The Paranoia module attempts to identify all the places that a user can evaluate PHP via Drupal's web interface and then block those. It reduces the potential impact of an attacker gaining elevated permission on a Drupal site.

The specific features are:

  • Disable granting of the "use PHP for block visibility" permission.
  • Disable creation of input formats that use the PHP filter.
  • Disable editing the user #1 account.
  • Prevent granting risky permissions.
  • Disable disabling this module. Yes, that's right you need to go to the database to get rid of it again.

After installing, be sure to visit and save the permissions form to remove all previous grants.

To take full advantage of this module you need to identify any nodes, fields, blocks that use the PHP Filter, alter them to work some other way, and then delete the standard PHP filter at admin/config/content/formats.

Other security focused projects you may be interested in:

Project Information