The Paranoia module attempts to identify all the places that a user can evaluate PHP via Drupal's web interface and then block those. It reduces the potential impact of an attacker gaining elevated permission on a Drupal site.
The specific features are:
- Disable granting of the "use PHP for block visibility" permission.
- Disable creation of input formats that use the PHP filter.
- Disable editing the user #1 account.
- Prevent granting risky permissions.
- Disable disabling this module. Yes, that's right: you need to go to the database to get rid of it again.
After installing, be sure to visit and save the permissions form to remove all previous grants.
To take full advantage of this module you need to identify any nodes, fields, and blocks that use the PHP Filter, alter them to work some other way, and then delete the standard PHP filter at admin/config/content/formats.
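As an added example (not part of the Paranoia module), the following drush script audits a Drupal 7 site for the remaining PHP-filter dependencies the paragraph above asks you to find: formats with the PHP filter enabled, field rows and custom blocks saved in those formats, and block placements using PHP visibility. It assumes core's default filter, field_sql_storage and block schema; the script file name is an assumption.

```php
<?php
// Added audit script (not part of the Paranoia module). Run it with
// `drush php-script find_php_usage.php` (script name is an assumption) on a
// Drupal 7 site to list what still relies on the PHP filter before deleting it.
// Assumes core's field_sql_storage, filter and block tables and APIs.

// 1. Text formats that have the "php_code" filter switched on.
$php_formats = array();
foreach (filter_formats() as $format) {
  $filters = filter_list_format($format->format);
  if (!empty($filters['php_code']->status)) {
    $php_formats[] = $format->format;
  }
}

if (empty($php_formats)) {
  drush_print('No text format has the PHP filter enabled.');
}
else {
  drush_print('Formats with the PHP filter: ' . implode(', ', $php_formats));

  // 2. Text fields keep the format per row in "<field>_format"; scan each
  //    SQL-stored field's data table for rows saved in a PHP-enabled format.
  foreach (field_info_fields() as $field_name => $field) {
    if (empty($field['columns']['format']) || $field['storage']['type'] != 'field_sql_storage') {
      continue;
    }
    $column = _field_sql_storage_columnname($field_name, 'format');
    $rows = db_select(_field_sql_storage_tablename($field), 't')
      ->fields('t', array('entity_type', 'bundle', 'entity_id'))
      ->condition($column, $php_formats, 'IN')
      ->execute();
    foreach ($rows as $row) {
      drush_print("$row->entity_type/$row->bundle #$row->entity_id: field $field_name uses a PHP-enabled format");
    }
  }

  // 3. Custom blocks store their body format in block_custom.format.
  $blocks = db_query('SELECT bid, info FROM {block_custom} WHERE format IN (:f)', array(':f' => $php_formats));
  foreach ($blocks as $block) {
    drush_print("custom block #$block->bid ($block->info) uses a PHP-enabled format");
  }
}

// 4. Block placements whose visibility is decided by PHP code in block.pages.
$placements = db_query('SELECT module, delta, theme FROM {block} WHERE visibility = :v', array(':v' => BLOCK_VISIBILITY_PHP));
foreach ($placements as $block) {
  drush_print("block $block->module/$block->delta (theme $block->theme) uses PHP for visibility");
}
```

Re-run it after converting the reported items until every section prints nothing; only then is it safe to delete the PHP-enabled format.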
Patches in other modules' queues
While Paranoia can block some things, it's also sometimes possible to improve security in other modules more directly. Please review the issue, apply the patch to test it locally, and consider deploying it to your sites:
- 2329259_views_remove_php_access.patch, in combination with Paranoia disabling the php module, makes it impossible to use PHP for importing a view or validating/defaulting an argument. Specifically the
- removes PHP input from cdn.module
Other security focused projects you may be interested in:
- Security Review module, a free tool to find common mistakes in your site configuration