hiding information from visitors
If someone is attacking your site and is able to determine information about which version of Drupal or which specific modules or themes you
Honeypot: spam bot form protection
Honeypot uses both the honeypot and timestamp methods of deterring spam bots from completing forms on your Drupal site. These methods are
How to add CAPTCHA Challenge to a Content Type
Assumptions
IP & email blocklisting modules
IP blocklisting is a common operation in public services. This feature should only be used as the 'last resort' when you have no more
Is Drupal secure?
Drupal has a very good track record in terms of security, and has an organized process for investigating, verifying, and publishing possible
Known issue with cURL and outdated root certificates
Symptoms
Legal issues helpers
These modules provide various types of legal support:
Login Security module / Lacking features / other modules & integration
Login Security module improves the security options in the login operation of a Drupal site. By default, Drupal introduces only basic access
Miscellaneous security modules
The following list of modules provide additional security capabilities:
Moving all PHP files out of the docroot
Traditionally, all Drupal core, vendor, and module PHP files are placed in the web-server-accessible document root folder. This is a security weakness
My site was defaced ("hacked"). Now what?
Basics
Password management
Passwords are key to user authorization and authentication in Drupal. Default password management could be considered good, but of course it
Preventing execution of untrusted PHP
It is important to understand the implications of allowing a Drupal user to execute PHP.
Privacy management
Drupal's access control facility is used to grant permissions on content to users or roles. Sometimes these access restrictions are wrongly
Secure files using Encrypted Files (Version 1.x)
The Encrypted Files module allows Drupal 7 to encrypt files uploaded by users, and to decrypt these files for user download. Dynamic
Securing Authentication Credentials
Drupal websites often need API keys to access third party services. These keys need to be securely stored.
Securing file permissions and ownership
The server file system should be configured so that the web server (e.g. Apache) can't edit or write the files which it executes.
Securing the admin super user (#1)
Following best practice to secure the admin super user (#1) can help keep your website secure
Securing your site
This section provides security configuration advice for site administrators and includes both "things you should actively do"
Session management
Drupal user access and identification is based on sessions. These modules help you configure how long, how many, and/or on what pages the
Setting up digest authentication
Digest authentication avoids transmitting passwords by exchanging character strings (digests) that prove both the user and the Web server
Spam control modules
Spam—whether in a post, comment or through a contact form—has become a troublesome fact of life for any site administrator. Fortunately, a
Spam module
This is the documentation page for the Spam module. Docs are being collected as issue [#455066] to be placed here when a section is
Tarpit spam trap
The Tarpit module allows you to build a tarpit on particular url that you can define.
US NIST Password Guidelines review
A review of Drupal 8 password storage and usage in relation to NIST guidelines from June 2017
reCAPTCHA
The reCAPTCHA module uses the reCAPTCHA web service to improve the CAPTCHA system and protect email addresses. For more information on what