Checking and improving your Drupal website’s security
You know that website security is of vital importance.
We have already told you about our website security audit service as well as the 5 most critical security risks on Drupal 8. Now it’s time for a detailed technical blog post about Drupal website security, written by our Drudesk Drupal help team.
When working with a website, developers often need to obtain certain information about the website’s condition. For this purpose, there are a number of useful Drupal modules.
Top Drupal Security Modules
The Hacked! module
The Hacked! module (https://www.drupal.org/project/hacked) reveals whether the code of Drupal core and of the contributed modules and themes installed on the website has been changed. This information is very useful, for example, before a core, module or theme update: any so-called hacked code (local modifications) is overwritten by the contributed code during the update, which in turn may break the website’s functionality.
Install the Hacked! module, go to the Reports page and select the "Hacked" menu item. Wait for the batch to complete.
The green color lets you know that Drupal core and the installed contributed modules and themes match the contributed code.
Now make a change to the code of one of the contributed modules. Run the check again manually (the "Check manually" link at the top of the page), wait for the batch to complete, and look at the results.
The red color shows that the code of the installed module does not match the contributed one. You also see the number of changed and deleted files in the module. Select "View details of change" for more information: a list of the module’s files, with the changed and deleted ones marked.
However, the Hacked! module reveals only the fact that there is custom code, not the code itself. What if you find a hacked contributed module but still need to update it? The best approach is to move the functionality implemented through the hacked code into a separate module and then update the contributed module. To do that, you first need to find the hacked code, and the Hacked! module alone cannot do this. You could, of course, download the same version of the module from drupal.org and compare it with the installed copy using git, but what if your website has not one hacked module but five or ten? In this case, the Diff module (https://www.drupal.org/project/diff) comes to the rescue.
The Diff module
Install the Diff module and you get an additional feature: in the hacked module’s list of files, a link appears for each file containing custom code. Follow this link.
You will see a page showing the lines of contributed code next to the code they have been replaced with.
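The following is an added example, not code from the Hacked! or Diff modules: it reimplements what the two modules report, comparing an installed module directory against a pristine copy of the same release (changed/deleted/added files, like Hacked!), then producing a line-level diff of one changed file (like Diff). The module tree it builds ("mymodule") is constructed for the demonstration.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def compare_trees(pristine: Path, installed: Path) -> dict:
    """Report files in the installed module that differ from the pristine copy.

    Returns {"changed": [...], "deleted": [...], "added": [...]} with paths
    relative to the module root, the same three classes the Hacked! report shows.
    """
    pristine_files = {p.relative_to(pristine) for p in pristine.rglob("*") if p.is_file()}
    installed_files = {p.relative_to(installed) for p in installed.rglob("*") if p.is_file()}
    changed = sorted(str(f) for f in pristine_files & installed_files
                     if _sha256(pristine / f) != _sha256(installed / f))
    deleted = sorted(str(f) for f in pristine_files - installed_files)
    added = sorted(str(f) for f in installed_files - pristine_files)
    return {"changed": changed, "deleted": deleted, "added": added}


def file_diff(pristine: Path, installed: Path, rel: str) -> str:
    """Unified diff of one changed file (what the Diff module shows per file)."""
    a = (pristine / rel).read_text().splitlines(keepends=True)
    b = (installed / rel).read_text().splitlines(keepends=True)
    return "".join(difflib.unified_diff(a, b, f"pristine/{rel}", f"installed/{rel}"))


def demo() -> dict:
    """Constructed scenario: a fake 'mymodule' with one edited and one deleted file."""
    root = Path(tempfile.mkdtemp())
    pristine, installed = root / "pristine", root / "installed"
    for base in (pristine, installed):
        (base / "src").mkdir(parents=True)
        (base / "mymodule.info.yml").write_text("name: mymodule\ntype: module\n")
        (base / "mymodule.module").write_text("<?php\nfunction mymodule_help() {}\n")
        (base / "src" / "Helper.php").write_text("<?php\nclass Helper {}\n")
    # Simulate a site-specific hack: edit one file and delete another in the installed copy.
    (installed / "mymodule.module").write_text("<?php\nfunction mymodule_help() {\n  return 'patched';\n}\n")
    (installed / "src" / "Helper.php").unlink()
    report = compare_trees(pristine, installed)
    report["diff"] = file_diff(pristine, installed, "mymodule.module")
    return report


if __name__ == "__main__":
    print(demo())
```

Point `compare_trees` at a module directory from your site and at the same version unpacked from drupal.org to get the same report for a real module.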
The Devel module
There is another useful module for testing and development — the Devel module (https://www.drupal.org/project/devel). It provides many tools for developing, debugging and optimizing your website, and ships with two additional modules: Devel generate and Devel Node Access. The Devel module enables you to generate test content and comments, users, menus, taxonomy vocabularies and terms. The Devel Node Access module displays detailed information on access rights to nodes. We will not dwell on the Devel module’s features here; you can find more information about it here.
The Masquerade module
From time to time you need to test your website as different users. This can be done with the help of the Devel module, but you can also do it without creating new users, using the existing ones. One way is to log in as any user via Drush. However, if you need to test your website this way often, the Masquerade module (https://www.drupal.org/project/masquerade) is more convenient. It lets users with the relevant permission log in as any other user via the website’s interface, without a password.
To do this, install the Masquerade module, go to the block list and find the block of the same name. Place it in the desired region. That’s it — you can now use it.
The Schema module
The Schema module (https://www.drupal.org/project/schema) provides comprehensive information on the website’s database structure.
The module lets you compare the structure of the database tables with the structure of the same tables declared in code through hook_schema. You can do this on the module’s settings page by clicking the "COMPARE" tab. In particular, you will see a list of tables for which the information in hook_schema matches the website’s current database structure.
Now select any enabled module that creates tables in the database during installation — for example, the Views module — and disable it. Refresh the Schema module settings page and see what has changed.
The "EXTRA" subsection now lists 4 tables of the Views module. They are still in the database but no longer used, because the module itself was disabled but not deleted.
Let's see what happens if you change the website’s database structure manually. Open phpMyAdmin, go to your website’s database, choose any table, such as "batch", and change the "batch" field type from LONGBLOB to BLOB. Save the changes and refresh the module settings page.
The "MISMATCH" section now shows the "batch" table, with information about exactly how its structure differs from the one declared in hook_schema.
The next tab, "DESCRIBE", lists the tables together with the Drupal table structure and the module each table belongs to.
The "INSPECT" tab shows information about the website’s live database. The "SQL" tab shows the SQL queries that create the tables declared by modules. The "SHOW" tab displays the table structure as an array.
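As an added example (not the Schema module's code), here is the comparison logic behind the "COMPARE" tab, run against an SQLite database instead of MySQL: the declared schema is read from a simplified, constructed stand-in for hook_schema, the live schema from the database catalog, and tables are sorted into match, mismatch, missing and extra. The scenario reproduces the two cases above: the "batch" column shrunk from LONGBLOB to BLOB, and an orphaned Views table (the table and column names are constructed, not Drupal's real definitions).

```python
import sqlite3

# Constructed stand-in for hook_schema(): table -> {column: declared type}.
DECLARED_SCHEMA = {
    "batch": {"bid": "INTEGER", "token": "VARCHAR(64)", "timestamp": "INTEGER", "batch": "LONGBLOB"},
    "sessions": {"sid": "VARCHAR(128)", "uid": "INTEGER", "timestamp": "INTEGER"},
}


def live_schema(conn: sqlite3.Connection) -> dict:
    """Read table and column types from the live database via PRAGMA table_info."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    # PRAGMA takes no bound parameters; names come from the catalog, not from user input.
    return {t: {row[1]: row[2].upper() for row in conn.execute(f"PRAGMA table_info('{t}')")}
            for t in tables}


def compare_schema(declared: dict, live: dict) -> dict:
    """Classify tables the way the Schema module's COMPARE tab does."""
    report = {"match": [], "mismatch": {}, "missing": [], "extra": []}
    for table, cols in declared.items():
        if table not in live:
            report["missing"].append(table)
            continue
        # (declared type, live type) for every column that differs or exists on one side only.
        diffs = {c: (cols.get(c), live[table].get(c))
                 for c in set(cols) | set(live[table]) if cols.get(c) != live[table].get(c)}
        if diffs:
            report["mismatch"][table] = diffs
        else:
            report["match"].append(table)
    report["extra"] = sorted(t for t in live if t not in declared)
    return report


def demo() -> dict:
    """Constructed scenario: batch.batch changed to BLOB, plus a leftover views table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE batch (bid INTEGER, token VARCHAR(64), timestamp INTEGER, batch BLOB);
        CREATE TABLE sessions (sid VARCHAR(128), uid INTEGER, timestamp INTEGER);
        CREATE TABLE views_view (vid INTEGER, name VARCHAR(32));
    """)
    return compare_schema(DECLARED_SCHEMA, live_schema(conn))


if __name__ == "__main__":
    print(demo())
```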
The Security Kit module
The Security Kit module (https://www.drupal.org/project/seckit) helps you reduce the threat from a variety of web application vulnerabilities. In particular, it allows you to:
- configure your website’s protection against cross-site scripting (XSS) attacks: you can specify which content sources are considered trusted and restrict their capabilities
- configure X-XSS-Protection
- reduce the risk of vulnerabilities such as cross-site request forgery (CSRF) and clickjacking
- improve SSL/TLS security, and more
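An added example, not part of Security Kit itself: after enabling the module, the response headers are what actually carries the protection, so a small audit of those headers shows whether the configuration took effect. The checks below assume the usual header mechanisms for the items above (Content-Security-Policy for script sources, X-Frame-Options / frame-ancestors for clickjacking, Strict-Transport-Security for TLS); the 180-day HSTS threshold and both header sets are constructed values.

```python
def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means all three checks passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = parse_csp(h.get("content-security-policy", ""))
    scripts = csp.get("script-src", csp.get("default-src"))
    if scripts is None:
        findings.append("XSS: no CSP script-src/default-src, script sources are unrestricted")
    elif "'unsafe-inline'" in scripts or "*" in scripts:
        findings.append("XSS: CSP allows inline or wildcard script sources")
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options DENY/SAMEORIGIN or frame-ancestors")
    max_age = 0
    for token in h.get("strict-transport-security", "").split(";"):
        name, _, value = token.strip().partition("=")
        if name.lower() == "max-age" and value.isdigit():
            max_age = int(value)
    if max_age < 180 * 24 * 3600:  # constructed threshold: at least 180 days
        findings.append("TLS: HSTS missing or max-age shorter than 180 days")
    return findings


# Constructed header sets: a site before and after hardening.
WEAK_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "ALLOWALL"}
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.test; frame-ancestors 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit_headers(hdrs) or "OK")
```

To audit a live site, feed it the headers dictionary from any HTTP client response instead of the constructed sets.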
The modules included in Drupal core
The Syslog module lets you configure the logging of the website’s log entries and errors to the system log.
The Database logging module lets you view a list of the website’s log entries and filter them by type and severity level.
You can check for available updates to contributed projects by installing the Update manager module.
There are specific rules that must always be followed when developing the website’s functionality; otherwise, problems can arise at any time. To catch them, it is a good idea to check the website with one of the methods described above.
Hopefully, this helps you maintain your Drupal website’s security at the highest level.