Drupal is a registered trademark of Dries Buytaert
Protected Pages 3.0.0 Major update available for module protected_pages (3.0.0). Commerce Core 3.3.8 Minor update available for module commerce (3.3.8). Search API HTML Element Filter 1.0.7 Minor update available for module search_api_html_element_filter (1.0.7). Layout Builder Reorder 2.0.1 Minor update available for module layout_builder_reorder (2.0.1). Ban 1.1.0 Minor update available for module ban (1.1.0). Field Formatter Range 2.0.0 Major update available for module field_formatter_range (2.0.0). Field Formatter Range 8.x-1.8 Minor update available for module field_formatter_range (8.x-1.8). Varbase Media Header 9.2.1 Minor update available for module varbase_media_header (9.2.1). Search API Solr 4.3.11 Module search_api_solr updated after 14 months of inactivity (4.3.11). Provus Mega Menu Module provus_mega_menu crossed 1,000 active installs.

Security Review

17,411 sites Security covered
View on drupal.org

The Security Review module automates testing for common security mistakes on your website. It checks for issues like insecure file permissions, dangerous text formats, and unsafe uploads, providing a checklist to help you manually secure your site.

The Security Review module automates testing for many of the easy-to-make mistakes that render your site insecure.

Get started easily

It's quick and easy to get started. Download and enable the module and just hit the "Run checklist" button to see results. This module is meant to run in your production environment. You might choose to run it in other environments (if you have them), but some checks need to run in production to be effective.

Features

Security Review runs the following checks:

  • Safe file system permissions (protecting against arbitrary code execution)
  • Text formats don't allow dangerous tags (protecting against XSS)
  • PHP or Javascript in content (nodes and comments and fields in Drupal 7)
  • Safe error reporting (avoiding information disclosure)
  • Secure private files
  • Only safe upload extensions
  • Large amount of database errors (could be sign of SQLi attempts)
  • Large amount of failed logins (could be sign of brute-force attempts)
  • Responsible Drupal admin permissions (protecting against access misconfiguration)
  • Username as password (protecting against brute-force)
  • Password included in user emails (avoiding information disclosure)
  • PHP execution (protecting against arbitrary code execution)
  • Base URL set / D8 Trusted hosts (protecting against some phishing attempts)
  • Views access controlled (protecting against information disclosure)

This module does not automatically make changes to your site. You should use the results of the checklist and its resources to manually secure your site. The results of some checks may be incorrect depending on unique factors of your site.

Note that the checks provided by this module do not make for a fully secure site. Security is a process, so you should work to pass all of the Security Review checks and also audit your site for risks this module cannot check for (see below for info on one provider of those services).

Consult the README.txt for 8.x or 7.x for more information on installation and usage.

More information about security in Drupal

You may also be interested in:

Activity

Total releases
3
First release
Jan 2026
Latest release
1 week ago
Releases (12 mo)
3 ▲ from 0
Maintenance
Active

Release Timeline

Releases

Version Type Release date
4.0.x-dev Dev Jul 9, 2026
3.1.3 Stable Jan 23, 2026
3.1.2 Stable Jan 2, 2026