Gigantic lock on bank safe

As time goes by, more and more of our personal information and daily activity gets drawn into the online world. The onset of the COVID-19 pandemic certainly accelerated this process. In the blink of an eye, remote working became the new standard, and people pushed into extended isolation needed to rely more heavily on the internet for entertainment and education.

This has significantly elevated the importance of website security. It was always worth investing in, but the potential consequences of being hacked are so much worse today. With myriad user accounts holding high-value personal and professional data and being brought together through social logins, weak security in one link of the chain can lead to everything being compromised.

Accordingly, if you run a company with a significant online presence (which should be almost every operation at this point), you need to put time and effort into ensuring that your business website is secure. In this post, we’ll consider how you can achieve this using Backdrop CMS as your foundation. Let’s get started, shall we?

Train your employees in best practices

Security threats to your website won’t always come from users, as it’s entirely possible for your employees to cause some major problems (whether accidentally or intentionally). Unless you only hire people with extensive IT expertise, you’ll need to consider that knowledge of basic security principles will vary wildly.

Some of your employees will be computer experts, accustomed to everything from multi-factor authentication to using Virtual Private Networks (VPNs) when downloading files. Others will know how to access their emails and use their smartphones but otherwise won’t have much awareness of how web systems work.

Back when office life was normal, employees could be monitored to ensure adherence to best security practices, but that’s much tougher with remote working. Accordingly, you should commit to general security training, covering matters like using strong passwords, storing passwords securely, and limiting access to vital systems to only those given express permission.

Install relevant Backdrop CMS modules

When you use Backdrop CMS for your website, you’re not limited to the features that come by default, because there are myriad modules available for it — some directly from Drupal, and others developed separately. Usefully, there are various modules that can help you improve the security of your website, and you should take advantage of this.

  • Take the Security Review module, for instance, which will automatically carry out various configuration checks and identify notable points of insecurity in your setup. If you weren’t absolutely sure of every part of the setup process, this can provide confirmation of whether anything was configured incorrectly. It can’t solve every problem, of course, but it can help prevent common mistakes.
  • The HTTP Strict Transport Security module is useful for those who can't change their web server's configuration to include the HSTS header, which declares that web browsers should automatically interact with it using only secure connections. It helps to protect websites against man-in-the-middle attacks.  
  • The Previous login module will show you the last time you logged in to your site. By viewing the previous login, people have the opportunity to notice and report suspicious activity on the site.
  • Another commonly used module is the Disable login errors module. This module can make it significantly harder for your customers to log in to your site, but it also makes it much harder for bots to cheat their way in through informed guesswork. When someone fails to log in, they won’t see any messages confirming the validity of the username they entered, or giving them any other information they could use to steer social engineering attempts.

Set appropriate user permissions

Speaking of permissions, you should make use of the robust user permissions system baked into Backdrop CMS. There are some who make the basic mistake of giving all their employees admin accounts, simply trusting that they won’t use them to make sweeping changes — but such changes aren’t always deliberate. Excess permissions is a bad idea in Windows, and it’s a bad idea in a CMS.

If you give someone extensive control over a system when you only ever need them to make simple tweaks, you’ll only have yourself to blame in the event that they mistakenly click on the wrong thing and cause a system-wide calamity. Admin access should only be granted to those who explicitly require it to do their jobs effectively. Otherwise, keep permissions reined in.

Roll out updates as soon as possible

Lastly, but not the least significantly, you must maintain the habit of updating your system on a regular basis. New security vulnerabilities are found and fixed frequently, and those fixed are included in Backdrop CMS core updates (and in updates to modules). Sticking with an old version could leave you vulnerable to a range of attacks that wouldn’t be threatening if you were on the latest version.

Now, this doesn’t mean that you don’t need to know anything about an update before you install it. You should know what the goal of the update is, what changes it makes, and how it might affect the rest of your system. Checking the release notes first will allow you to prepare for any changes.

But don’t allow your system to fall too far behind, particularly when a security update is released. Continue to check this blog for announcements about each new minor version of Backdrop CMS, and you’ll remain apprised of all the most important developments.


Wrapping up, though Backdrop CMS is a highly-secure system from the outset, there are various things you can do to improve security — both in the system itself and in your approach to using it, through your update process and the actions of your employees. Make a long-term commitment to securing your website and you’ll be able to proceed with a lot more confidence that all your hard work will be protected.

Please note, all thoughts and opinions within this article are that of the author.