656 Modules match your search

Extend and customize Drupal functionality with contributed modules. If a module doesn't quite do what you want it to do, if you find a bug or have a suggestion, then join forces and help the module maintainer. Or, share your own by starting a new module.

CAPTCHA

Image CAPTCHA example

A CAPTCHA is a challenge-response test most often placed within web forms to determine whether the user is human. The purpose of CAPTCHA is to block form submissions by spambots, which are automated scripts that post spam content everywhere they can. The CAPTCHA module provides this feature to virtually any user facing web form on a Drupal site.

Co-maintainer wanted

We do this our spare time, which is unfortunately almost nonexistent at the moment due to real life obligations. To give the CAPTCHA module the required level of maintenance, an extra co-maintainer would be welcome. If you're interested in helping with this very popular module, please contact me or open an issue in the CAPTCHA module issue tracker.

reCAPTCHA

reCAPTCHA 2.x widget (with JavaScript)

Uses the reCAPTCHA web service to improve the CAPTCHA system. Tough on bots. Easy on humans.

OAuth 1.0

This module implements the OAuth 1.0 standard for use with Drupal and acts as a support module for other modules that wish to use OAuth.

For OAuth 2.0, install the Oauth 2.0 module instead of this one.

Password Policy

This module provides a way to enforce restrictions on user passwords by defining password policies.

Overview

A password policy can be defined with a set of constraints which must be met before a user password change will be accepted. Each constraint has a parameter allowing for the minimum number of valid conditions which must be met before the constraint is satisfied.

Security Kit

Screenshot

SecKit provides Drupal with various security-hardening options. This lets your mitigate the risks of exploitation of different web application vulnerabilities.

SecKit facilitates certain mitigations for Cross-site Scripting, Cross-site Request Forgery, and Clickjacking, among other issues.

ACL

The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes. It has no UI of its own and will not do anything by itself; install this module only if some other module tells you to.

We're aware of the following modules using ACL (let us know if you know of others):

Menu Admin per Menu

By default, Drupal allows only users with the Administer menus and menu items permission to add, modify or delete menu items.

Menu Admin per Menu allows to give roles per menu admin permissions without giving them full admin permission.

For instance, you may let certain users manage the items of the Main or Navigation menus but not those of the Management menu.

Try out a demonstration
Watch a screencast

Search configuration

Combining both search forms, hiding fields, changed labels & reducing node types

This module has five main functions.

  1. Alter the appearance of the core node search form
  2. Group content types for more meaningful searching
  3. Restrict search results by the content type.
    This is a role based restriction.
  4. Restrict search results from showing individual items.
  5. Alter the pager limit (aka number search item results per page).

Admin user (uid 1) is exempt from restrictions.

Lightweight Directory Access Protocol (LDAP)

Overview

The Lightweight Directory Access Protocol (LDAP) project provides integration with LDAP for authentication, user provisioning, authorization, feeds, and views. It also provides apis and building blocks (query and server configuration storage) for other modules.

SpamSpan filter

The SpamSpan module obfuscates email addresses to help prevent spambots from collecting them. It implements the technique at the SpamSpan website (a German version is also available). The problem with most email address obfuscators is that they rely upon JavaScript being enabled on the client side. This makes the technique inaccessible to people with screen readers. SpamSpan however will produce clickable links if JavaScript is enabled, and will show the email address as example [at] example [dot] com if the browser does not support JavaScript or if JavaScript is disabled.

This technique is unlikely to be absolutely foolproof. It is possible in theory for a determined spambot to harvest addresses from your site no matter how you disguise them. But research suggests that the by far the great majority of spambots do not bother to attempt to collect addresses which have been hidden using JavaScript. Indeed, most spambots cannot currently read JavaScript at all.

Here are a links to the results of a few experiments into the efficacy of JavaScript obfuscation. Let me know if you know of any more.

http://www.cdt.org/speech/spam/030319spamreport.shtml (2003)

Persistent Login

The Persistent Login module provides a "Remember Me" option on the user login form. Persistent Login is independent of the PHP session settings and is more secure (and user-friendly) than simply setting a long PHP session lifetime.

Administer Users by Role

This module allows site builders to set up fine-grained permissions for allowing "sub-admin" users to manage other users based on the target user\'s role.

The module defines new permissions to control access to edit/delete users - more specific than Drupal Core\'s all-or-nothing 'administer users'. It also provides and enforces a 'create users' permission.

The Drupal 8 version adds fine-grained control of assigning roles and viewing users, with an optional simple configuration mode.

Image CAPTCHA Refresh

Image CAPTCHA Refresh

Drupal 8

This module is going to be part of CAPTCHA module, see https://www.drupal.org/node/2608540 for updates.

Description

This module adds the link for refreshing image into very popular module for widget image_captcha.

Secure Login

Secure Login

For sites that are available via both HTTP and HTTPS, Secure Login module ensures that the user login and other forms are submitted securely via HTTPS, thus preventing passwords and other private user data from being transmitted in the clear.

Secure Login module locks down not just the user/login page but also any page containing the user login block, and any other forms that you configure to be secured.

Username Enumeration Prevention

What Is Username Enumeration Prevention

By default Drupal is very secure (especially Drupal 7). However, there is a way to exploit the system by using a technique called username enumeration. Both Drupal 6 and 7 have this issue, but it is much worse for people using Drupal 6. This is because Drupal 6 does not have any built in brute force prevention. When an attacker knows a username they can start a brute force attack to gain access with that user. To help prevent this, it is best if usernames on the system are not easy to find out.

Attackers can easily find usernames that exist by using the forgot password form and a technique called “username enumeration”. The attacker can enter a username that does not exist and they will get a response from Drupal saying so. All the attacker needs to do is keep trying usernames on this form until they find a valid user.

This module will stop this from happening. When the module is enabled, the error message will be replaced for the same message as a valid user and they will be redirected back to the login form. If the user does not exist, no password reset email will be sent, but the attacker will not know this is the case.

Spamicide

The purpose of Spamicide is to prevent spam submission to any form on your Drupal web site. Spamicide adds an input field to each form then hides it with css, when spam bots fill in the field the form is discarded. The field, and matching .css file, are named in such a way as to not let on that it is a spam defeating device, and can be set by admins to almost anything they like(machine readable please). If logging is set, the log will show if and when a particular form has been compromised, and the admin can change the form's field name (and corresponding .css file) to something else.

Taxonomy Access Control

Access control for user roles based on taxonomy categories (vocabulary, terms).

simpleSAMLphp Authentication

simpleSAMLphp fish logo

This module integrates Drupal with SimpleSAMLphp, the most robust and complete implementation of SAML in PHP. It makes it possible for Drupal to communicate with SAML or Shibboleth identity providers (IdP) for authenticating users. The resulting Drupal site can effectively act as a SAML or Shibboleth service provider (SP).

Prerequisites

  • SimpleSAMLphp - you must have SimpleSAMLphp version 1.6 or newer installed and configured to operate as a service provider (SP).

NOTE: Your SimpleSAMLphp SP must be configured to use something other than "phpsession" (the default) for session storage. The alternatives are memcache or sql. The sql option was added in SimpleSAMLphp version 1.7. The simplest solution for folks running SimpleSAMLphp version 1.7 or higher is to edit the SimpleSAMLphp config/config.php by setting store.type => 'sql' and 'store.sql.dsn' => 'sqlite:/path/to/sqlitedatabase.sq3'

Features

  • Just-in-time provisioning of Drupal user accounts based on SAML attributes (configurable).
  • Automatic role assignment based on SAML attributes (configurable).
  • Dual mode - support for traditional Drupal accounts and SAML-authenticated accounts at the same time (configurable).

User registration password

Administration settings D8

Let users register with a password on the registration form when verification mail is required.

By default, users can create accounts directly on the registration form, set their password and be immediately logged in, or they can create their account, wait for a verification e-mail, and then create their password. With this module, users are able to create their account along with their password and simply activate their account when receiving the verification email.

The variable module, mail editor and commerce checkout are supported in the D7 version and the module is now in use in some complex setups.

Supported / related modules Drupal 7:

Status D8 version:
User registrationpassword is compatible with Drupal 8 core from 8.1.9 / 8.2.1 due to #2765437, it will not work (and can't) with any older version.

Please report your findings in the user_registrationpassword issue queue. The issue queue is also open for new feature requests while a release candidate (RC) has not been released, be bold! And obviously we could do with more people testing the module.

Encrypt

Encrypt is a Drupal module that provides an application programming interface (API) for performing two-way data encryption. It allows modules to encrypt data such that it can be decrypted using the same key that was used to encrypt the data. This is useful for storing sensitive information. This module is an API that other modules can use to encrypt data. It doesn't provide any user-facing features of its own, aside from administration pages to manage configuration.

Paranoia

The Paranoia module attempts to identify all the places that a user can evaluate PHP via Drupal's web interface and then block those. It reduces the potential impact of an attacker gaining elevated permission on a Drupal site.

Two-factor Authentication (TFA)

Second-factor authentication for Drupal sites. Drupal provides authentication via something you know -- a username and password while TFA module adds a second step of authentication with a check for something you have -- such as a code sent to (or generated by) your mobile phone.

Key

Key provides the ability to improve Drupal security by managing sensitive keys (such as API and encryption keys). It gives site administrators the ability to define how and where keys are stored, which allows the option of a high level of security and allows sites to meet regulatory or compliance requirements.

Google reCAPTCHA

This module provides integration with Google reCAPTCHA service for protection site forms.
Read more: http://www.google.com/recaptcha
This new service from Google opens new epoch in spam protection technology.

Even if the site has no comment (or similar) form - it is still necessary to protect!
Why? Because CAPTCHA protects login form (Your site has it, right?) and not allow bad guys to brute-force and use vulnerability like this: https://www.drupal.org/node/2378367

Advantages over standard CAPTCHA:

  • During form creation and form submission special requests will be sent to Google servers - Your server will not spend resources for creating CAPTCHA widget or recognition is this spam or not.
  • This service provide advanced clever technology to recognize spam and this is permanent evolution.
  • This CAPTCHA is very easy for site visitors. In half cases it is enough just click "I'm not a robot"! :)

Advantages over others CAPTCHA modules:

  • Standalone module - no dependencies, no additional modules! This module provides only the needful functionality for integration and protection - nothing excess!
  • Uses latest version of Google CAPTCHA V2 API.

AES encryption

This module is unsupported due to a security issue the maintainer didn’t fix. See AES - Critical - Unsupported - SA-CONTRIB-2017-027 for details.

If you want to use this module, your options are:

Pages