Mon, 2010-01-11 18:00

It's hard to tell how truly secure your website is. We personally consider Drupal to be very secure in comparison to other content management systems out there, and it can always be improved. I'm going to go through a handful of modules that I always keep handy and often install. Know beforehand that some module settings, or even whole modules, might not be useful for a specific project, so use discretion.

CAPTCHA (Module Page)

Most people already know what a CAPTCHA is; this is the primary CAPTCHA module for Drupal. It comes with an image challenge, the kind of CAPTCHA you see all the time with swirling, distorted letters, and a math challenge, which asks you to solve a simple math problem like "2 + 4 = ___".

You can extend the module to use reCAPTCHA, and I particularly think that the concept behind reCAPTCHA is pretty awesome.

reCAPTCHA is a free CAPTCHA service that helps to digitize books, newspapers and old time radio shows. Check out our paper in Science about it (or read more below).

A strong CAPTCHA is good for keeping your registration pages and/or anonymous comments relatively safe from spam bots. Spam bots are pretty persistent; they register and post everywhere they can on your site. The best approach to spam is to add several different hurdles that are relatively easy for a human to clear but hard for an average spam bot, as opposed to a single undefeatable CAPTCHA that not even a human can read.
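The math challenge above only works as a hurdle if the server, not the browser, knows the expected answer, and if a solved challenge cannot be replayed. The following is an added example, not code from the CAPTCHA module or from the original post, of one way to implement a stateless math challenge: the correct answer is committed to with an HMAC inside the token, the token expires, and each token accepts exactly one answer attempt. The secret key, the five-minute lifetime and the in-memory nonce set are assumptions for the demo.

```python
import hashlib
import hmac
import os
import random
import time
from typing import Optional, Tuple

# Constructed values: a per-process key and a 5-minute lifetime. A real site keeps
# one persistent secret (rotated deliberately) so tokens survive a restart.
SECRET = os.urandom(32)
TTL_SECONDS = 300

# Nonces already spent, so each challenge accepts exactly one answer attempt.
# In production this set lives in the database or cache, not in memory.
_spent_nonces = set()


def _tag(nonce: str, expires: int, answer: int) -> str:
    """HMAC over nonce, expiry and the correct answer; the answer itself never leaves the server."""
    msg = f"{nonce}|{expires}|{answer}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def new_challenge(now: Optional[float] = None) -> Tuple[str, str]:
    """Return (question to display, opaque token for a hidden form field)."""
    a, b = random.randint(1, 9), random.randint(1, 9)
    nonce = os.urandom(8).hex()
    expires = int(time.time() if now is None else now) + TTL_SECONDS
    token = f"{nonce}.{expires}.{_tag(nonce, expires, a + b)}"
    return f"{a} + {b} = ___", token


def verify(token: str, submitted: str, now: Optional[float] = None) -> bool:
    """Accept only if the token is intact, unexpired, unused, and the answer matches."""
    try:
        nonce, expires_text, tag = token.split(".")
        expires = int(expires_text)
        answer = int(submitted.strip())
    except ValueError:
        return False
    current = time.time() if now is None else now
    if current > expires or nonce in _spent_nonces:
        return False
    # Spend the nonce before checking the answer: a wrong guess burns the token,
    # so a bot cannot cycle through the handful of possible sums on one challenge.
    _spent_nonces.add(nonce)
    return hmac.compare_digest(tag, _tag(nonce, expires, answer))


if __name__ == "__main__":
    question, token = new_challenge()
    print(question)
    x, _, y = question.split(" = ")[0].split(" ")
    print("correct answer accepted:", verify(token, str(int(x) + int(y))))
    print("replay rejected:", verify(token, str(int(x) + int(y))))
```

The small answer space (sums from 2 to 18) is exactly why the nonce is spent on every attempt rather than only on success; without that, a bot could submit all seventeen candidates against one token. This is still the weakest of the hurdles the text describes, since a bot that parses arithmetic passes it, which is the argument for layering several cheap checks rather than relying on one.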

More spam prevention modules

  • Spam - numerous tools to auto-detect and deal with spam content
  • Antispam - similar to Spam, but using third-party detection services such as Akismet
  • Mollom - provides CAPTCHAs and spam filtering

Login Security (Module Page)

The concept of this module is pretty straightforward: stop anyone from trying to guess a password, whether manually or via a brute-force attack. The settings are very flexible; you can choose to block the user account or block the host altogether, and you can set it to e-mail you after x failed login attempts. This will keep the guessers at bay.
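To make the per-user and per-host blocking concrete, here is an added example (not the Login Security module's own code) of the core logic: failed attempts are counted in a sliding window per account and per source address, an attempt is refused before the password is even checked once either count crosses its threshold, and an alert fires after a configurable number of failures. The thresholds, window length, and the `notify` callback standing in for the module's e-mail are assumptions chosen for the demo.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Optional

# Constructed thresholds; the module's own settings decide these per site.
USER_THRESHOLD = 5       # failures on one account before that account is blocked
HOST_THRESHOLD = 20      # failures from one source address before that host is blocked
WINDOW_SECONDS = 600     # failures older than this no longer count (sliding window)
NOTIFY_AFTER = 3         # send the admin an alert at this many failures on one account


class LoginGuard:
    """Tracks failed logins per account and per host and refuses attempts past a threshold."""

    def __init__(self, clock: Callable[[], float] = time.time,
                 notify: Callable[[str], None] = print):
        self.clock = clock          # injectable so tests can move time forward
        self.notify = notify        # stands in for the module's e-mail alert
        self._user_failures = defaultdict(deque)
        self._host_failures = defaultdict(deque)

    def _prune(self, stamps: deque) -> None:
        """Drop timestamps that have fallen out of the sliding window."""
        cutoff = self.clock() - WINDOW_SECONDS
        while stamps and stamps[0] < cutoff:
            stamps.popleft()

    def block_reason(self, username: str, host: str) -> Optional[str]:
        """'host' or 'user' if the request must be refused before the password is checked, else None."""
        self._prune(self._user_failures[username])
        self._prune(self._host_failures[host])
        if len(self._host_failures[host]) >= HOST_THRESHOLD:
            return "host"
        if len(self._user_failures[username]) >= USER_THRESHOLD:
            return "user"
        return None

    def attempt(self, username: str, host: str, credentials_valid: bool) -> str:
        """Run one login attempt through the guard and return its outcome."""
        reason = self.block_reason(username, host)
        if reason:
            return f"blocked-{reason}"      # refused even if the password happens to be right
        if credentials_valid:
            self._user_failures[username].clear()
            return "ok"
        now = self.clock()
        self._user_failures[username].append(now)
        self._host_failures[host].append(now)
        count = len(self._user_failures[username])
        if count == NOTIFY_AFTER:
            self.notify(f"[alert] {count} failed logins for '{username}' from {host}")
        return "failed"


if __name__ == "__main__":
    guard = LoginGuard()
    for _ in range(USER_THRESHOLD):
        print(guard.attempt("alice", "203.0.113.7", credentials_valid=False))
    print(guard.attempt("alice", "203.0.113.7", credentials_valid=True))  # blocked-user
```

The host-level threshold is deliberately higher than the account-level one: a single attacker spraying many usernames from one address trips the host block, while a few mistyped passwords on one account only lock that account for the window. A successful login clears the account's counter so a legitimate user is not left one failure short of a block.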

Secure Password Hashes (Module Page)

Drupal, like most CMSs, stores passwords in the form of an MD5 hash. When a hacker gains access to your database through an exploit or SQL injection, 9 out of 10 times they will try to view the contents of your user table.

In order to stop them from breaking straight into user accounts, passwords are run through a one-way hash function (MD5) instead of being stored in the clear. This means that if your password is "cool", the stored MD5 hash will look like this: b1f4f9a523e36fd969f4573e25af4540. Since the function is one-way, you can't reverse the hash to recover the password. This stopped hackers for only a little while: because "cool" always produces the same hash, you can precompute hashes for all possible word combinations and then, by comparison, figure out what a given hash is concealing.

phpass uses much stronger hashing methods, and on top of that it randomly "salts" each password before hashing, so the same password produces a different stored value for every user, which makes the hashes much harder to figure out.
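The following added example (not phpass's or Drupal's own code) shows both halves of the argument above: a lookup table built once over a word list reverses an unsalted MD5 hash with a single dictionary lookup, while a per-user random salt plus an iterated hash defeats that table and makes each guess cost many hash computations. It uses PBKDF2-SHA256 as the salted, stretched scheme rather than phpass's own format, so the stored strings are not interchangeable with phpass; the five-word list is a constructed stand-in for a real precomputed table.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed toy wordlist standing in for the "all possible word combinations"
# an attacker precomputes; real lookup tables are vastly larger.
WORDLIST = ["password", "letmein", "cool", "drupal", "123456"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, the storage format the text describes."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Precompute hash -> word once; afterwards every stolen hash is one dictionary lookup."""
    return {md5_hex(w): w for w in words}


def reverse_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Works only because the same password always gives the same unsalted hash."""
    return table.get(stored_hash)


# Salted and stretched hashing, illustrating what phpass adds. PBKDF2-SHA256 is used
# here in place of phpass's own algorithm and string format (an assumption of this demo).

def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = 2 ** 14) -> str:
    """Return 'rounds$salt_hex$digest_hex'. A fresh 16-byte random salt per user means two users
    with the password "cool" get different hashes, so a table built for one is useless for the
    other; `rounds` iterations make every guess proportionally more expensive."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and round count, then compare in constant time."""
    rounds, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    stolen = md5_hex("cool")
    print("unsalted MD5", stolen, "reverses to:", reverse_unsalted(stolen, table))
    first, second = hash_password("cool"), hash_password("cool")
    print("same password, different salted hashes:", first != second)
    print("verify right/wrong:", verify_password("cool", first), verify_password("c00l", first))
```

Storing the round count alongside the salt, as the string format above does, is what lets a site raise the work factor later and re-hash users transparently at their next login; verification always reads the parameters back from the stored value rather than from a global setting.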
