12 Must Have Security Modules For Your Drupal Website

  • December 20 2017

Is Drupal Secure?

An often repeated question, concerning the credibility of open-source technologies.

Organizations like NASA, CERN, the European Union, and the United Nations use Drupal primarily for its security and scalability. Drupal's security group (SecWG), which is always working to discover potential security vulnerabilities, is the primary reason why it’s famous for its security.

But when building a website, ensuring a great digital experience is as important as the security of your website. Read about the six healthy Drupal practices to ensure nothing influences your reputation in the online market, except your good work.

The community is quick to respond whenever there is a security concern and releases patches to settle the issue.

Although Drupal core is secure, it is highly unlikely that customizations made through third-party modules, features, or themes will not open it to vulnerabilities.

Here is a list of 12 must-have Drupal 8 security modules for your website, which will help prevent you from becoming the next victim of a potential cyber-attack.

12 Must-Have Drupal 8 Security Modules


CAPTCHA

A CAPTCHA is a challenge-response test placed in web forms to block submissions by bots. It helps protect your website’s contact and sign-up forms.


The idea is to recognize and block entries by spambots. According to, you can also avail additional Captcha modules such as:

Module Available for version 8.x-1.x Beta1 (As updated on 20th Nov 2017)

Login Security

This module enhances the security options of the login operation on your Drupal site. According to “Login Security presents fundamental access control while denying IP access to the content of the site”.

With the Login Security module, a site manager can protect and limit access by adding access control features to the login forms. With this module enabled, a site administrator may limit the number of invalid login attempts before accounts are blocked, or deny access by IP address, temporarily or permanently.

The module can also send notifications by email and to Nagios, helping the site admin know when something is happening with the site's login form.

As a further control, Login Security can disable Drupal core's login error messages, obscuring the reason for the login failure. This makes it harder for an attacker to discover whether the account even exists. On login, a user can optionally check their last login.

Module Available for version 8.x-1.3 Alpha4 (As updated on 20th Nov 2017)

Password Policy 

This security module imposes character constraints and rules for setting account passwords. As a site manager, you can define and standardize the password requirements for login. For example, if you require one capital letter, a number, and a special character, no user can create a password that does not follow those rules.

Requiring complex passwords helps protect accounts against dictionary attacks and other brute-force techniques.

Password policy can be defined as a set of parameters or constraints which must be met before a user password is set or changed. 

According to, following are the constraint types required in password policy:

  • Digit
  • Letter
  • Letter/Digit (Alphanumeric)
  • Length
  • Uppercase/Lowercase 
  • Punctuation
  • Username
  • Digit placement

Module Available for version 8.x-3.x (As updated on 20th Nov 2017)
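The constraint types listed above can be read as independent checks that each pass or fail. The sketch below is an added example, not the Password Policy module's code: the thresholds in `POLICY`, the function name and the interpretation of "digit placement" are assumptions made for illustration.

```python
import string

# Hypothetical policy: minimum count required for each constraint type.
POLICY = {"length": 10, "letter": 1, "digit": 1, "alphanumeric": 8,
          "uppercase": 1, "lowercase": 1, "punctuation": 1}


def check_password(password, username, policy=POLICY):
    """Return the names of the constraints that the password violates."""
    counts = {
        "length": len(password),
        "letter": sum(c.isalpha() for c in password),
        "digit": sum(c.isdigit() for c in password),
        "alphanumeric": sum(c.isalnum() for c in password),
        "uppercase": sum(c.isupper() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "punctuation": sum(c in string.punctuation for c in password),
    }
    failed = [name for name, minimum in policy.items() if counts[name] < minimum]

    # Username: the password must not contain the account name.
    if username and username.lower() in password.lower():
        failed.append("username")

    # Digit placement (assumed reading): at least one digit must sit somewhere
    # other than a trailing run, so "Summer2017" style suffixes do not count.
    body = password.rstrip(string.digits)
    if counts["digit"] and not any(c.isdigit() for c in body):
        failed.append("digit_placement")
    return failed


# Constructed sample passwords for the account "alice".
if __name__ == "__main__":
    for candidate in ("password", "Alice-Summer2017", "Tr1cky!Horse9"):
        print(candidate, "->", check_password(candidate, "alice") or "accepted")
```

Returning the list of failed constraints, rather than a single yes/no, lets the form tell the user exactly which rule to fix.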

Security kit

SecKit is one of the additional security modules available for your website. It provides various options to improve the security of web applications. Modern browsers support many techniques to mitigate common web vulnerabilities such as Cross-Site Scripting, Cross-Site Request Forgery and Clickjacking, and to enforce SSL/TLS, but browsers cannot prevent these attacks unless the site opts in.

Additionally, the module has options to address HTML injection issues.

Thus, SecKit provides websites with an easy and flexible way to implement them.

Module Available for version 8.x-1.0-alpha2 (As updated on 20th Nov 2017)

Automated Logout

Considered an important security module, Automated Logout lets you set the session timeout for any user. It gives the site admin the ability to log users out after a specified time of inactivity to secure your data.

It is also highly customizable and allows the admin to set or disable the session timeout period for different user roles. It includes a JavaScript mechanism that keeps users logged in while they are working on a form for a longer period of time.

Module Available for version 8.x-1.0 (As updated on 20th Nov 2017)

Session Limit

Session Limit enables admins to restrict the number of concurrent sessions per user. The module forces the user to log out of any additional sessions once they exceed the admin-defined number of sessions. A session is created for every browser from which a user signs in.

For example, if the admin has set a limit of 1 session per user on a Drupal website, a user can only be signed in from 1 browser at a time. If the user tries to sign in from a second browser, they will either be asked to log off from the previously logged-in device or have to end the new login session.

Likewise, you can set the maximum number of simultaneous sessions, down to a single session per client. This also helps secure the client’s account.

Module Available for version 8.x-1.x Beta1 (As updated on 20th Nov 2017)

Two-factor authorization

Adding an extra layer of security to your website, two-factor authorization lets you add a second factor of authentication, such as an OTP sent to a mobile phone.


TFA is the base module and provides a flexible, general-purpose interface for adding two-factor verification methods to your website, such as time-based OTP, SMS codes, and pre-generated codes, or integrations with third-party services like Authy, Duo, Google Authenticator and others.

Module Available for version 8.x-1.x Alpha 1 (As updated on 20th Nov 2017)


This module helps you identify the vulnerable places from which a leak is possible. It alerts the admin when an attacker tries to evaluate a PHP script via the website interface.
It helps block users from being granted permission to use PHP for visibility settings and from creating input formats that use the PHP filter.
It also prevents the website from granting risky permissions, mostly ones that would leak script information.

Module Available for version 8.x-1.x Alpha 1 (As updated on 20th Nov 2017)


Honeypot

This is a spam detection module that uses form fields to detect spammers and stop them from posting to your Drupal site.

The best alternative to CAPTCHA is the Honeypot module. When configured properly, it lures spambots into filling in form fields that are invisible to human users.

This makes it easy for the module to identify and block such bots. It blocks the spambots from submitting any form on your website.

Module Available for version 8.x-1.27x (As updated on 20th Nov 2017)
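The server-side decision behind a honeypot field can be sketched as follows. This is an added example, not the Honeypot module's code: the field name `homepage`, the five-second threshold and the sample submissions are assumptions, and the timing check goes one step beyond the hidden-field technique described above.

```python
HONEYPOT_FIELD = "homepage"   # hypothetical decoy input, hidden from people with CSS
MIN_FILL_SECONDS = 5          # assumed shortest time a person needs to fill the form


def classify_submission(form, rendered_at, submitted_at):
    """Return (accepted, reason) for one form submission.

    rendered_at must come from server-side state (or a signed token), never
    from a plain hidden input, or a bot can simply forge it.
    """
    # People never see the decoy field, so any value in it marks a bot.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot field filled"
    # Scripts post the form far faster than anyone can type.
    if submitted_at - rendered_at < MIN_FILL_SECONDS:
        return False, "submitted too fast"
    return True, "ok"


# Constructed submissions: (form fields, render time, submit time) in seconds.
SAMPLES = [
    ({"name": "Ana", "comment": "Nice post", "homepage": ""}, 1000, 1042),
    ({"name": "x", "comment": "buy now", "homepage": "http://spam.example"}, 1000, 1030),
    ({"name": "y", "comment": "cheap pills", "homepage": ""}, 1000, 1001),
    ({"name": "Bo", "comment": "Thanks"}, 1000, 1015),   # decoy field absent
]


def run_samples():
    return [classify_submission(*sample)[1] for sample in SAMPLES]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(sample[0]["name"], "->", verdict)
```

Rejected submissions are worth logging with their reason, since a sudden rise in either count is an early sign of a spam campaign against the form.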

Secure Login

It ensures that login credentials and other submitted information are sent securely via HTTPS, preventing theft of passwords and user information. This module is available for both HTTP and HTTPS.

The module also uses authenticated session cookies to prevent session hijacking.
It secures not only the user/login page but also any page that contains user login information or any form that the admin considers important.

Module Available for version 8.x-1.6x (As updated on 20th Nov 2017)

Secure Password Hashes

Passwords are stored in the form of an MD5 hash in Drupal and many other content management systems. Hackers tend to view the contents of your user table when they gain access to your database through an exploit or MySQL injection.

MD5 is a one-way encryption in which passwords are encrypted so that attackers cannot use them to break into data-loaded user accounts. As an example, suppose your password is “iscream”; with one-way encryption it will look something like this: p1f4f9a525af4540 kjup. A hash of this form has never been decryptable.

Secure Password Hashes uses much more secure encryption methods. Besides that, it can randomly "salt" passwords during encryption, creating a more unique value and making the hash much harder to figure out.
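What a random salt changes is easiest to see on a leaked user table. The following is an added example, not the module's code: it compares unsalted MD5 with salted PBKDF2-HMAC-SHA256, which stands in for the module's stronger method because the page does not name one, and the user table and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this illustration


def md5_unsalted(password):
    """Unsalted MD5: the same password always yields the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_salted(password):
    """Return (salt, digest) using a fresh random salt and a slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def shared_digest_groups(user_table):
    """Group usernames by stored value; any group of 2+ shares a password."""
    groups = {}
    for user, stored in user_table.items():
        groups.setdefault(stored, []).append(user)
    return sorted(users for users in groups.values() if len(users) > 1)


# Constructed user table: two accounts chose the same password.
PASSWORDS = {"ana": "iscream", "bo": "iscream", "cy": "Tr1cky!Horse9"}

if __name__ == "__main__":
    md5_table = {u: md5_unsalted(p) for u, p in PASSWORDS.items()}
    salted_table = {u: hash_salted(p) for u, p in PASSWORDS.items()}
    print("unsalted MD5 reveals reuse:", shared_digest_groups(md5_table))
    print("salted table reveals reuse:", shared_digest_groups(salted_table))
```

With unsalted digests, identical passwords are visible as identical rows and one precomputed lookup covers every account; with per-user salts each row has to be guessed separately.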

XFS (cross-frame scripting)

To prevent cross-site request forgery attacks in applications, it handles the Origin HTTP request header. This is a very important security module for Drupal, adding protection against various security threats. It controls the internal XSS filter of Internet Explorer, Safari or Google Chrome via the X-XSS-Protection HTTP response header, prevents content sniffing, and adds the X-Frame-Options HTTP response header to prevent clickjacking in the application. It also helps in implementing HTTPS to prevent eavesdropping and man-in-the-middle attacks, and in implementing a Content Security Policy.
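Whether the response headers described here and in the Security kit section are actually being sent can be checked from the responses themselves. The audit below is an added example, not part of any module: the acceptance rules, the six-month HSTS floor and the sample header sets are assumptions, and it covers four headers (framing, content sniffing, Content Security Policy and HTTPS enforcement).

```python
import re

MIN_HSTS_AGE = 15_768_000  # assumed floor: about six months, in seconds


def _hsts_ok(value):
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return bool(match) and int(match.group(1)) >= MIN_HSTS_AGE


CHECKS = {
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "Content-Security-Policy": lambda v: "default-src" in v or "script-src" in v,
    "Strict-Transport-Security": _hsts_ok,
}


def audit_headers(headers):
    """Return {header: "missing" | "weak"} for every check that fails."""
    seen = {name.lower(): value for name, value in headers.items()}
    findings = {}
    for name, is_ok in CHECKS.items():
        value = seen.get(name.lower())
        if value is None:
            findings[name] = "missing"
        elif not is_ok(value):
            findings[name] = "weak"
    return findings


# Constructed response headers, not captured from a real site.
BARE = {"Content-Type": "text/html; charset=UTF-8"}
WEAK = {
    "x-frame-options": "ALLOWALL",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=0",
}
HARDENED = {**WEAK, "x-frame-options": "SAMEORIGIN",
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    for label, sample in (("bare", BARE), ("weak", WEAK), ("hardened", HARDENED)):
        print(label, "->", audit_headers(sample) or "ok")
```

Running such a check against staging after every module or theme update catches a header that was silently dropped by a configuration change.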


These are a few of the security modules that can help secure your Drupal 8 website. It is vital to constantly check for possible security threats. Let us help you secure your website; talk to us at [email protected]. Now you don’t have to worry about security issues anymore.