Secure configuration for site builders

Last updated on 10 January 2024

When Drupal is first installed, much of its configuration is geared towards ease of use for certain use cases: for example, a community-led website that needs authenticated contributions of some sort will need to permit site visitors to create their own (low-privilege) accounts. However, you might want to limit the number of accounts on your website, and therefore turn that off.

Here are a few things you can do to "lock down" a new Drupal website.

  • Prevent site visitors from creating their own accounts. This will mean that only site administrators can create accounts.
  • Secure the user with UID=1. This first account on the site has special privileges, at the time of writing, but is rarely required. Most administrative tasks that this account can do are possible using another account with the relevant permissions, or through Drush.
  • Check roles have no more permissions than they require. Repeat this check periodically, not just when the site is first installed. Under People > Permissions, ensure that the "authenticated user" and "anonymous user" roles only have the permissions you would like them to have.
  • Keep the site up to date. To subscribe to security announcements through your preferred notification service (email, RSS, Twitter etc.) see the sidebar on the Security advisories page.
  • Disable, or don't enable, the Testing (simpletest) module. If some users have permission to run tests, they could maliciously run them over and over. Also, make sure Composer-based dev tools are not installed, using composer install --no-dev.
  • Further security advice is available, especially if you have access to the server your site is running on.
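The checklist above can be checked mechanically against a site's exported configuration (the `*.yml` files written by `drush config:export`). The script below is an added example, not code from the Drupal documentation or from Drupal core: it reads `user.settings`, `core.extension` and the `user.role.*` items as the dicts that `yaml.safe_load()` produces for those files, and reports a finding for visitor self-registration, an installed Testing (simpletest) module, and any permission on the anonymous or authenticated role outside an allow-list. The allow-list values and the embedded sample configuration are constructed for the example; the UID 1 and `composer install --no-dev` items are not visible in exported config and are not covered here.

```python
"""
Audit an exported Drupal configuration against the lock-down checklist.
Added example, not part of the Drupal documentation or of Drupal core.
Config is a dict keyed by config name (user.settings, core.extension,
user.role.*), i.e. what yaml.safe_load() yields for each file in a
`drush config:export` directory; a constructed sample is embedded so the
script runs offline.
"""
import glob
import os
from typing import Dict, List, Set

# Allow-list of permissions the low-privilege roles may hold.
# These values are an assumption for the example; adjust to your own site.
ALLOWED_ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "anonymous": {"access content"},
    "authenticated": {"access content", "access comments", "post comments"},
}


def audit(config: Dict[str, dict], allowed: Dict[str, Set[str]]) -> List[str]:
    """Return one finding per checklist item that the configuration fails."""
    findings: List[str] = []

    # 1. Only administrators may create accounts (user.settings: register).
    register = config.get("user.settings", {}).get("register")
    if register != "admin_only":
        findings.append(
            f"user.settings.register is {register!r}; set it to 'admin_only' "
            "so site visitors cannot create their own accounts"
        )

    # 2. The Testing (simpletest) module must not be installed.
    #    core.extension.yml lists installed modules under the 'module' key.
    installed_modules = config.get("core.extension", {}).get("module", {})
    if "simpletest" in installed_modules:
        findings.append("Testing (simpletest) module is installed; uninstall it")

    # 3. Low-privilege roles hold no permission outside the allow-list.
    for role, permitted in allowed.items():
        held = set(config.get(f"user.role.{role}", {}).get("permissions", []))
        extra = sorted(held - permitted)
        if extra:
            findings.append(
                f"role '{role}' has unexpected permissions: {', '.join(extra)}"
            )
    return findings


def load_config_dir(path: str) -> Dict[str, dict]:
    """Load every *.yml file in a config export directory (needs PyYAML)."""
    import yaml  # imported here so the offline sample runs without PyYAML

    config: Dict[str, dict] = {}
    for filename in glob.glob(os.path.join(path, "*.yml")):
        name = os.path.splitext(os.path.basename(filename))[0]
        with open(filename, encoding="utf-8") as fh:
            config[name] = yaml.safe_load(fh) or {}
    return config


# Constructed sample resembling a fresh install: fails three checks.
SAMPLE_CONFIG: Dict[str, dict] = {
    "user.settings": {"register": "visitors", "verify_mail": True},
    "core.extension": {"module": {"node": 0, "simpletest": 0, "user": 0}},
    "user.role.anonymous": {
        "id": "anonymous",
        "permissions": ["access content", "administer nodes"],
    },
    "user.role.authenticated": {
        "id": "authenticated",
        "permissions": ["access content", "post comments"],
    },
}

if __name__ == "__main__":
    # Usage against a real export: audit(load_config_dir("config/sync"), ...)
    for finding in audit(SAMPLE_CONFIG, ALLOWED_ROLE_PERMISSIONS):
        print("FAIL:", finding)
```

Run it against a real export with `audit(load_config_dir("config/sync"), ALLOWED_ROLE_PERMISSIONS)`; an empty list means all three checks pass, which makes it suitable as a periodic check rather than a one-off at install time.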
