In a world where cyber attacks are becoming more elaborate, you want to protect your website.
We see that website security is a major priority for many businesses and organizations. They often ask our development & support team to build a secure website or perform a website security audit on an existing one.
Today's topic is building a secure website with Guardr, a free website starter kit based on the Drupal CMS and equipped with enhanced website security measures.
It can be a good fit if you want to build a secure website for a government, financial institution, corporation, or any other organization with a focus on safety.
First, why choose the Drupal CMS if you need a secure website?
Before we move on to Guardr, let's begin with why you should choose Drupal in the first place to build a secure website. Drupal is an enterprise-level CMS whose security is rated high. There are a few reasons that explain this:
- It has dedicated teams that watch over website safety: the Drupal Security Team and the Security Working Group. They resolve security issues, write documentation guides, help developers write secure code, and take care of the security of the Drupal core (main package) and contributed (add-on) modules.
- Drupal has a security advisory policy. According to it, whenever security updates are released and need to be applied on a site, the security team issues a public advisory so that everyone knows about it.
- The CMS has strong coding standards and strict processes of code review by the open-source community in order to keep sites secure.
- Out of the box, Drupal user account passwords are encrypted before being stored in the database. Drupal also supports various password protection policies and authentication practices.
- Site administrators can control who can create, edit, and delete which content, manage settings, and perform other actions. This is achieved through granular permissions for specific user roles.
- To protect your website even better, Drupal uses database encryption on various levels — either for the whole database or for specific site components.
- There are plenty of add-on modules that are used to check and improve Drupal website security in various ways. Among them are the Security Kit, Paranoia, Security Review, Secure Login, Hacked!, CAPTCHA, Two-factor Authentication (TFA), and many more.
- The list of things that help Drupal developers build secure sites could go on. There is one very special item on it: the Guardr distribution that we are now moving on to.
Drupal’s Guardr: the secure package within the secure CMS
Guardr is a Drupal distribution to build secure websites with. What does a “distribution” mean? Distributions are website starter packages with specific modules and settings tailored to some industries, types of sites, priorities, etc. This allows us to build websites considerably faster.
When it comes to Guardr, its special focus is very clear: it is oriented toward enterprises with an increased need for a secure website. The creators of Guardr have worked with security departments of some national banks and corporations in the US, so they know what is necessary for enterprise website security. They also studied the CSSLP and CISSP certifications focussed on security in software development.
Guardr: following the CIA (information security triad)
The Guardr kit is built according to the principles of the CIA Triad, a model that guides the information security policies of an organization. The triad consists of these three indispensable components:
Some important website security features of Guardr
Here is what helps Drupal Guardr implement website security best practices.
Guardr includes these handpicked modules to protect your website. Here is what they provide:
Secure user passwords
Weak passwords are a common security problem with websites. With Guardr, users will only choose secure passwords that are not dictionary words thanks to the Password Policy module.
Protection from password theft
Guardr forbids users' browsers to save passwords, which protects you from password theft. This is achieved thanks to the Clear saved password field module.
Protection from attacks through PHP
You can never be too cautious. Even your site admins will be forbidden to evaluate PHP, which can block potential attacks through PHP code. The Paranoia module will take care of this.
More detailed logs to know what happens
You will always be aware of every step taken on your website. Guardr gives you more detailed logging of all events than Drupal does by default (1,000,000 vs 1,000 logs) due to the Role Watchdog module.
DoS attack prevention
DoS attacks can make your site unavailable to users. The Diskfree module inside Guardr gives you a warning when your disk is going to fill up, which is one of the ways to prevent a DoS attack.
List of users protected
Cybercriminals often use valid user names for their attacks. The list of users on your Guardr site will not be exposed on the web thanks to the Username Enumeration Prevention module.
Fatal errors hidden
Fatal errors happen, but not everyone should see them on your site. It's a good practice to hide them, and the Hide PHP Fatal Error module is very helpful for this.
Drupal version hidden
It can be a security risk to have your Drupal version visible and public. The Remove Generator META tag module in Guardr can help you with this by removing the Generator META tag.
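A way to confirm the last two outcomes (no fatal error text, no Generator disclosure) on a saved response from your own site, as an added example that is not part of Guardr or of the original article. The sample responses are constructed, and the `X-Generator` header check goes beyond the META tag named above, since Drupal also sends its generator string as a response header.

```python
import re
from html.parser import HTMLParser

# Constructed sample responses (not captured from any real site).
UNHARDENED = {
    "headers": {"Content-Type": "text/html; charset=utf-8",
                "X-Generator": "Drupal 7 (http://drupal.org)"},
    "body": '<html><head><meta name="Generator" content="Drupal 7 (http://drupal.org)" />'
            '</head><body><b>Fatal error</b>:  Call to undefined function foo() in '
            '<b>/var/www/html/index.php</b> on line <b>12</b></body></html>',
}
HARDENED = {
    "headers": {"Content-Type": "text/html; charset=utf-8"},
    "body": "<html><head><title>Home</title></head><body>Welcome</body></html>",
}

# PHP prints "Fatal error: <msg> in <file> on line <n>", with <b> tags when html_errors is on.
FATAL_RE = re.compile(r"(?:<b>)?Fatal error(?:</b>)?:\s.*?\son line\s", re.I | re.S)


class _MetaGenerator(HTMLParser):
    """Collects the content of every <meta name="generator"> tag."""
    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.values.append(a.get("content", ""))


def audit_response(headers, body):
    """Return a sorted list of disclosure findings for one HTTP response."""
    findings = []
    for name, value in headers.items():
        if name.lower() == "x-generator":  # header names are case-insensitive
            findings.append(f"header X-Generator: {value}")
    parser = _MetaGenerator()
    parser.feed(body)
    findings += [f"meta generator: {v}" for v in parser.values]
    if FATAL_RE.search(body):
        findings.append("PHP fatal error text in body")
    return sorted(findings)


if __name__ == "__main__":
    for label, resp in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(label, audit_response(resp["headers"], resp["body"]))
```

An empty list means none of the three disclosures was found in that response; run it over a page that normally renders and over one that triggers an error path.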
There are also a few important security settings worth mentioning:
- To increase safety, users are not allowed to create their own accounts — only admins can do it for them until they switch the site to public sign-up.
- Guardr also protects you from email interception. If someone intercepts your email, they will gain nothing from it, because the default email notifications have references to user names and IDs removed.
- Intruders also don't need to know about your website's updates. Errors and warnings about available Drupal updates will not be displayed as usual in the site admin by default. Seeing them will require an opt-in.
- SSL makes web interaction safe. Guardr has extra documentation added to settings.php telling you how to connect to MySQL via SSL.
How to build a secure website with Drupal Guardr
With the use of a distribution, the steps to build a secure website are minimized. Here is what is needed:
- The Guardr distribution needs to be downloaded and installed, which already creates a standard website.
- Since every organization is unique, you may need to build additional features and make specific configuration changes according to your business requirements. All this can be done by a Drupal development team.
- You will also need website theming and design services so the site reflects your brand’s identity.
- Finally, you need to purchase a domain name and have your site hosted with a good hosting provider.
Let us help you build a secure website
The Drudesk team is ready to help you with all of the above steps to build a secure website with Guardr. We specialize in Drupal development, support, design, and also offer hosting services. What is more, our prices are very competitive and the performance of our specialists is high. Let's begin discussing this!