Top Security Modules for Your Drupal 9 Website

In recent years, the ease of building websites has expanded. Thanks to content management systems (CMS), like Drupal, business owners are now responsible for website security. Yet, many owners do not know how to make their website safe.

Whether you run a small business or enterprise, users expect a safe online experience. You must keep customer information safe and take all necessary precautions and leave no stone unturned.

If you have a Drupal 9 website and you want to take precautionary measures then here are the top security modules that will help you secure your Drupal 9 website.

Top Security Modules for Drupal 9 Websites:

1. Security Kit

SecKit provides Drupal with various security-hardening options and it lets you mitigate the risks of exploitation of different web application vulnerabilities. This Drupal 9 security module lets you implement Content Security Policy, control over Internet Explorer / Apple Safari / Google Chrome internal XSS filter, prevent content upsniffing and serving files with incorrect MIME-type, handle Origin HTTP request header and more. Catalyst IT and Acquia are the supporting organizations for this module.

For more details:
Documentation: Documentation and examples of usage are included on the module's settings form.

Security Kit Screenshot

2. Password Policy

Password policy module lets you define a password policy with a set of constraints which must be met before a user password change is accepted. Each of these constraints has a parameter allowing for the minimum number of valid conditions which must be met before the constraint is satisfied. This security module also implements a password expiration feature forcing the user to change their password after a set time period. The only drawback is that the module only applies to passwords set via user forms in the web interface. Classic Graphics, Acquia, CivicActions, Mediacurrent and CI&T are the supporting organizations.

For more details:
Documentation: Password Policy 7.x

3. Username Enumeration Prevention

The Username Enumeration Prevention module aims to mitigate common ways of anonymous users identifying valid usernames on a Drupal site. Username enumeration is a technique used by malicious actors to identify valid usernames on a web application, which can then be used in other attacks such as credential stuffing. With this module you can get warnings on admin status reports if site configuration could expose usernames, prevent password reset form from displaying the following messages and convert 403 Access Denied responses to 404 Not Found on user profiles. PreviousNext is the supporting organization for this Drupal 9 security module.

For more details:

4. Disable Login

This Drupal 9 security module is for websites that are not open to the public and have no need for public user login requirements like in a blog or corporate website. It restricts access to the default Drupal login page from anonymous users. The module protects the login page with a secret key name-value pair which the admin can set. When accessed without the secret-key value pair, the default login page will show a message of access denied. This secret key can be programmatically modified to suit your requirements. Zyxware Technologies is the supporting organization for this module.

For more details:

5. Flood Control

This security module provides an interface for hidden flood control variables like login attempt limiters and makes it possible for site administrators to remove IP addresses and user IDs from the flood table. Finalist is the supporting organization for this Drupal 9 module.

For more details:

Flood Control Drupal
Flood Control Drupal

6. Two-Factor Authentication (TFA)

TFA is a base module for providing two-factor authentication for your Drupal site. Drupal provides authentication via a username and password while, TFA module adds a second step of authentication with a check like maybe a code sent to or generated by your mobile phone. This security module handles the work of integrating with Drupal, providing flexible and well tested interfaces to enable your choice of various two-factor authentication solutions. The module stores some sensitive data which it encrypts using the PHP OpenSSL extension, hence you will need to have the OpenSSL extension installed to use the module. Acquia is supporting the Drupal 7 development, is supporting the ongoing development and 1xINTERNET is supporting the Drupal 8 and Drupal 9 support.

For more details:
Documentation: Two-factor Authentication 7.x

7. Key

This Drupal 9 module provides the ability to improve Drupal security by managing sensitive keys like API and encryption keys. It gives site administrators the ability to define how and where keys are stored, which allows the option of a high level of security and allows sites to meet regulatory or compliance requirements. The security module provides an administration page where users with the "administer keys" permission can add, edit, and delete keys. Townsend Security had sponsored the initial development for this module and is supporting the ongoing maintenance with Cellar Door.

For more details:
Documentation: Key 7.x and Key 8.x

8. Encrypt

Encrypt is a Drupal security module that provides an API for performing symmetric or asymmetric encryption. It allows integrating modules to encrypt and decrypt data in a standardized manner. The module doesn't provide any user-facing features of its own, aside from administration pages to manage encryption profiles. You can create any number of encryption profiles that may then be used by other modules to encrypt and decrypt data. Townsend Security is supporting organization for this module.

For more details:
Documentation: Encrypt 7.x and Encrypt 8.x

9. Security.txt

The Security.txt module allows a drupal site to serve a security.txt file and provides a friendly administration user interface. It provides an implementation of the security.txt standard which is currently a draft RFC. The purpose of this Drupal 9 security module is to provide a standardized way to document your website’s security contact details and policy. This allows users and security researchers to securely disclose security vulnerabilities to you. It enables you to control the permissions granted to each role at /admin/people/permissions. You can also provide a digital signature for your security.txt file by following the instructions on the 'Sign' tab of the module’s configuration page.

For more details:

These modules will help you secure your Drupal 9 website and ensure that customer information is safe and you have taken all the necessary precautions. Which module would you recommend?

Note: This is a compilation of modules picked by our editorial team from

Important: The Author has written a similar article previously for Zyxware Technologies.

Note: The vision of this web portal is to help promote news and stories around the Drupal community and promote and celebrate the people and organizations in the community. We strive to create and distribute our content based on these content policy. If you see any omission/variation on this please let us know in the comments below and we will try to address the issue as best we can.

Related Organizations

Advertisement Here

Upcoming Events

Advertisement Here