Drupal Website Password and Login Security Hardening

Hardening Drupal Websites

Drupal Website Hardening Considerations

Drupal's default configuration is geared toward websites that expect visitors to create Drupal accounts and use the site as authenticated (logged-in) users. Sometimes, however, a Drupal website needs to be configured to limit external access: for example, a site that is not intended for visitor login, or one that simply needs tighter security. Several of these threat vectors can be hardened with basic, accessible and easy-to-use configuration modules contributed by the Drupal development community.

Password Strength Management

Where general site visitors are intended to have access to a Drupal website, one way to harden it is to require strong passwords. By default, Drupal 8 requires reasonably strong passwords; the Drupal Password Policy Module, however, provides enhanced tools to enforce them. The Password Policy Module also includes an option to require that users change their passwords periodically; this feature is called password expiration. Recent studies of password security have concluded that password length matters more to password security than password complexity, and the Password Policy Module includes constraints for both aspects. The Password Policy Module can be combined with the Password Strength Module (a plugin for the Password Policy Module) to further enhance password security: the Password Strength Module applies entropy and pattern-matching analysis to estimate password strength and flag weaker passwords.

Login Attempt Flood Control and Login Spam Control

Support for login attempt flood control in Drupal 8 is available from a module called Login Security. The Login Security Module can lock out visitors after a defined number of failed logins. The module supports several types of thresholds and responses, including a soft lockout that resets after a specified time period and permanent IP address or user-name lockouts. The module's documentation explains the pros and cons of each feature. For example, the user-based lockout feature needs to be used with care to prevent an attacker from triggering a permanent lockout of a vital Drupal user account; this feature can, however, be configured to whitelist accounts with the administrator role.

Two additional tools for managing login attempt abuse are the Honeypot Module and the Captcha Module, together with its sub-module, the Riddler Module. The Honeypot Module attempts to detect automated use of the login form by adding a hidden field that human users do not see. If a bot fills in the hidden "honeypot" field, the login attempt is rejected before the form is processed. The Captcha Module's approach is to add a form field that requires human intervention, such as an arithmetic calculation. The Riddler Module is an excellent enhancement to the Captcha Module with which an administrator can create custom, obscure questions that a bot would have difficulty predicting but a human can answer easily, such as "What state is north of Oregon?", "What is the opposite of hot?" or "What is the formula for water?".
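The hidden-field mechanism described above, written out as a minimal Drupal 8 hook in a hypothetical module named hardening_example. This is an added illustration of the technique, not code from the Honeypot Module itself; the field name website_url and the module name are assumptions.

```php
<?php

/**
 * @file
 * hardening_example.module (hypothetical module name, added for illustration).
 *
 * Adds a hidden "honeypot" field to the core user login form. A human never
 * sees the field, so a non-empty value indicates an automated submission.
 */

use Drupal\Core\Form\FormStateInterface;

/**
 * Implements hook_form_FORM_ID_alter() for user_login_form.
 */
function hardening_example_form_user_login_form_alter(array &$form, FormStateInterface $form_state) {
  // The field name looks plausible so that form-filling bots populate it.
  // The wrapper is hidden from sighted users and the label tells
  // screen-reader users to leave it empty.
  $form['website_url'] = [
    '#type' => 'textfield',
    '#title' => t('Leave this field blank'),
    '#default_value' => '',
    '#attributes' => ['autocomplete' => 'off', 'tabindex' => '-1'],
    '#wrapper_attributes' => ['style' => 'display:none;'],
  ];
  // Core's own validators (name, password, flood check) stay in place;
  // the honeypot check runs alongside them.
  $form['#validate'][] = 'hardening_example_honeypot_validate';
}

/**
 * Form validation handler: rejects the submission if the honeypot is filled.
 */
function hardening_example_honeypot_validate(array &$form, FormStateInterface $form_state) {
  $value = (string) $form_state->getValue('website_url');
  if ($value === '') {
    return;
  }
  // Keep the error generic so the response does not reveal the honeypot,
  // and log the event so it can be correlated with failed-login monitoring.
  $form_state->setErrorByName('name', t('There was a problem with your submission. Please try again.'));
  \Drupal::logger('hardening_example')->notice('Honeypot field filled on the login form from IP %ip.', [
    '%ip' => \Drupal::request()->getClientIp(),
  ]);
}
```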

Account Creation Control and Password Reset Control

Some websites may not want to let visitors create accounts. The Drupal administration system lets a site administrator disable visitor account creation entirely (see /admin/config/people/accounts). Unlike that setting, the Drupal administration user interface has no direct option to disable the password reset form that appears by default on the Drupal user login page. However, a very powerful module makes it easy to disable the external password reset feature: the Drupal Custom Permissions Module, with which it is possible to create a custom permission controlling per-role access to this feature. All that is needed is to create a custom permission for the Drupal route user.pass so that anonymous users do not have access to it, and the reset form will no longer be available from the user login page.
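The same restriction on the user.pass route, implemented directly with Drupal 8's routing API rather than through the Custom Permissions Module. This is an added example, not code from the article or from either module; the module name hardening_example and the permission string "use password reset form" are assumptions.

```php
<?php

namespace Drupal\hardening_example\Routing;

use Drupal\Core\Routing\RouteSubscriberBase;
use Symfony\Component\Routing\RouteCollection;

/**
 * Puts the password reset form (route user.pass) behind a custom permission.
 *
 * Companion files in the same (hypothetical) module:
 *
 * hardening_example.permissions.yml
 *   use password reset form:
 *     title: 'Use the password reset form'
 *     description: 'Grant only to roles that may request a reset e-mail.'
 *
 * hardening_example.services.yml
 *   services:
 *     hardening_example.route_subscriber:
 *       class: Drupal\hardening_example\Routing\RouteSubscriber
 *       tags:
 *         - { name: event_subscriber }
 */
class RouteSubscriber extends RouteSubscriberBase {

  /**
   * {@inheritdoc}
   */
  protected function alterRoutes(RouteCollection $collection) {
    $route = $collection->get('user.pass');
    if ($route === NULL) {
      return;
    }
    // Core declares user.pass with "_access: 'TRUE'", i.e. open to everyone.
    // Replacing the requirements swaps that for a permission check: the
    // anonymous role, which is not granted the permission, receives a 403,
    // and the "Reset your password" tab disappears from /user/login.
    $route->setRequirements(['_permission' => 'use password reset form']);
  }

}
```

Clear caches after enabling the module so the altered route is rebuilt; the permission can then be granted to specific roles at /admin/people/permissions.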

Additional Hardening

Although security by obscurity is not truly security, certain types of obscurity can help reduce some attack vectors. Two additional Drupal modules provide features for this purpose. The first is the Rename Admin Paths Module, with which the /user/login and /user/registration pages can be moved to different, custom paths. This makes it harder for crawler bots to find the login and site-access forms, and thereby reduces the potential for crawlers to flood those forms with DDoS attacks. Additionally, the Login Disable Module, which is not quite aptly named, lets a site administrator define an additional keyword that must be appended to the login path before the login form becomes accessible. For example, the user login path would require a URL ending in user/login?secretword instead of the login URL path alone.

Summary

By deploying some or all of the Drupal modules described in this article, it is possible to better harden a Drupal website that is not intended to provide visitors with user logins and authenticated access. These modules can also help prevent various types of website attacks from hackers and malicious crawler bots.