Security · Jan 30, 2025 · 9 min read
Drupal Security Hardening: The 12-Point Checklist
Enterprise Drupal sites are high-value targets. Here's the hardening checklist I apply to every client site before it goes live — and the reasoning behind each item.
Nitin Shrivastava
Senior Software Engineer · Axelerant
Enterprise Drupal installations hold sensitive content, user PII, and often integrate with financial or healthcare systems. A missed hardening step can have serious consequences. Here's the checklist I run through before every production launch.
Environment & Configuration
- Store hash_salt and all secrets in environment variables, never settings.php
- Set error_level to 'hide' in production — stack traces leak implementation details
- Disable PHP execution in the files/ directory via .htaccess or nginx config
- Enable Drupal's automated update checker and subscribe to security advisories
- Restrict the /admin/* path to internal network IPs at the load balancer
settings.php
// Never hard-code secrets: read them from the environment at request time
$settings['hash_salt'] = getenv('DRUPAL_HASH_SALT');
// Hide errors from end users (stack traces stay in the log, not on the page)
$config['system.logging']['error_level'] = 'hide';
// Trust the load balancer's X-Forwarded-* headers so Drupal sees requests
// terminated at the proxy as HTTPS and logs the real client IP
$settings['reverse_proxy'] = TRUE;
$settings['reverse_proxy_addresses'] = [getenv('LOAD_BALANCER_IP')];
Run the Drupal Security Review module on every release. It takes under 30 seconds and catches regressions that sneak in during feature development.
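The same kind of regression check can be scripted for the two settings.php items above (secrets from the environment, error_level hidden) so it runs in CI on every release. The script below is an added example; it is not part of the original post and is not the Security Review module. It lints the text of a settings.php with regular expressions, and the two sample files it checks are constructed for the example.

```python
"""Pre-release lint for a Drupal settings.php (added example, not the post's own code).

It flags the regressions the checklist above is meant to prevent:
  * hash_salt or a database password written as a string literal instead of
    being read with getenv(),
  * error_level missing or set to anything other than 'hide'.
Checks are regex-based over the file text, so they only see what is literally
written in settings.php, not values assigned in included files.
"""
import re

# Captures the right-hand side of "$settings['hash_salt'] = <expr>;"
HASH_SALT_RE = re.compile(r"\$settings\['hash_salt'\]\s*=\s*(.+?);")
# Captures the quoted value of "$config['system.logging']['error_level'] = '<value>';"
ERROR_LEVEL_RE = re.compile(
    r"\$config\['system\.logging'\]\['error_level'\]\s*=\s*'([^']*)'\s*;")
# Captures the value expression of "'password' => <expr>," inside $databases
DB_PASSWORD_RE = re.compile(r"'password'\s*=>\s*(.+?)\s*,")
# A bare PHP string literal such as 'abc' or "abc"
STRING_LITERAL_RE = re.compile(r"""^\s*(['"]).*\1\s*$""")
# Whole-line // and # comments, removed so commented-out settings are ignored
COMMENT_LINE_RE = re.compile(r"^[ \t]*(//|#).*$", re.M)


def _is_literal(expr):
    """True when the PHP expression is a plain string literal (a hard-coded value)."""
    return bool(STRING_LITERAL_RE.match(expr))


def lint_settings(source):
    """Return a list of human-readable findings; an empty list means the file passes."""
    source = COMMENT_LINE_RE.sub("", source)
    findings = []

    m = HASH_SALT_RE.search(source)
    if m is None:
        findings.append("hash_salt is not set")
    elif _is_literal(m.group(1)):
        findings.append("hash_salt is hard-coded; read it with getenv()")

    m = ERROR_LEVEL_RE.search(source)
    if m is None:
        findings.append("error_level is not set; production must use 'hide'")
    elif m.group(1) != "hide":
        findings.append(f"error_level is '{m.group(1)}'; production must use 'hide'")

    for m in DB_PASSWORD_RE.finditer(source):
        if _is_literal(m.group(1)):
            findings.append("database password is hard-coded; read it with getenv()")

    return findings


# Constructed sample: what a hardened settings.php looks like.
HARDENED = """<?php
// hardened: secrets come from the environment, errors are hidden
$settings['hash_salt'] = getenv('DRUPAL_HASH_SALT');
$config['system.logging']['error_level'] = 'hide';
$databases['default']['default'] = [
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => getenv('DRUPAL_DB_PASSWORD'),
  'host' => 'db',
  'driver' => 'mysql',
];
"""

# Constructed sample: the regressions a developer might commit by accident.
REGRESSED = """<?php
// regressed: literal salt and password, verbose errors
$settings['hash_salt'] = 'c0ffee-not-a-real-salt';
$config['system.logging']['error_level'] = 'verbose';
$databases['default']['default'] = [
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => 'hunter2',
  'host' => 'db',
  'driver' => 'mysql',
];
"""

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("regressed", REGRESSED)):
        problems = lint_settings(text)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

In a pipeline, run the linter against the deployed settings.php and fail the build on a non-empty result; the three findings it reports for the regressed sample are exactly the mistakes the first two checklist items forbid.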