The Paranoia module attempts to identify all the places that a user can evaluate PHP via Drupal's web interface and then block those. It reduces the potential impact of an attacker gaining elevated permission on a Drupal site.
The specific features are:
- Disable granting of the "use PHP for block visibility" permission.
- Disable creation of input formats that use the PHP filter.
- Disable editing the user #1 account.
- Prevent granting risky permissions.
- Disable disabling this module. Yes, that's right: you need to go to the database to get rid of it again.
After installing, be sure to visit and save the permissions form to remove all previous grants.
To take full advantage of this module you need to identify any nodes, fields, or blocks that use the PHP filter, alter them to work some other way, and then delete the standard PHP filter at admin/config/content/formats.
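An audit script along these lines, added here as an example (it is not part of the Paranoia module) and assuming the standard Drupal 7 core schema and `drush`, lists the remaining PHP dependencies so they can be reworked before the format is deleted:

```php
<?php
/**
 * Added example, not Paranoia's own code. Run with
 * `drush php-script paranoia_audit.php` on a Drupal 7 site to list every
 * place that still relies on the PHP filter or on PHP block visibility.
 * Assumes the core D7 schema (filter, role_permission, block, block_custom,
 * field_data_* tables) and that the PHP evaluator filter belongs to module 'php'.
 */

// 1. Text formats that include the PHP evaluator filter.
$php_formats = db_query(
  "SELECT DISTINCT format FROM {filter} WHERE module = 'php' AND status = 1"
)->fetchCol();
print "Text formats with the PHP filter: " . implode(', ', $php_formats) . "\n";

// 2. Roles holding the permission that Paranoia refuses to grant.
$roles = db_query(
  "SELECT r.name FROM {role_permission} rp JOIN {role} r ON r.rid = rp.rid
   WHERE rp.permission = 'use PHP for block visibility'"
)->fetchCol();
print "Roles with 'use PHP for block visibility': " . implode(', ', $roles) . "\n";

// 3. Blocks whose placement is decided by PHP code (BLOCK_VISIBILITY_PHP).
$blocks = db_query(
  "SELECT module, delta, theme FROM {block} WHERE visibility = :php",
  array(':php' => BLOCK_VISIBILITY_PHP)
)->fetchAll();
foreach ($blocks as $b) {
  print "Block $b->module/$b->delta ($b->theme) uses PHP visibility\n";
}

if ($php_formats) {
  // 4. Custom blocks whose body is stored in a PHP-enabled format.
  $custom = db_query(
    "SELECT bid, info FROM {block_custom} WHERE format IN (:fmts)",
    array(':fmts' => $php_formats)
  )->fetchAll();
  foreach ($custom as $c) {
    print "Custom block $c->bid ('$c->info') uses a PHP format\n";
  }

  // 5. Every text field (node body, long text fields, ...) stored in a PHP format.
  foreach (field_info_fields() as $name => $field) {
    if (!in_array($field['type'], array('text', 'text_long', 'text_with_summary'))) {
      continue;
    }
    $rows = db_query(
      "SELECT entity_type, bundle, entity_id FROM {field_data_$name}
       WHERE {$name}_format IN (:fmts)", array(':fmts' => $php_formats)
    )->fetchAll();
    foreach ($rows as $r) {
      print "$r->entity_type $r->bundle #$r->entity_id: field $name uses a PHP format\n";
    }
  }
}
```

Each reported item is something that will stop rendering (or lose its visibility rule) once the PHP filter format is removed, so rework them first.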
Patches in other modules' queues
While Paranoia can block some things, it is also sometimes possible to improve security in other modules more directly. Please review the issue, apply the patch to test it locally, and consider deploying it to your sites:
- 2329259_views_remove_php_access.patch, in combination with Paranoia disabling the PHP module, makes it impossible to use PHP for importing a view or validating/defaulting an argument. Specifically the
Other security-focused projects you may be interested in:
- Security Review module, a free tool to find common mistakes in your site configuration
- Maintenance status: Actively maintained
- Development status: Under active development
- Module categories: Security
- Reported installs: 6,196 sites currently report using this module.
- Downloads: 71,647
- Automated tests: Enabled
- Last modified: October 10, 2016
- Stable releases are covered by the security advisory policy.