Secure your site

How hard would it be to secure a Drupal site? Not that hard really: all you need is to make sure your hosting has SSL set up and working, then redirect all traffic from HTTP to HTTPS. But is redirecting all the traffic to HTTPS the most efficient way? What if you only want the login form or admin section secured? Thankfully there is a module out there to help you out. Let me present to you the Securepages module.

In this article I'll show you how to set up the Securepages module on a Drupal site. All that is required is Drupal 5.1, the Securepages module and hosting set up with SSL. I’m using XAMPP, which has a shared SSL certificate. It does the job when trying to find out if a page has changed to HTTPS. Make sure your production server has SSL set up and working.

Install

Installing Securepages is pretty straightforward.

  1. Copy the tar content to sites/all/modules
  2. Head over to Administer >> Modules, then enable the module.

Configuration

To configure Securepages, go to Administer >> Secure Pages. The settings page is simple, but there are a few things you can change.

1. Check box “Switch back to http pages when there are no matches”

If the actual content of your site is not sensitive data, I recommend you check this box. The module checks whether the current page matches any of the pages specified to be secure. If there are no matches, it switches back to HTTP. This will take a lot of load off your server when just browsing the site.

2. Pages which will be secure

Leave the radio button set to “Make secure only the listed pages”. This means that any Drupal paths specified in the “Pages” textarea will be secure. Note that the paths in the textareas are Drupal paths, not URL aliases. If you created a page with a URL alias, so that www.example.com/node/1 is served as www.example.com/top_10_list_of_something, and you want that page secure, make sure to use the Drupal path (node/1). So simply add node/1 to the “Pages” textarea.

3. Ignore pages

This option simply states that any pages in this textarea will not be forced to be HTTPS or HTTP. The module will simply ignore the specified pages. Again, remember to add only Drupal paths, not just URLs.
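
To see how the three settings interact, here is a small Python model. It is an added example, not code from the Securepages module; the alias table, the function names, the `*` wildcard and the rule that the ignore list is checked first are assumptions made for illustration. It shows why listing a URL alias instead of the Drupal path leaves the page on HTTP.

```python
import re

# Constructed alias table: URL alias -> internal Drupal path (the article's example).
ALIASES = {"top_10_list_of_something": "node/1"}


def matches(internal_path, patterns):
    """True if the internal path matches any line of a textarea value.

    Assumption: one pattern per line, '*' matches any run of characters.
    """
    for line in patterns.splitlines():
        pattern = line.strip()
        if not pattern:
            continue
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, internal_path):
            return True
    return False


def target_scheme(scheme, request_path, pages, ignore="", switch_back=True):
    """Return the scheme ('http' or 'https') the request should end up on."""
    # Matching is done on the Drupal path, so resolve the alias first.
    internal_path = ALIASES.get(request_path, request_path)
    if matches(internal_path, ignore):
        return scheme      # ignored pages are never forced either way
    if matches(internal_path, pages):
        return "https"     # listed pages are always secured
    if switch_back and scheme == "https":
        return "http"      # no match: drop back to plain HTTP
    return scheme


if __name__ == "__main__":
    pages = "user/*\nadmin*\nnode/1"  # hypothetical contents of the "Pages" textarea
    for path in ("top_10_list_of_something", "user/login", "node/2"):
        print(path, "->", target_scheme("https", path, pages))
    # Listing the alias instead of node/1 leaves the page unsecured:
    print(target_scheme("http", "top_10_list_of_something", "top_10_list_of_something"))
```

After changing the “Pages” list on a real site, request each sensitive page by its alias over HTTP and confirm that it ends up on HTTPS.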