Drupal Security and Performance Tips

Drupal is regarded as a very secure CMS, and the Drupal security team is a highly efficient group of people watching the Drupal ecosystem to find and resolve security issues as soon as they crop up. But no amount of programming will fix security issues caused by incorrect configuration of a Drupal site. Here is a checklist of items that you have to confirm before and after deploying a new Drupal site.


Security is first on this Drupal checklist because it’s so important. Of course you want to rest easy knowing that your site is secure when it launches. You also want your users to have peace of mind knowing that their information is safe.

Double checking your site’s security will ensure that there’s nothing you’ve missed that could make you vulnerable to hackers.

Check that the admin (user 1) password is secure

The first account you create for your Drupal system is the UID 1, or superuser, account. This account has all privileges and cannot be denied any privilege. It is an extremely powerful and dangerous account. Don’t forget to secure this account before you launch. If attackers got hold of this account, the results would be devastating. Get in the habit of using your own user account and only relying on the UID 1 account when you have to. Be sure to choose a good, strong password for the admin account.

Check that forms are protected by some anti-spam techniques

Spam is everywhere, in our emails, in websites, in social media, but how can you stop it appearing on your site? There are a few ways, some easy, some difficult and it depends on your situation, which method is best for you.

The problem is that if you forget to protect forms with some anti-spam technique, especially the user login and registration forms and others such as Webform and Comments, you can wake up in six months with a huge amount of spam that you need to clean up. Make sure that you implement an anti-spam technique such as CAPTCHA, Google reCAPTCHA or Honeypot.

If you don’t expect users to create accounts, disable this functionality.

One of the things I kept forgetting and paid the price later was to disable the right for anonymous users to create user accounts on the site. By default on a fresh Drupal install, anonymous users can create accounts and you as an admin need to approve them.

This piece of advice of course concerns those who create new websites that don’t need people creating accounts. If you require users to be able to create accounts themselves, make sure you implement some anti-spam technique such as CAPTCHA or Honeypot.

Disable development modules and Error Reporting

There are various modules you’ll use locally while you develop or debug your Drupal site. The Devel module is something you’ll probably enable and the error reporting will most likely be turned on so you can see what’s going on.

This is all well and good, but make sure that when you push your changes to the production site, these get turned off. Keeping the Devel module enabled on a live site is not recommended and can be a security risk. And although it amounts to security by obscurity, disabling the printing of errors to the screen is also important: error messages can reveal file paths, database details and other internals. It is also more user friendly.

Filesystem security

Check that you have removed the write permissions on settings.php, that the files folder is owned by the web server (apache) user, and that you have not set 777 on the files folder.

Make sure you follow good filesystem security practices. Don’t allow the web server to write to any files or directories that aren’t necessary. Make sure you restrict access to the settings.php file, which contains database credentials in plain text. Make sure attackers can’t create new files or manipulate files if they manage to gain access to a system account (such as through a brute force SSH attack).

As with databases, be sure to back up the filesystem files. Test your backup and restore procedure to ensure your backups will be useful if you ever run into a problem.

Remove .txt files from Core

Once your site is public, its vulnerabilities are as well. So if you haven’t deleted the CHANGELOG.txt file from your Drupal root (which you can safely do), potential attackers can find out the version of Drupal you are running, and the risk of those vulnerabilities being exploited increases.

Get rid of CHANGELOG.txt and similar core text files (and keep them out of git as well). Do NOT remove robots.txt! Instead, edit robots.txt back to the standard version, in case it was edited during development to keep search crawlers out.
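The two filesystem checks above (settings.php not writable, files directory not 777) and the removal of version-revealing core text files can be audited from a shell in one pass. The script below is an added example and is not part of the original article or of Drupal itself. It assumes the default layout (settings.php at sites/default/settings.php, public files at sites/default/files), and the list of core text files it looks for is an assumption based on files Drupal core has shipped; robots.txt is deliberately excluded from that list.

```shell
#!/bin/sh
# Added example (not from the original article or from Drupal): audit a Drupal
# document root for writable settings.php, a world-writable files directory and
# version-revealing core text files. Layout and file list are assumptions.

# Print the 9-character rwx mode string of a path, e.g. rw-r--r--.
# ls -ld is used rather than stat because stat's flags differ between GNU and BSD.
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# Core text files that reveal the Drupal version or layout (assumed list).
# robots.txt is intentionally NOT here: removing it breaks crawler control.
CORE_TXT="CHANGELOG.txt INSTALL.txt UPGRADE.txt MAINTAINERS.txt README.txt COPYRIGHT.txt"

# audit_drupal_root DIR
# Prints one WARN line per finding; returns 1 if anything was found, 0 if clean.
audit_drupal_root() {
    root=$1
    findings=0
    settings="$root/sites/default/settings.php"
    files_dir="$root/sites/default/files"

    # settings.php must carry no write bit at all (owner, group or other).
    if [ -f "$settings" ]; then
        case "$(mode_of "$settings")" in
            *w*) echo "WARN: $settings is writable ($(mode_of "$settings"))"
                 findings=$((findings + 1)) ;;
        esac
    else
        echo "WARN: $settings not found"
        findings=$((findings + 1))
    fi

    # The files directory may be writable by the web server user, but never by
    # everyone (the 777 mistake). The "others" write bit is position 8 of 9.
    if [ -d "$files_dir" ]; then
        case "$(mode_of "$files_dir")" in
            ???????w?) echo "WARN: $files_dir is world-writable"
                       findings=$((findings + 1)) ;;
        esac
    fi

    # Version-revealing text files still present in the document root.
    for name in $CORE_TXT; do
        if [ -f "$root/$name" ]; then
            echo "WARN: $root/$name reveals core version/layout; remove it"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}

# remove_core_txt DIR: delete the files listed above, leaving robots.txt alone.
remove_core_txt() {
    for name in $CORE_TXT; do
        rm -f "$1/$name"
    done
}

# Usage: DRUPAL_ROOT=/var/www/html sh audit.sh
if [ -n "${DRUPAL_ROOT:-}" ]; then
    audit_drupal_root "$DRUPAL_ROOT"
fi
```

Run it as part of the deploy pipeline and fail the deploy on a non-zero exit; the ownership check (files folder owned by the web server user) is left to `ls -ld` output because the expected user name differs per distribution.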

Permissions control

Verify the permissions that have been given to anonymous and authenticated users and ensure that anonymous users do not have access to problematic input formats like PHP, Full HTML.

Be wary of any permission listed at http://drupal.org/security-advisory-policy (administer filters, administer users, administer permissions, administer content types, administer site configuration, and administer views). As previously stated, disabling PHP will remove the need for some of these, but some permissions, such as ‘administer site configuration’, are used by non-obvious modules and can be leveraged to compromise a Drupal site quite easily. Guard those permissions jealously. It’s worth considering creating a third role between “Authenticated user” and “Administrator” and limiting these permissions to just the “Administrator” role.
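A quick way to review the role assignments described above is to run the site's role/permission listing through a filter that flags every non-administrator role holding one of the risky permissions. The function below is an added example, not part of the original article or of Drupal; it reads tab-separated "role<TAB>permission" lines on standard input, a format constructed for this example (a real listing, for instance exported with drush, would need to be reshaped to it). The permission machine names for the PHP and Full HTML text formats (`use text format php_code`, `use text format full_html`) are assumed from Drupal conventions.

```shell
#!/bin/sh
# Added example (not from the original article or from Drupal): flag risky
# permissions granted to any role other than "administrator".
# Input format (constructed for this example): one "role<TAB>permission" per line.

# Permissions from the security advisory policy plus the two dangerous text
# formats mentioned above (format machine names are an assumption).
RISKY_PERMS='administer filters|administer users|administer permissions|administer content types|administer site configuration|administer views|use text format php_code|use text format full_html'

# flag_risky_perms < listing
# Prints one RISKY line per offending grant; returns 1 if any were found.
flag_risky_perms() {
    awk -F '\t' -v risky="$RISKY_PERMS" '
        BEGIN {
            n = split(risky, r, "|")
            for (i = 1; i <= n; i++) bad[r[i]] = 1
            count = 0
        }
        # Only the administrator role may hold these; anonymous and
        # authenticated are the usual culprits, but any custom role counts.
        $1 != "administrator" && ($2 in bad) {
            printf "RISKY: role \"%s\" has \"%s\"\n", $1, $2
            count++
        }
        END { exit (count > 0) }
    '
}

# Constructed sample listing: anonymous has full_html, editors can administer
# users, the administrator role holds everything (which is expected).
SAMPLE_LISTING=$(printf '%s\n' \
    'anonymous	access content' \
    'anonymous	use text format full_html' \
    'authenticated	post comments' \
    'editor	administer users' \
    'administrator	administer site configuration')

# count_risky: run the sample through the filter and return the number of hits.
count_risky() {
    printf '%s\n' "$SAMPLE_LISTING" | flag_risky_perms | wc -l | tr -d ' '
}
```

The two findings in the sample (anonymous with Full HTML, editor with administer users) are exactly the kind of grants the advisory policy warns about; the administrator grant is not reported.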

Update Drupal core and contrib modules regularly

It’s recommended that you update your site when there are updates issued by the core maintainers, especially when there are security updates. Yes, it can take some time to perform these updates, but it’s worth it.

Use the Drupal core ‘Update’ module. Enable it and have it send you e-mails when new versions of modules (or Drupal core) are available. Install updates as soon as possible once they are recommended. Many updates are issued to address security vulnerabilities, and once the update (and the vulnerability) becomes public, your site could become a target.

Additionally, if you leave it for later, you’ll end up having to do a big update across many version numbers which makes it much more difficult. It’ll take much more time to do and the risk of breaking some functionality will increase as well.

Live URLs and basic SEO optimization

When a site goes live, the URLs are transferred from a staging area to production. Every single URL on your site needs to be tested when the site goes live to make sure it leads to the correct destination. This is important from both a functionality standpoint and for SEO purposes; visitors will get frustrated, and your site will be penalized by search engines if these URLs are incorrect.

You don’t need to be an SEO expert to help users find your website. Start by enabling clean URLs. Simply check the “Enable clean URLs” checkbox under Configuration » Search and metadata » Clean URLs.

Along with Clean URLs, you’ll want to install the Pathauto module. This module automatically generates your page URLs based on the content titles. Simply enable this module and it should take care of the rest for you.

Don’t forget the favicon!

Nothing really ties in the whole website like the favicon icon used by browsers 🙂 It’s something that is easily overlooked but is a part of branding of the website. You can upload your favicon by going to your Drupal (sub)theme settings and uploading your icon under “Shortcut Icon Settings”.

Configure Google Analytics

Part of having a successful website includes knowing your audience. Where do your users live? What pages are your users spending the most time on? Google Analytics provides a bunch of useful information that you can use to better tailor your website towards your target audience. There are a few ways to add analytics to your Drupal site.

Disable or Delete unused modules and Views

Often during the development phase of creating a website you’ll end up installing several modules, some of which are used specifically for development and some of which just don’t end up getting used. Running a large number of modules on your Drupal site consumes more memory and slows down your website, and every enabled module is also extra code that must be kept updated. The same applies to Views.


When you launch your site you want to know that it’s running at peak performance.

It is imperative that you check that your site’s cache is fully configured. Caching will improve your site’s performance a great deal.

Views should be checked as well: any pages or blocks built with Views have their cache switched off by default. Check that caching is configured for each of them.

Minimize CSS and JavaScript files and reduce your HTTP requests

With so many people accessing web content via their phones these days, it’s a good idea to keep your file sizes to a minimum. In Drupal, there’s a pretty easy way to do this. Navigate to Administration » Configuration » Development and at the bottom of the page you’ll see two options: Aggregate and compress CSS files, and Aggregate JavaScript files.

Check both of these boxes. Both of these options will help reduce your page load time and the number of HTTP requests. Alternatively, you can use CSS Minifier to minify your CSS and http://jscompress.com/ to compress your JS without aggregating. If you use either of the online options, be sure to keep an uncompressed copy of your files for easy editing in the future.

Test, test and test some more.

This really goes for any type of website, Drupal or otherwise. With people using such a large array of different devices — small, large, old, new — it’s a good idea to test your website on as many devices as possible. If you built your website on a local server, you may also want to check and make sure all of your webforms are functioning properly once you upload your website to a live server.

Is Your Drupal Checklist Complete?

Then it’s time to go live! If you’ve followed each step, you can be confident that your site is ready to be seen by the world.

Are you working on creating a Drupal website?

HostForLIFEASP.NET is Highly Recommended for Drupal 10.0.3 Hosting in Europe

HostForLIFEASP.NET is highly recommended for people who are looking for a multi-purpose, reliable, fast and trusted shared web host at an affordable rate. If you are planning to establish your web presence or move away from your current web host, HostForLIFEASP.NET is one of the best choices, and you won’t go wrong with it.