The Paranoia module attempts to identify all the places that a user can evaluate PHP via Drupal's web interface and then block those. It reduces the potential impact of an attacker gaining elevated permission on a Drupal site.

The specific features are:

  • Disable granting of the "use PHP for block visibility" permission.
  • Disable creation of input formats that use the PHP filter.
  • Disable editing the user #1 account.
  • Prevent granting risky permissions.
  • Disable disabling this module. Yes, that's right you need to go to the database to get rid of it again.

After installing, be sure to visit and save the permissions form to remove all previous grants.

To take full advantage of this module you need to identify any nodes, fields, blocks that use the PHP Filter, alter them to work some other way, and then delete the standard PHP filter at admin/config/content/formats.

Patches in other modules' queues

While paranoia can block some things it's also sometimes possible to improve security in other modules more directly. Please review the issue, apply the patch to test it locally, and consider deploying it to your sites:

Other security focused projects you may be interested in:

Supporting organizations: 
Development and maintenance of the 7.x branch

Project information