Drupal Security Best Practices | Drupal 8

Drupal Security Best Practices

Submitted by nuwantha on Wed, 06/01/2022 - 16:44

Security tips for Drupal

1. Update Drupal core and contrib modules to the latest version
Example with Composer if you use core-recommended:
composer update drupal/core-recommended:9.3.14 -W

2. Perform regular backups of the files and database.
You can use the Backup and Migrate module.

3. Avoid simple usernames and passwords
Avoid admin, root, drupal, 1234 ...

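4. Block access to important files and unwanted text files using the .htaccess file.
# Return 403 for PHP and text files under /core and for INSTALL.txt
RedirectMatch 403 "/core/(.*)\.php"
RedirectMatch 403 "/core/(.*)\.txt"
RedirectMatch 403 "INSTALL\.txt"

# Apache 2.2 access syntax; on Apache 2.4 it needs mod_access_compat
<FilesMatch "(authorize|cron|install|upgrade)\.php">
    Order deny,allow
    Deny from all
    # Placeholder address: replace with your own trusted IP
    Allow from 192.0.2.10
</FilesMatch>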

5. Block bad bots using the .htaccess file.
RewriteEngine On
# The space in "Catall Spider" is escaped so the pattern stays a single argument
RewriteCond %{HTTP_USER_AGENT} ^.*(agent1|Wget|Catall\ Spider).*$ [NC]
RewriteRule .* - [F,L]

6. Enable trusted host patterns in the settings.php file.
$settings['trusted_host_patterns'] = ['^www\.example\.com$',];

7. Always use secure connections

8. Check file permissions
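
For tip 6, the script below is an added example (not Drupal's own code and not from the original post) that shows why the trusted host patterns should be anchored and have their dots escaped. The helper host_is_trusted(), the pattern sets and the Host values are constructed for illustration, and it assumes each pattern is applied as a case-insensitive regular expression.

```php
<?php
// Added example, not Drupal code. host_is_trusted() is a hypothetical helper.
// Assumption: every trusted_host_patterns entry is used as a case-insensitive
// regular expression against the Host header of the request.
function host_is_trusted(string $host, array $patterns): bool {
  foreach ($patterns as $pattern) {
    if (preg_match('{' . $pattern . '}i', $host) === 1) {
      return TRUE;
    }
  }
  return FALSE;
}

// Pattern sets to compare (constructed).
$sets = [
  'weak: unanchored, dots not escaped' => ['www.example.com'],
  'strict: the pattern from tip 6'     => ['^www\.example\.com$'],
  'strict: bare domain and subdomains' => ['^example\.com$', '^.+\.example\.com$'],
];

// Constructed Host header values; .test names are reserved for testing.
$hosts = [
  'www.example.com',
  'WWW.EXAMPLE.COM',
  'example.com',
  'wwwXexample.com',
  'www.example.com.lookalike.test',
  'lookalike.test',
];

// Print an accepted/rejected table for every pattern set.
foreach ($sets as $label => $patterns) {
  echo $label, PHP_EOL;
  foreach ($hosts as $host) {
    $verdict = host_is_trusted($host, $patterns) ? 'accepted' : 'rejected';
    printf("  %-32s %s\n", $host, $verdict);
  }
}
```

Run it with the PHP CLI before deploying a change to settings.php; a pattern set that accepts any of the lookalike hosts needs tightening.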

