Secure configuration for site builders
Last updated on 10 January 2024
When Drupal is first installed, much of its configuration favours ease of use for particular use cases: a community-led website that needs authenticated contributions of some sort, for example, must allow site visitors to create their own (low-privilege) accounts. You may, however, want to limit the number of accounts on your website, and therefore to turn that off.
Here are a few things you can do to "lock down" a new Drupal website.
- Prevent site visitors from creating their own accounts. Only site administrators will then be able to create accounts.
- Secure the user with UID=1. This first account on the site has special privileges, at the time of writing, but is rarely required. Most administrative tasks that this account can do are possible using another account with the relevant permissions, or through Drush.
- Check that roles have no more permissions than they require. You can do this from time to time, not just when the site is first installed. Under People > Permissions, ensure that the "authenticated user" and "anonymous user" roles only have the permissions you would like them to have.
- Keep the site up to date. To subscribe to security announcements through your preferred notification service (email, RSS, Twitter etc.), see the sidebar on the Security advisories page.
- Disable, or don't enable, the Testing (simpletest) module. If some users have permission to run tests, they could maliciously run them over and over. Also make sure Composer-based dev tools are not installed, by running composer install --no-dev.
- Further security advice is available, especially if you have access to the server your site is running on.
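As an added example (not code from the Drupal documentation or project), the shell script below audits an exported config-sync directory for three of the items above: visitor self-registration, an enabled Testing module, and administrative permissions granted to the anonymous and authenticated roles. It assumes the standard file names and YAML layout written by drush config:export (user.settings.yml, core.extension.yml, user.role.*.yml), and the two sample directories it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Audit an exported Drupal config-sync directory (as written by `drush config:export`)
# for three lock-down items; the YAML layout assumed is Drupal's standard config export.
# UID 1 and update status are not held in config, so they are not checked here.
set -eu
audit_drupal_config() {
  dir="$1"
  # 1. Self-registration: 'register' in user.settings.yml should be admin_only.
  reg=$(sed -n 's/^register: *//p' "$dir/user.settings.yml" 2>/dev/null || true)
  if [ "$reg" != "admin_only" ]; then
    echo "FINDING: user.settings register='$reg' (expected admin_only)"
  fi
  # 2. Testing (simpletest) module listed as enabled in core.extension.yml.
  if grep -q '^  simpletest:' "$dir/core.extension.yml" 2>/dev/null; then
    echo "FINDING: simpletest module is enabled"
  fi
  # 3. Administrative permissions on the two roles every visitor or user holds.
  for role in anonymous authenticated; do
    f="$dir/user.role.$role.yml"
    [ -f "$f" ] || continue
    for perm in 'administer users' 'administer permissions' 'administer modules' \
                'administer site configuration' 'bypass node access'; do
      if grep -Fq -- "- '$perm'" "$f"; then
        echo "FINDING: role '$role' grants '$perm'"
      fi
    done
  done
  return 0
}
# Constructed sample resembling a fresh install before lock-down.
make_weak_config() {
  d=$(mktemp -d)
  printf 'register: visitors\nverify_mail: true\n' > "$d/user.settings.yml"
  printf 'module:\n  node: 0\n  simpletest: 0\n  user: 0\n' > "$d/core.extension.yml"
  printf "permissions:\n  - 'access content'\n  - 'administer users'\n" > "$d/user.role.anonymous.yml"
  printf "permissions:\n  - 'access content'\n  - 'administer modules'\n" > "$d/user.role.authenticated.yml"
  echo "$d"
}
# Constructed sample after the steps above have been applied.
make_hardened_config() {
  d=$(mktemp -d)
  printf 'register: admin_only\nverify_mail: true\n' > "$d/user.settings.yml"
  printf 'module:\n  node: 0\n  user: 0\n' > "$d/core.extension.yml"
  printf "permissions:\n  - 'access content'\n" > "$d/user.role.anonymous.yml"
  printf "permissions:\n  - 'access content'\n" > "$d/user.role.authenticated.yml"
  echo "$d"
}
```

Run audit_drupal_config against your real config/sync directory; it prints one FINDING line per issue and nothing when the three checks pass.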