Imposing Login Limits to Protect Drupal Websites

Drupal is open source software that is used to organize, manage and publish content. Thousands of individuals, global corporations, and organizations use Drupal for personal and professional purposes. According to Drupal’s website, the free software is maintained and developed by a community of more than 630,000 users and developers. As an open-source software, the community is responsible for maintaining and improving the services of Drupal, including its security.

There are modules contributed by the Drupal community that you can install for free to enhance the security in Drupal. As a first line of defense, you can implement a login limiter to limit the number of allowed login attempts. To give hackers a hard time in accessing your site, here are five login limiters that you can use.

1. Login Security. This module improves security when logging in a Drupal site. An administrator can restrict access by adding control features in the login page. With the Login Security Module, the administrator can limit the number of invalid login attempts before blocking accounts, or deny access by IP address. Login Security can also disable Drupal core’s login error messages, making it difficult for an attacker to know whether the account exists.

2. Restrict Login. Restrict Login allows an administrator to specify an IP address or a range that a user is allowed to be logged in from. With this module, a global IP address or range may also be defined for all users and their roles. This prevents unauthorized access when the IP address does not match the IP address assigned to the user or user role.

3. Session Limit. This module allows an administrator to limit the number of simultaneous sessions per user. When a user exceeds the defined maximum number of sessions, Session Limit will force the user to log out for extra sessions. For example, if the administrator specified one session limit, if a user is logged in to a Drupal site from his work computer and then he logs in his home computer, he would be forced to either log off the work computer session or cancel the login from home.

4. Services Login Limiter. This is a sandbox project or an experimental project for developer use only and is not yet available for general use. The Service Login Limiter limits a user to log in to Drupal through a Services Resource. This is needed by mobile application developers creating Android applications. With this module, users who try to log in via browser are logged out immediately.

5. Secure Login. This module allows the user login and other information to be submitted securely via HTTPS which prevents passwords and other sensitive data from being transmitted in clear text. It is developed for sites that want to offer anonymous sessions via HTTP or HTTPS and authenticated sessions only via HTTPS. Secure Login is available for Drupal 7.

There are numerous modules which can help with security in Drupal sites. By default, Drupal is fairly secure but as Benjamin Franklin said, “An ounce of prevention is worth a pound of cure.” It is better to be safe and implement tight security in your Drupal site than be negligent and expose your site to unwanted access from hackers.