{"id":7284,"date":"2023-12-07T16:15:21","date_gmt":"2023-12-07T16:15:21","guid":{"rendered":"https:\/\/www.webhi.com\/how-to\/?p=7284"},"modified":"2023-12-07T16:15:23","modified_gmt":"2023-12-07T16:15:23","slug":"install-configure-secure-drupal-website-cms","status":"publish","type":"post","link":"https:\/\/www.webhi.com\/how-to\/install-configure-secure-drupal-website-cms\/","title":{"rendered":"Install and Secure your Drupal website"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"1200\" height=\"675\" src=\"https:\/\/www.webhi.com\/how-to\/gilrogre\/2023\/11\/drupal_instal_secure_en.jpg\" alt=\"Installing and Securing Drupal ubuntu debian redhat centOS \" class=\"wp-image-7298\" srcset=\"https:\/\/www.webhi.com\/how-to\/gilrogre\/2023\/11\/drupal_instal_secure_en.jpg 1200w, https:\/\/www.webhi.com\/how-to\/gilrogre\/2023\/11\/drupal_instal_secure_en-300x169.jpg 300w, https:\/\/www.webhi.com\/how-to\/gilrogre\/2023\/11\/drupal_instal_secure_en-1024x576.jpg 1024w, https:\/\/www.webhi.com\/how-to\/gilrogre\/2023\/11\/drupal_instal_secure_en-768x432.jpg 768w, https:\/\/www.webhi.com\/how-to\/gilrogre\/2023\/11\/drupal_instal_secure_en-150x84.jpg 150w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"introduction\">Introduction<\/h2>\n\n\n\n<p><strong>Drupal<\/strong> is a popular open-source content management system (CMS) used to build websites and web applications. With its modular architecture and thousands of add-on modules, Drupal is highly flexible and customizable. However, like any complex web application, Drupal requires proper configuration and hardening to ensure security.<\/p>\n\n\n\n<p>This guide will walk you through installing Drupal 10 from scratch in a Linux environment. It will also cover essential security measures to lock down access and protect against common web vulnerabilities. By the end, you will have a Drupal site ready for development with a solid security foundation.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"prerequisites\">Prerequisites<\/h2>\n\n\n\n<p>Before installing Drupal, ensure your Linux server meets the following requirements:<\/p>\n\n\n\n<ul>\n<li>Ubuntu 20.04 or higher<\/li>\n\n\n\n<li>Apache 2 web server<\/li>\n\n\n\n<li>MySQL 5.7 or higher OR MariaDB 10 or higher<\/li>\n\n\n\n<li>PHP 7.3 or higher with required extensions<\/li>\n\n\n\n<li>Composer &#8211; Dependency Manager for PHP<\/li>\n\n\n\n<li>Writable directories for Drupal and its files<\/li>\n<\/ul>\n\n\n\n<p>Also, make sure you have an available domain or subdomain that points to your server\u2019s IP address.<\/p>\n\n\n\n<p>Log in as a non-root user with sudo privileges to perform the installation.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step-1---install-lamp-stack\">Step 1 &#8211; Install LAMP Stack<\/h2>\n\n\n\n<p>Drupal requires the Linux, Apache, MySQL\/MariaDB, PHP (LAMP) stack to operate. Use the following commands to install these components:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ sudo apt update\n$ sudo apt install apache2 mariadb-server php php-mysql php-json php-gd php-mbstring php-xml php-curl<\/code><\/pre>\n\n\n\n<p>Install other required PHP extensions:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ sudo apt install php-zip php-soap php-gd<\/code><\/pre>\n\n\n\n<p>Enable Apache modules needed by Drupal:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ sudo a2enmod rewrite headers env dir mime<\/code><\/pre>\n\n\n\n<p>Secure MySQL installation:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ sudo mysql_secure_installation<\/code><\/pre>\n\n\n\n<p>Start MySQL and Apache services:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ sudo systemctl start mysql\n$ sudo systemctl start apache2 <\/code><\/pre>\n\n\n\n<p>Check that Apache is running properly by accessing your server\u2019s domain or IP address in your browser. You should see the default Apache page.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step-2---download-drupal\">Step 2 &#8211; Download Drupal<\/h2>\n\n\n\n<p>First, navigate to the Drupal downloads page and get the latest Drupal 10 release:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ cd \/tmp\n$ wget https:\/\/www.drupal.org\/download-latest\/tar.gz<\/code><\/pre>\n\n\n\n<p>Extract the tar.gz file into the Apache web root directory:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ sudo tar -xvf drupal-10*.tar.gz -C \/var\/www\/html<\/code><\/pre>\n\n\n\n<p>The extracted directory will be named something like&nbsp;<code>drupal-10.1.6<\/code>. Rename it to simply&nbsp;<code>drupal<\/code>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ sudo mv \/var\/www\/html\/drupal-10.1.6 \/var\/www\/html\/drupal<\/code><\/pre>\n\n\n\n<p>Set ownership to the web server user:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ sudo chown -R www-data:www-data \/var\/www\/html\/drupal<\/code><\/pre>\n\n\n\n<p>Adjust file permissions:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ sudo chmod -R 775 \/var\/www\/html\/drupal<\/code><\/pre>\n\n\n\n<p>Drupal 10 files are now in place and ready for installation.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step-3---create-mysql-database\">Step 3 &#8211; Create MySQL Database<\/h2>\n\n\n\n<p>Log in to MySQL prompt:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ mysql -u root -p<\/code><\/pre>\n\n\n\n<p>Create a database and user for Drupal:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"sql\" class=\"language-sql\">CREATE DATABASE drupal10db; \n\nCREATEUSER'drupal10user'@'localhost' IDENTIFIED BY'DBpa55word';\n\nGRANTALLON drupal10db.*TO'drupal10user'@'localhost';\n\nexit<\/code><\/pre>\n\n\n\n<p>Replace &#8216;DBpa55word&#8217; with a secure password.<\/p>\n\n\n\n<p>This creates a dedicated DB user with full privileges for Drupal database.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step-4---configure-apache-virtual-host\">Step 4 &#8211; Configure Apache Virtual Host<\/h2>\n\n\n\n<p>Create Drupal virtual host config:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ sudo nano \/etc\/apache2\/sites-available\/drupal10.conf<\/code><\/pre>\n\n\n\n<p>Add the following, updating paths\/domains as needed:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"apacheconf\" class=\"language-apacheconf\">&lt;VirtualHost *:80&gt;\n    ServerAdmin webmaster@localhost\n    DocumentRoot \"\/var\/www\/drupal10\/web\"\n    ServerName drupal10.example.com\n\n    &lt;Directory \/var\/www\/drupal10\/web&gt;\n        Options FollowSymlinks\n        AllowOverride All\n        Require all granted\n    &lt;\/Directory&gt;\n\n    ErrorLog ${APACHE_LOG_DIR}\/drupal10-error.log\n    CustomLog ${APACHE_LOG_DIR}\/drupal10-access.log combined\n&lt;\/VirtualHost&gt;<\/code><\/pre>\n\n\n\n<p>Enable the new virtual host and restart Apache:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ sudo a2ensite drupal10.conf\n$ sudo systemctl restart apache2<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step-5---install-drupal\">Step 5 &#8211; Install Drupal<\/h2>\n\n\n\n<p>Access your domain in a web browser and start Drupal 10 installation.<\/p>\n\n\n\n<p>Select language then choose Standard installation profile.<\/p>\n\n\n\n<p>On the Verify requirements page, ensure all items are checked. Resolve any issues listed.<\/p>\n\n\n\n<p>For the database configuration use the MySQL database, user, and password created earlier.<\/p>\n\n\n\n<p>** IMPORTANT: Disable sending usage statistics to contribute Drupal improvements. This helps protect privacy.<\/p>\n\n\n\n<p>Create a site name, default admin user, and strong password.<\/p>\n\n\n\n<p>Wait for installation to complete then log in with the admin user.<\/p>\n\n\n\n<p>The base Drupal site is now installed and ready for development!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step-6---configure-security-settings\">Step 6 &#8211; Configure Security Settings<\/h2>\n\n\n\n<p>After installation, it&#8217;s important to review security related settings and apply best practices to lock down Drupal.<\/p>\n\n\n\n<p>In&nbsp;<strong>Administration<\/strong>&nbsp;sidebar, go to Configuration &gt; System &gt;&nbsp;<strong>Basic site settings<\/strong>&nbsp;then under Front page content set homepage to be a blank page.<\/p>\n\n\n\n<p>Still under System, go to&nbsp;<strong>Cron<\/strong>&nbsp;and enable Cron handling. This is needed for scheduled tasks.<\/p>\n\n\n\n<p>Under Content authoring section, go to&nbsp;<strong>Text formats<\/strong>&nbsp;and configure<\/p>\n\n\n\n<ul>\n<li>Restrict HTML tags<\/li>\n\n\n\n<li>Disable JavaScript input format<\/li>\n<\/ul>\n\n\n\n<p>This helps prevent XSS issues when allowing users to post content.<\/p>\n\n\n\n<p>Next, under Media, disable the&nbsp;<strong>Local files<\/strong>&nbsp;source. Instead, configure cloud storage for uploads like S3 or equivalent.<\/p>\n\n\n\n<p>Under Configuration &gt; Media &gt;&nbsp;<strong>File system<\/strong>, set the Default download method to Privately accessible files.<\/p>\n\n\n\n<p>For higher security, in Configuration &gt;&nbsp;<strong>Media<\/strong>&nbsp;settings set Public file system path to private:\/\/<\/p>\n\n\n\n<p>This prevents accessing uploaded file paths directly through the site URL.<\/p>\n\n\n\n<p>In Configuration &gt; System &gt;&nbsp;<strong>File system<\/strong>&nbsp;ensure the sites\/default\/files Public file system path is set to private:\/\/<\/p>\n\n\n\n<p>This prevents accessing site file assets directly through the site URL.<\/p>\n\n\n\n<p>Under Configuration &gt; System &gt;&nbsp;<strong>Logging and errors<\/strong>&nbsp;enable verbose Database logging, Failed login attempts and Page not found errors.<\/p>\n\n\n\n<p>Still under Logging and errors, click&nbsp;<strong>Clean URLs<\/strong>&nbsp;Ensure &#8220;Enable clean URLs&#8221; checkbox is ticked. This improves SEO<\/p>\n\n\n\n<p>Scroll down to Bandwidth optimization section and enable the following:<\/p>\n\n\n\n<ul>\n<li>Aggregate CSS files<\/li>\n\n\n\n<li>Aggregate JavaScript files<\/li>\n\n\n\n<li>Optimize CSS files<\/li>\n\n\n\n<li>Optimize JavaScript files<\/li>\n<\/ul>\n\n\n\n<p>This reduces requests and improves performance.<\/p>\n\n\n\n<p>In Configuration &gt; SEO start by setting a site Default front page title, Default<\/p>\n\n\n\n<p>Under&nbsp;<strong>Search engine optimization<\/strong>&nbsp;tick the checkbox for &#8220;Generate meta tags&#8221; Enable clean URLs and the globe favicon.<\/p>\n\n\n\n<p>For social media, configure Facebook and Twitter options.<\/p>\n\n\n\n<p>In Configuration &gt; System &gt;&nbsp;<strong>PHP<\/strong>&nbsp;set Uploads directory outside web root to sites\/default\/files\/private<\/p>\n\n\n\n<p>This prevents accessing uploaded files directly through URL path.<\/p>\n\n\n\n<p>Set&nbsp;<strong>Max POST size<\/strong>&nbsp;and&nbsp;<strong>Max file upload size<\/strong>&nbsp;to align with site requirements.<\/p>\n\n\n\n<p><strong>Important:<\/strong>&nbsp;To apply the above changes either:<\/p>\n\n\n\n<ol>\n<li>Use Drush command line&nbsp;<code>drush cr<\/code><\/li>\n\n\n\n<li>OR go to \/update.php URL directly e.g. example.com\/update.php<\/li>\n<\/ol>\n\n\n\n<p>This will clear caches and rebuild routes for the changes to take effect.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step-7-%E2%80%93-review-permissions\">Step 7 \u2013 Review Permissions<\/h2>\n\n\n\n<p>Since Drupal requires write access to certain directories, permissions should be properly configured based on least privilege principles.<\/p>\n\n\n\n<p>Check write permissions are set only on required directories:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ sudo chown -R www-data:www-data \/var\/www\/drupal10\/web\/sites\/default\n$ sudo find \/var\/www\/drupal10\/web\/sites\/default -type d -exec chmod 775 {} \\;  \n$ sudo find \/var\/www\/drupal10\/web\/sites\/default -type f -exec chmod 664 {} \\;<\/code><\/pre>\n\n\n\n<p>Set recommended file system permissions:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ sudo find \/var\/www\/drupal10\/web -type d -exec chmod 755 {} \\;\n$ sudo find \/var\/www\/drupal10\/web -type f -exec chmod 644 {} \\;<\/code><\/pre>\n\n\n\n<p>Secure the settings.php file:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ sudo chmod 444 \/var\/www\/drupal10\/web\/sites\/default\/settings.php<\/code><\/pre>\n\n\n\n<p>Constant review of file permissions is important to avoid insecure defaults.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step-8-%E2%80%93-secure-the-database\">Step 8 \u2013 Secure The Database<\/h2>\n\n\n\n<p>Since the database stores sensitive data, take precautions to prevent data loss or breaches:<\/p>\n\n\n\n<ul>\n<li>Avoid using the database root user. Instead, grant limited privileges to Drupal user.<\/li>\n\n\n\n<li>Set a strong password for MySQL users with length &gt; 12 chars and special characters.<\/li>\n\n\n\n<li>Don&#8217;t expose database to public network. Put it inside private subnet instead of DMZ or public subnet.<\/li>\n\n\n\n<li>Enable MySQL reverse proxy to add an additional layer of security for database traffic.<\/li>\n\n\n\n<li>Perform frequent backups and test restores.<\/li>\n<\/ul>\n\n\n\n<p>Follow backups best practices:<\/p>\n\n\n\n<ul>\n<li>Schedule daily database dumps<\/li>\n\n\n\n<li>Backup website files and code<\/li>\n\n\n\n<li>Store backups separately from the web root<\/li>\n\n\n\n<li>Encrypt backup files<\/li>\n\n\n\n<li>Test restoration on staging environment.<\/li>\n<\/ul>\n\n\n\n<p>This protects against data loss from user errors, system crashes or ransomware attacks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step-9-%E2%80%93-secure-the-web-server\">Step 9 \u2013 Secure The Web Server<\/h2>\n\n\n\n<p>Since Apache server will be Internet-facing it requires robust protections:<\/p>\n\n\n\n<p>Disable unused modules to reduce attack surface area:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ sudo a2dismod status actions alias autoindex<\/code><\/pre>\n\n\n\n<p>Configure mod_security Web Application Firewall (WAF) to filter traffic:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ sudo apt install modsecurity libapache2-mod-security2 \n$ sudo nano \/etc\/modsecurity\/modsecurity.conf<\/code><\/pre>\n\n\n\n<p>Enable mod_security rules engine:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"apacheconf\" class=\"language-apacheconf\">SecRuleEngine On  <\/code><\/pre>\n\n\n\n<p>Proxy traffic via a Web Application Firewall (WAF) for deep package inspection:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ sudo apt install mod_security crudini\n$ crudini --set \/etc\/modsecurity\/modsecurity.conf \\\n  owasp.crs components.response.body_access false\n$ sudo systemctl restart apache2<\/code><\/pre>\n\n\n\n<p>Use HTTPS with a valid SSL certificate to enable encryption. Redirect all traffic to HTTPS version.<\/p>\n\n\n\n<p>Harden the site with additional security headers:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ sudo nano \/etc\/apache2\/sites-available\/drupal10.conf <\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"apacheconf\" class=\"language-apacheconf\">Header set X-Frame-Options \"SAMEORIGIN\"\nHeader set X-XSS-Protection \"1; mode=block\"\nHeader set X-Content-Type-Options \"nosniff\"\nHeader set Referrer-Policy \"same-origin\"\nHeader always append X-Frame-Options SAMEORIGIN<\/code><\/pre>\n\n\n\n<p>Save file and restart Apache.<\/p>\n\n\n\n<p>This helps guard against common XSS, clickjacking and MIME attacks.<\/p>\n\n\n\n<p>For performance, enable browser caching of static assets:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"apacheconf\" class=\"language-apacheconf\">&lt;FilesMatch \"\\.(ico|pdf|flv|jpg|jpeg|png|gif|webp|js|css|swf)(\\.gz)?$\"&gt;\nHeader set Cache-Control \"max-age=604800, public\"\n&lt;\/FilesMatch&gt;<\/code><\/pre>\n\n\n\n<p>604800 seconds = 1 week. This avoids re-downloading unchanged assets.<\/p>\n\n\n\n<p>Monitor site traffic logs for anomalies indicating attacks. Implement log analysis and alerting.<\/p>\n\n\n\n<p>Stay up to date on Drupal security advisories and apply latest patches.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step-10---automate-drupal-cron\">Step 10 &#8211; Automate Drupal Cron<\/h2>\n\n\n\n<p>Cron manages scheduled tasks like caching, updates, data optimization.<\/p>\n\n\n\n<p><strong>Option 1 &#8211; Run cron manually<\/strong><\/p>\n\n\n\n<p>Enable crontab access for web server user:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ sudo crontab -u www-data -e<\/code><\/pre>\n\n\n\n<p>Add cron entry:<\/p>\n\n\n\n<p><code>* * * * * \/usr\/bin\/php \/var\/www\/drupal10\/web\/core\/scripts\/cron.sh &gt;&gt; \/var\/www\/drupal10\/cron.log<\/code><\/p>\n\n\n\n<p><strong>Option 2 &#8211; Automated cron<\/strong><\/p>\n\n\n\n<p>Use Drupal Queue Cron module to trigger cron without sys admin access<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ composer require drupal\/queue_cron\n\n$ drush en -y queue_cron<\/code><\/pre>\n\n\n\n<p>Adjust cron settings in Drupal UI at admin\/config\/system\/cron.<\/p>\n\n\n\n<p><strong>Option 3 &#8211; Use system cron daemon<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ sudo systemctl edit cron<\/code><\/pre>\n\n\n\n<p>Paste:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"properties\" class=\"language-properties\">[Service]  \nUser=www-data<\/code><\/pre>\n\n\n\n<p>Save and exit.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ sudo systemctl restart cron<\/code><\/pre>\n\n\n\n<p>This runs cron jobs as web server user.<\/p>\n\n\n\n<p>Adjust cron settings in Drupal UI at admin\/config\/system\/cron.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step-11-%E2%80%93-ongoing-maintenance\">Step 11 \u2013 Ongoing Maintenance<\/h2>\n\n\n\n<p>Set up regular tasks to ensure long term security:<\/p>\n\n\n\n<ul>\n<li><strong>Review logs<\/strong>&nbsp;&#8211; Scan Apache\/Drupal logs for signs of attacks<\/li>\n\n\n\n<li><strong>Apply updates<\/strong>&nbsp;&#8211; Patch Drupal core, contrib modules, PHP, OS security issues promptly<\/li>\n\n\n\n<li><strong>Review permissions<\/strong>&nbsp;&#8211; Fix insecure defaults<\/li>\n\n\n\n<li><strong>Backup data<\/strong>&nbsp;&#8211; Automate daily database + file backups to alternate location<\/li>\n\n\n\n<li><strong>Test restore<\/strong>&nbsp;&#8211; Verify backups integrity; test restores in staging site<\/li>\n\n\n\n<li><strong>Renew SSL certificate<\/strong>&nbsp;&#8211; Use auto-renewal to avoid expiry\/warnings<\/li>\n\n\n\n<li><strong>Monitor site<\/strong>&nbsp;&#8211; Use intrusion detection and firewalls to get attack alerts<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"conclusion\">Conclusion<\/h2>\n\n\n\n<p>With these steps, you now have a secure Drupal 10 installation tuned for performance, with protections against common vulnerabilities.<\/p>\n\n\n\n<p>Be sure to follow security best practices moving forward to ensure your Drupal site remains hardened over time. Enable logging\/monitoring and apply a &#8220;defense in depth&#8221; strategy with multiple layers of security.<\/p>\n\n\n\n<p>Stay vigilant about emerging threats by following Drupal security advisories. Automate patches to ensure you don&#8217;t miss critical updates.<\/p>\n\n\n\n<p>With ongoing hardening and proactive maintenance, you can confidently build out your Drupal functionality while keeping the backend locked down from intruders.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction Drupal is a popular open-source content management system (CMS) used to build websites and web applications. With its modular architecture and thousands of add-on modules, Drupal is highly flexible and customizable. However, like any complex web application, Drupal requires proper configuration and hardening to ensure security. This guide will walk you through installing Drupal ..<\/p>\n<div class=\"clear-fix\"><\/div>\n<p><a href=\"https:\/\/www.webhi.com\/how-to\/install-configure-secure-drupal-website-cms\/\" title=\"read more...\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[188,3],"tags":[],"yoast_head":"\n<title>Install and Secure your Drupal website - WebHi Tutorials &amp; Documentations<\/title>\n<meta name=\"description\" content=\"This article provides step-by-step instructions for downloading, installing, and configuring security measures for the Drupal content management system. Key topics include choosing the right Drupal version, enabling modules safely, and setting file permissions.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.webhi.com\/how-to\/install-configure-secure-drupal-website-cms\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Install and Secure your Drupal website - WebHi Tutorials &amp; Documentations\" \/>\n<meta property=\"og:description\" content=\"This article provides step-by-step instructions for downloading, installing, and configuring security measures for the Drupal content management system. Key topics include choosing the right Drupal version, enabling modules safely, and setting file permissions.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.webhi.com\/how-to\/install-configure-secure-drupal-website-cms\/\" \/>\n<meta property=\"og:site_name\" content=\"WebHi Tutorials &amp; Documentations\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/webhi.technology\" \/>\n<meta property=\"article:published_time\" content=\"2023-12-07T16:15:21+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-12-07T16:15:23+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.webhi.com\/how-to\/gilrogre\/2023\/11\/drupal_instal_secure_en.jpg\" \/>\n<meta name=\"author\" content=\"webhi\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@WebHiTechnology\" \/>\n<meta name=\"twitter:site\" content=\"@WebHiTechnology\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"webhi\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\/\/www.webhi.com\/how-to\/install-configure-secure-drupal-website-cms\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.webhi.com\/how-to\/install-configure-secure-drupal-website-cms\/\"},\"author\":{\"name\":\"webhi\",\"@id\":\"https:\/\/www.webhi.com\/how-to\/#\/schema\/person\/b31e76e2311cdc0bb90f5e2733059a54\"},\"headline\":\"Install and Secure your Drupal website\",\"datePublished\":\"2023-12-07T16:15:21+00:00\",\"dateModified\":\"2023-12-07T16:15:23+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.webhi.com\/how-to\/install-configure-secure-drupal-website-cms\/\"},\"wordCount\":1431,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.webhi.com\/how-to\/#organization\"},\"articleSection\":[\"CMS &amp; Web development\",\"Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.webhi.com\/how-to\/install-configure-secure-drupal-website-cms\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.webhi.com\/how-to\/install-configure-secure-drupal-website-cms\/\",\"url\":\"https:\/\/www.webhi.com\/how-to\/install-configure-secure-drupal-website-cms\/\",\"name\":\"Install and Secure your Drupal website - WebHi Tutorials &amp; Documentations\",\"isPartOf\":{\"@id\":\"https:\/\/www.webhi.com\/how-to\/#website\"},\"datePublished\":\"2023-12-07T16:15:21+00:00\",\"dateModified\":\"2023-12-07T16:15:23+00:00\",\"description\":\"This article provides step-by-step instructions for downloading, installing, and configuring security measures for the Drupal content management system. Key topics include choosing the right Drupal version, enabling modules safely, and setting file permissions.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.webhi.com\/how-to\/install-configure-secure-drupal-website-cms\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.webhi.com\/how-to\/install-configure-secure-drupal-website-cms\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.webhi.com\/how-to\/install-configure-secure-drupal-website-cms\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.webhi.com\/how-to\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Install and Secure your Drupal website\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.webhi.com\/how-to\/#website\",\"url\":\"https:\/\/www.webhi.com\/how-to\/\",\"name\":\"WebHi Tutorials &amp; Documentations\",\"description\":\"System administration and knowledge base\",\"publisher\":{\"@id\":\"https:\/\/www.webhi.com\/how-to\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.webhi.com\/how-to\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.webhi.com\/how-to\/#organization\",\"name\":\"WebHi Technology\",\"url\":\"https:\/\/www.webhi.com\/how-to\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.webhi.com\/how-to\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.webhi.com\/how-to\/gilrogre\/2022\/07\/logo.png\",\"contentUrl\":\"https:\/\/www.webhi.com\/how-to\/gilrogre\/2022\/07\/logo.png\",\"width\":288,\"height\":95,\"caption\":\"WebHi Technology\"},\"image\":{\"@id\":\"https:\/\/www.webhi.com\/how-to\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/webhi.technology\",\"https:\/\/twitter.com\/WebHiTechnology\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.webhi.com\/how-to\/#\/schema\/person\/b31e76e2311cdc0bb90f5e2733059a54\",\"name\":\"webhi\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.webhi.com\/how-to\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.webhi.com\/how-to\/ahuphiph\/litespeed\/avatar\/e20da107d0f4c765ead2eef88ad019d8.jpg?ver=1783029557\",\"contentUrl\":\"https:\/\/www.webhi.com\/how-to\/ahuphiph\/litespeed\/avatar\/e20da107d0f4c765ead2eef88ad019d8.jpg?ver=1783029557\",\"caption\":\"webhi\"},\"sameAs\":[\"https:\/\/www.webhi.com\/how-to\"],\"url\":\"https:\/\/www.webhi.com\/how-to\/author\/webhi\/\"}]}<\/script>\n","yoast_head_json":{"title":"Install and Secure your Drupal website - WebHi Tutorials &amp; Documentations","description":"This article provides step-by-step instructions for downloading, installing, and configuring security measures for the Drupal content management system. Key topics include choosing the right Drupal version, enabling modules safely, and setting file permissions.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.webhi.com\/how-to\/install-configure-secure-drupal-website-cms\/","og_locale":"en_US","og_type":"article","og_title":"Install and Secure your Drupal website - WebHi Tutorials &amp; Documentations","og_description":"This article provides step-by-step instructions for downloading, installing, and configuring security measures for the Drupal content management system. Key topics include choosing the right Drupal version, enabling modules safely, and setting file permissions.","og_url":"https:\/\/www.webhi.com\/how-to\/install-configure-secure-drupal-website-cms\/","og_site_name":"WebHi Tutorials &amp; Documentations","article_publisher":"https:\/\/www.facebook.com\/webhi.technology","article_published_time":"2023-12-07T16:15:21+00:00","article_modified_time":"2023-12-07T16:15:23+00:00","og_image":[{"url":"https:\/\/www.webhi.com\/how-to\/gilrogre\/2023\/11\/drupal_instal_secure_en.jpg"}],"author":"webhi","twitter_card":"summary_large_image","twitter_creator":"@WebHiTechnology","twitter_site":"@WebHiTechnology","twitter_misc":{"Written by":"webhi","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"TechArticle","@id":"https:\/\/www.webhi.com\/how-to\/install-configure-secure-drupal-website-cms\/#article","isPartOf":{"@id":"https:\/\/www.webhi.com\/how-to\/install-configure-secure-drupal-website-cms\/"},"author":{"name":"webhi","@id":"https:\/\/www.webhi.com\/how-to\/#\/schema\/person\/b31e76e2311cdc0bb90f5e2733059a54"},"headline":"Install and Secure your Drupal website","datePublished":"2023-12-07T16:15:21+00:00","dateModified":"2023-12-07T16:15:23+00:00","mainEntityOfPage":{"@id":"https:\/\/www.webhi.com\/how-to\/install-configure-secure-drupal-website-cms\/"},"wordCount":1431,"commentCount":0,"publisher":{"@id":"https:\/\/www.webhi.com\/how-to\/#organization"},"articleSection":["CMS &amp; Web development","Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.webhi.com\/how-to\/install-configure-secure-drupal-website-cms\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.webhi.com\/how-to\/install-configure-secure-drupal-website-cms\/","url":"https:\/\/www.webhi.com\/how-to\/install-configure-secure-drupal-website-cms\/","name":"Install and Secure your Drupal website - WebHi Tutorials &amp; Documentations","isPartOf":{"@id":"https:\/\/www.webhi.com\/how-to\/#website"},"datePublished":"2023-12-07T16:15:21+00:00","dateModified":"2023-12-07T16:15:23+00:00","description":"This article provides step-by-step instructions for downloading, installing, and configuring security measures for the Drupal content management system. Key topics include choosing the right Drupal version, enabling modules safely, and setting file permissions.","breadcrumb":{"@id":"https:\/\/www.webhi.com\/how-to\/install-configure-secure-drupal-website-cms\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.webhi.com\/how-to\/install-configure-secure-drupal-website-cms\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.webhi.com\/how-to\/install-configure-secure-drupal-website-cms\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.webhi.com\/how-to\/"},{"@type":"ListItem","position":2,"name":"Install and Secure your Drupal website"}]},{"@type":"WebSite","@id":"https:\/\/www.webhi.com\/how-to\/#website","url":"https:\/\/www.webhi.com\/how-to\/","name":"WebHi Tutorials &amp; Documentations","description":"System administration and knowledge base","publisher":{"@id":"https:\/\/www.webhi.com\/how-to\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.webhi.com\/how-to\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.webhi.com\/how-to\/#organization","name":"WebHi Technology","url":"https:\/\/www.webhi.com\/how-to\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.webhi.com\/how-to\/#\/schema\/logo\/image\/","url":"https:\/\/www.webhi.com\/how-to\/gilrogre\/2022\/07\/logo.png","contentUrl":"https:\/\/www.webhi.com\/how-to\/gilrogre\/2022\/07\/logo.png","width":288,"height":95,"caption":"WebHi Technology"},"image":{"@id":"https:\/\/www.webhi.com\/how-to\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/webhi.technology","https:\/\/twitter.com\/WebHiTechnology"]},{"@type":"Person","@id":"https:\/\/www.webhi.com\/how-to\/#\/schema\/person\/b31e76e2311cdc0bb90f5e2733059a54","name":"webhi","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.webhi.com\/how-to\/#\/schema\/person\/image\/","url":"https:\/\/www.webhi.com\/how-to\/ahuphiph\/litespeed\/avatar\/e20da107d0f4c765ead2eef88ad019d8.jpg?ver=1783029557","contentUrl":"https:\/\/www.webhi.com\/how-to\/ahuphiph\/litespeed\/avatar\/e20da107d0f4c765ead2eef88ad019d8.jpg?ver=1783029557","caption":"webhi"},"sameAs":["https:\/\/www.webhi.com\/how-to"],"url":"https:\/\/www.webhi.com\/how-to\/author\/webhi\/"}]}},"_links":{"self":[{"href":"https:\/\/www.webhi.com\/how-to\/wp-json\/wp\/v2\/posts\/7284"}],"collection":[{"href":"https:\/\/www.webhi.com\/how-to\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webhi.com\/how-to\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webhi.com\/how-to\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webhi.com\/how-to\/wp-json\/wp\/v2\/comments?post=7284"}],"version-history":[{"count":5,"href":"https:\/\/www.webhi.com\/how-to\/wp-json\/wp\/v2\/posts\/7284\/revisions"}],"predecessor-version":[{"id":7361,"href":"https:\/\/www.webhi.com\/how-to\/wp-json\/wp\/v2\/posts\/7284\/revisions\/7361"}],"wp:attachment":[{"href":"https:\/\/www.webhi.com\/how-to\/wp-json\/wp\/v2\/media?parent=7284"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webhi.com\/how-to\/wp-json\/wp\/v2\/categories?post=7284"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webhi.com\/how-to\/wp-json\/wp\/v2\/tags?post=7284"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}