Security Review

The Security Review module automates testing for many of the easy-to-make mistakes that render a site insecure. This module does not make changes to a site. You must use the results to manually secure your site. For more informtion on security, see the Drupal Security Report. Security Review runs the following checks:

  • Safe file system permissions (protecting against arbitrary code execution)
  • Text formats don't allow dangerous tags (protecting against XSS)
  • PHP or Javascript in content (nodes and comments and fields in Drupal 7)
  • Safe error reporting (avoiding information disclosure)
  • Secure private files
  • Only safe upload extensions
  • Large amount of database errors (could be sign of SQLi attempts)
  • Large amount of failed logins (could be sign of brute-force attempts)
  • Responsible Drupal admin permissions (protecting against access misconfiguration)
  • Username as password (protecting against brute-force)
  • Password included in user emails (avoiding information disclosure)
  • PHP execution (protecting against arbitrary code execution)
  • Base URL set (protecting against some phishing attempts)
  • Views access controlled (protecting against information disclosure)
Module category: 
Security
Recommendation: 
Project ID: 
security_review