UniForce the Security Extension for Websites on Drupal 9, 10

Here is a brief tutorial on incorporating key security features into a Drupal website. Before delving into the details, let's explore the rationale behind opting for UniForce.

UniForce serves as an extension compatible with any PHP site, CMS, or framework. It provides the following functionalities:

1. Conducting one-time and daily automatic tests to detect existing malware and viruses within the site's files.
2. Utilizing the UniForce Security FireWall to control and restrict website access.
3. Safeguarding a website from exploit attacks, XSS attacks, and SQL injections.
4. Defending against password guessing through brute-force attacks.

Developed by CleanTalk, a company specializing in Anti-Spam, Security, and Monitoring services for websites, this application has been active in the market since 2012, serving over 800,000 sites to date.

We commonly refer to UniForce as Universal Security Plugin suitable for every CMS.

1. Download the latest and greatest UniForce build https://github.com/CleanTalk/php-usp/releases/download/3.9.0/uniforce-3.9.0.zip.
2. Unzip the archive inside your website root folder (usually the "web" folder). You should see a folder named "uniforce" in the root of your website. Example,

shagimuratov@mbair-ds web % ls -al          
total 112
drwxr-xr-x  21 shagimuratov  staff   672 Jan 12 14:16 .
drwxr-xr-x   8 shagimuratov  staff   256 Jan 11 18:50 ..
-rw-r--r--   1 shagimuratov  staff  1025 Jan 11 18:50 .csslintrc
-rw-r--r--   1 shagimuratov  staff   151 Jan 11 18:50 .eslintignore
-rw-r--r--   1 shagimuratov  staff    41 Jan 11 18:50 .eslintrc.json
-rw-r--r--   1 shagimuratov  staff  2467 Jan 11 18:50 .ht.router.php
-rw-r--r--   1 shagimuratov  staff  8024 Jan 11 18:50 .htaccess
-rw-r--r--@  1 shagimuratov  staff    87 Jan 11 18:50 INSTALL.txt
-rw-r--r--   1 shagimuratov  staff  3205 Jan 11 18:50 README.md
-rw-r--r--   1 shagimuratov  staff   315 Jan 12 11:17 autoload.php
drwxr-xr-x  52 shagimuratov  staff  1664 Jan  5 03:27 core
-rw-r--r--   1 shagimuratov  staff  1495 Jan 11 18:50 example.gitignore
-rw-r--r--   1 shagimuratov  staff   549 Jan 11 18:50 index.php
drwxr-xr-x   4 shagimuratov  staff   128 Jan 12 11:17 modules
drwxr-xr-x   3 shagimuratov  staff    96 Jan 11 18:50 profiles
-rw-r--r--@  1 shagimuratov  staff  2027 Jan 11 18:50 robots.txt
drwxr-xr-x   7 shagimuratov  staff   224 Jan 11 18:50 sites
drwxr-xr-x   3 shagimuratov  staff    96 Jan 11 18:50 themes
drwxr-xr-x@ 15 shagimuratov  staff   480 Jan 12 11:22 uniforce
-rw-r--r--   1 shagimuratov  staff   804 Jan 11 18:50 update.php
-rw-r--r--   1 shagimuratov  staff  4039 Jan 11 18:50 web.config
shagimuratov@mbair-ds web % ls -la uniforce 
total 48
drwxr-xr-x@ 15 shagimuratov  staff   480 Jan 12 11:22 .
drwxr-xr-x  21 shagimuratov  staff   672 Jan 12 14:16 ..
-rw-r--r--@  1 shagimuratov  staff   205 Oct 12 15:27 .htaccess
drwxr-xr-x@ 18 shagimuratov  staff   576 Oct 12 15:27 css
drwxr-xr-x@  8 shagimuratov  staff   256 Oct 12 15:27 data
drwxr-xr-x@  9 shagimuratov  staff   288 Oct 12 15:27 img
drwxr-xr-x@ 10 shagimuratov  staff   320 Oct 12 15:27 inc
-rw-r--r--@  1 shagimuratov  staff  1666 Oct 12 15:27 index.php
drwxr-xr-x@ 18 shagimuratov  staff   576 Oct 12 15:27 js
drwxr-xr-x@  6 shagimuratov  staff   192 Oct 12 15:27 lib
drwxr-xr-x@  3 shagimuratov  staff    96 Oct 12 15:27 replacement
-rw-r--r--@  1 shagimuratov  staff  1265 Oct 12 15:27 router.php
-rw-r--r--@  1 shagimuratov  staff  4343 Oct 12 15:27 uniforce.php
-rw-r--r--@  1 shagimuratov  staff    32 Oct 12 15:27 version.php
drwxr-xr-x@  8 shagimuratov  staff   256 Oct 12 15:27 view
shagimuratov@mbair-ds web % 

Make sure your web server has access to the UniForce files, usually www-root or www-data should be set as the files owner,

sudo chown -R www-root:www-data uniforce
sudo chmod -R o+rw uniforce

3. Go here in your browser: SITE.COM/uniforce/index.php

4. Enter your email address and password to set up access to the UniForce settings.
5. Sign up for a CleanTalk account to get your Access key https://cleantalk.org/register?product_name=security
Fill in the Access key in the same form as on step 5.

6. (Optional) In "Additional scripts", write the path to your index.php or any other index file which you use to route requests to your site.
7. Then press the button "Install" to run the installation.
8. By default, UniForce edits the file index.php in the root folder and doesn't touch anything else. You can specify additional admin page URLs in the field "Additional scripts", just separate them by commas in the "Advanced configuration" section.

DRUPAL_ROOT/index.php
Code injection by UniForce to run FireWall and Brute-Force Protection.

//cleantalk-usp/bottom_code/start
        
if(ob_get_contents()){
ob_end_flush();
}
        if(isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest'){
                die();
        }
//cleantalk-usp/bottom_code/end

9. You should see a Summary page in case of success.

10. On the Settings page in the Admin page URL put the URL of your admin page, for example '/admin' and turn Brute-Force Protection on.

11. On the Malware Scanner page run the first scan. Here the app shows all found dangerous and suspicious files. Usually it takes up to 60 minutes to finish scanning.

12. You can see your Security Firewall Logs, add a new site and manage the existing sites on the Security Dashboard page.
13. To troubleshoot any issues, post a support request here: https://cleantalk.org/my/support/open

Periodical Updates of the Installed Extensions

I also recommend doing periodic updates of all installed Drupal extensions, which you can find there,

DRUPAL-SITE.COM//en/admin/modules/update
or Drupal Admin -> Administration -> Extend -> Update

It helps to keep all your installed extensions free of known vulnerabilities. Drupal publishes known security issues here https://www.drupal.org/security.