The Security Review module automates testing for many of the easy-to-make mistakes that render your site insecure.
Get started easily
It's quick and easy to get started. Download and enable the module and just hit the "Run checklist" button to see results.
Security Review runs the following checks:
- Safe file system permissions (protecting against arbitrary code execution)
- Text formats don't allow dangerous tags (protecting against XSS)
- Safe error reporting (avoiding information disclosure)
- Secure private files
- Only safe upload extensions
- Large amount of database errors (could be sign of SQLi attempts)
- Large amount of failed logins (could be sign of brute-force attempts)
- Responsible Drupal admin permissions (protecting against access misconfiguration)
- Username as password (protecting against brute-force)
- Password included in user emails (avoiding information disclosure)
- PHP execution (protecting against arbitrary code execution)
- Base URL set / D8 Trusted hosts (protecting against some phishing attempts)
- Views access controlled (protecting against information disclosure)
This module does not automatically make changes to your site. You should use the results of the checklist and its resources to manually secure your site. The results of some checks may be incorrect depending on unique factors of your site.
Note that the checks provided by this module do not make for a fully secure site. Security is a process, so you should work to pass all of the Security Review checks and also audit your site for risks this module cannot check for (see below for info on one provider of those services).
New: Drupal 8 support! Try the module out on your Drupal 8 site or via https://simplytest.me/
More information about security in Drupal
- Maintenance status: Actively maintained
- Development status: Under active development
- Reported installs: 36,095 sites currently report using this module. View usage statistics.
- Downloads: 320,319
- Automated tests: Enabled
- Last modified: 22 December 2016
- Stable releases for this project are covered by the security advisory policy.
Look for the shield icon below.