Contributed modules for Securing your Drupal Site

Among the thousands of modules on drupal.org there are over 100 in the security category. Unfortunately some of those are abandoned or inaccurately tagged. We've looked at every module and compiled this resource to help you understand the security-related community modules available. Not all modules provide security exactly, some are about hardening your site against weaknesses and others are about monitoring and reporting abuses.

This list will stay up-to-date as new modules are added and we will be expanding it for usefulness and to include our assessment of each module's capabilities.

When you add a module to your site you increase the attack surface and that while these are intended to increase the security of your site they may introduce weaknesses.

Login and session

• Persistent Login
  • How long, how many, and on what pages login is remembered
• Single Login
  • Detect and prevent duplicate logins

Password

• Login Security
  • Limit unsuccessful logins, ban by IP, notifications (i.e. prevent brute force password cracking attacks)
• Password change confirm
  • Require existing password before changing password
• Password Require
  • Require a password for submitting any form
• Password Strength
  • Check and enforce password strength
• Password Expire
  • Passwords expire after a set time
• Password Policy
  • Enforce password strength
• Salt
  • Prepend a "salt" to passwords prior to storage (Not needed in Drupal 7)
• Secure Password Hashes (phpass)
  • Store password hashes using phpass instead of MD5 (Not needed in Drupal 7)

Logging

• User Role History
  • Logs when roles changed and why - helpful for auditing.

Authentication

• PassWindow
  • Two-step authentication via visual decoding with physical card
• OpenID
  • Authentication via OpenID service (in core Drupal 6 and 7)
• Swekey
  • Two-step authentication using USB key
• Windows Live ID
  • Authentication via Windows Live
• YubiKey
  • Two-step authentication using USB key

Analysis

• BadBehavior
  • Monitor traffic and block spampots or malicious requests
• ClamAV integration
  • ClamAV analysis of uploaded files
• GoAway
  • Light-weight ban by IP
• HTTP Black List (http:BL)
  • Implement the http:BL in Drupal, blocking requests from blacklisted IPs
• HTTP Reject
  • Drupal-based request monitoring and rejection
• MD5 Check
  • Create MD5 checksum of all Drupal files and monitor for alterations
• PHP Intrusion Detection System (PHPIDS)
  • Implement the PHP Intrusion Detection System for monitoring and alerting for malicious visitors
• Remote File Inclusion Report
  • Record attempts to have remote files included in Drupal
• Security Review
  • Check for misconfiguration that leads to an insecure site
• Security scanner component for SimpleTest
  • Penetration test your site
• Tiny IDS
  • a 100% Drupal native Intrusion Detection System
• Troll
  • Track and ban IPs

Secure communications

• Client Side Encryption (cse)
  • Encrypt data transfer between browser and server
• Encrypt Submissions
  • Javascript encryption of form submissions
• OpenPGP
  • Encrypt outgoing emails
• Secure by role
  • Force certain pages over SSL
• Secure Pages
  • Force certain pages over SSL
  • Secure Pages Prevent Hijack - Prevent hijacked sessions from accessing secure pages.

Anti-spam and protection

• Prevent spam submissions
  • BOTCHA
  • CAPTCHA
  • reCAPTCHA
  • CAPTCHA Pack
  • Egglue CAPTCHA
  • Captcha Riddler
  • Mollom
  • Akismet
  • Spam
  • Block anonymous links
  • BlogSpam
  • VidoopCAPTCHA
  • Spamicide
• Email2Image
  • Obfuscate emails by displaying them as images
• Secure Permissions
  • Control access to the permissions setting page
• Spamspan Filter
  • Obfuscate emails
• GTSpam
  • Obfuscate emails
• Paranoia
  • Disable some of Drupal's features not necessary for all sites, like the PHP input filter.
• Paranoid Form Validator
  • Reject form submissions containing potentially-dangerous input