Securing Drupal

Information Security Guideline

Introduction

  1. Drupal is a popular open source content management system and is frequently targeted for attacks. This hardening guide provides configuration guidance intended to reduce the attack surface a Drupal installation exposes.
  2. This guideline has been issued by the Chief Information Officer to supplement the Vulnerability Management standard. Compliance with this guideline is recommended, but not mandatory. Questions about this guideline may be referred to information.security@ubc.ca.

Best Practices for Protecting the Application Platform

  1. Once Drupal is installed, ensure that its “Update” module is enabled and that notification of security updates is turned on. Subscribe to Drupal’s Security Advisory email list or Twitter account.
  2. Input filters & WYSIWYG
    1. configure input filters (text formats) separately for each user level;
    2. turn on the WYSIWYG Filter module and configure it to allow only specific tags, classes, etc.; and
    3. disallow “Full HTML” (potential for privilege-escalation attacks).
  3. Logging & errors
    1. log (but don’t show) errors; and
    2. enable login logging (the “Login Security” module, even in D7, logs failed logins and provides stronger flood protection).
  4. If you have comments enabled, consider installing comment moderation software like Mollom and a captcha solution like ReCaptcha.
  5. Only enable modules you intend to use; leave unused modules disabled, or uninstall them and remove them from your server.
    1. for each module, look at its issue queue on Drupal.org: consider the number of active installs versus the number of open and closed issues;
    2. make sure the module page says “Actively maintained”; and
    3. never enable FTP module updating; always update modules through the command line (FTP updating requires giving the webserver write access to PHP files, which is a dangerously insecure site configuration).
  6. To enhance overall security it is also important to harden the operating system that will be hosting the Drupal installation:
    1. look at file permissions and make sure that the webserver can never write into a directory containing executable PHP; and
    2. ensure .htaccess files exist in all Drupal files directories (sites/*/files).
  7. Permissions & Roles:
    1. create roles to add privileges to users, either by group (e.g., a “faculty” role) or function (a “webform results” role) – permissions granted by roles are additive, so a mix of both is most useful;
    2. set permissions to add/delete/update content as granularly as possible; and
    3. audit roles and permissions annually.
  8. If you have control over the server, and it is solely for a Drupal site, consider custom rewrites in the Apache configuration (at the <VirtualHost> or <Directory> level).
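The two filesystem checks in item 6 (webserver-writable directories holding PHP, and missing .htaccess files in sites/*/files) can be scripted. The following POSIX shell audit helper is an added example, not part of this guideline or of Drupal itself. It assumes its first argument is the Drupal docroot and its optional second argument is the account the webserver runs as (www-data is used only as an illustrative name), and it treats a directory as webserver-writable if it is world-writable or owned by that account. It reports findings and changes nothing.

```shell
#!/bin/sh
# Added audit helper for items 6.1 and 6.2 of the guideline (example code, not
# UBC's or Drupal's). Assumptions: "$1" is the Drupal docroot; optional "$2" is
# the webserver account (e.g. www-data), whose owned directories count as writable.

# 6.2: print every sites/*/files directory that lacks an .htaccess file.
# Drupal places one there to stop PHP execution in the upload area.
missing_htaccess() {
  root="$1"
  for d in "$root"/sites/*/files; do
    [ -d "$d" ] || continue
    [ -f "$d/.htaccess" ] || printf '%s\n' "$d"
  done
}

# 6.1: print directories that contain at least one .php file and that the
# webserver could write to: world-writable (-perm -0002) or, when an account
# is given, owned by that account.
writable_php_dirs() {
  root="$1"
  webuser="${2:-}"
  owner_test=""
  if [ -n "$webuser" ]; then
    owner_test="-o -user $webuser"
  fi
  # owner_test is deliberately unquoted so it splits into separate find arguments.
  # The inner sh returns 0 only if the directory directly holds a .php file.
  find "$root" -type d \( -perm -0002 $owner_test \) \
    -exec sh -c 'for f in "$1"/*.php; do [ -e "$f" ] && exit 0; done; exit 1' _ {} \; \
    -print | sort
}

# Run both checks. Exit status 0 means no findings; 1 means something needs fixing.
audit_drupal_fs() {
  out=$(
    missing_htaccess "$1" | sed 's/^/MISSING .htaccess: /'
    writable_php_dirs "$1" "${2:-}" | sed 's/^/WEBSERVER-WRITABLE PHP DIR: /'
  )
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# Usage:  sh audit_drupal_fs.sh /var/www/drupal www-data
# (The paths above are illustrative placeholders.)
if [ "$#" -gt 0 ]; then
  audit_drupal_fs "$1" "${2:-}"
fi
```

Run it as root so every directory is readable. A webserver-writable PHP directory is corrected by reassigning ownership to a deployment account and removing the write bits for the webserver; a missing .htaccess in a files directory is normally regenerated by Drupal itself when the status report page is visited, or can be copied from a fresh installation of the same version.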

Recommended Sites

  1. The following sites provide additional information on securing/hardening Drupal:

    Topic Area                      Site
    Securing your site              https://www.drupal.org/security/secure-configuration
    Drupal Security Best Practices  https://archive.openconcept.ca/drupal-security-best-practices-practical-guide.html
    Hardening Drupal 7 Websites     https://bput4all.wordpress.com/2012/02/01/hardening-drupal-websites/
    Securing Drupal 7               http://www.madirish.net/242
    Security Group                  https://groups.drupal.org/security
    Security Advisories             https://www.drupal.org/security

Related Documents and Resources

  1. Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems
  2. Vulnerability Management standard
  3. UBC Systems and Application Hardening Guides

Guideline Last Revised: 2021-02

Page last updated on November 10, 2025
