241 Modules match your search

Extend and customize Drupal functionality with contributed modules. If a module doesn't quite do what you want it to do, if you find a bug or have a suggestion, then join forces and help the module maintainer. Or, share your own by starting a new module.


Image CAPTCHA example

A CAPTCHA is a challenge-response test most often placed within web forms to determine whether the user is human. The purpose of CAPTCHA is to block form submissions by spambots, which are automated scripts that post spam content everywhere they can. The CAPTCHA module provides this feature to virtually any user facing web form on a Drupal site.

Co-maintainer wanted

We do this our spare time, which is unfortunately almost nonexistent at the moment due to real life obligations. To give the CAPTCHA module the required level of maintenance, an extra co-maintainer would be welcome. If you're interested in helping with this very popular module, please contact me or open an issue in the CAPTCHA module issue tracker.




Uses the reCAPTCHA web service to improve the CAPTCHA system and protect email addresses.




This module implements the OAuth 1.0 standard for use with Drupal and acts as a support module for other modules that wish to use OAuth.



The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes. It has no UI of its own and will not do anything by itself; install this module only if some other module tells you to.

We're aware of the following modules using ACL (let us know if you know of others):


SpamSpan filter

The SpamSpan module obfuscates email addresses to help prevent spambots from collecting them. It implements the technique at the SpamSpan website (a German version is also available). The problem with most email address obfuscators is that they rely upon JavaScript being enabled on the client side. This makes the technique inaccessible to people with screen readers. SpamSpan however will produce clickable links if JavaScript is enabled, and will show the email address as example [at] example [dot] com if the browser does not support JavaScript or if JavaScript is disabled.

This technique is unlikely to be absolutely foolproof. It is possible in theory for a determined spambot to harvest addresses from your site no matter how you disguise them. But research suggests that the by far the great majority of spambots do not bother to attempt to collect addresses which have been hidden using JavaScript. Indeed, most spambots cannot currently read JavaScript at all.

Here are a links to the results of a few experiments into the efficacy of JavaScript obfuscation. Let me know if you know of any more.

http://www.cdt.org/speech/spam/030319spamreport.shtml (2003)


Search configuration

Combining both search forms, hiding fields, changed labels & reducing node types

This module has five main functions.

  1. Alter the appearance of the core node search form
  2. Group content types for more meaningful searching
  3. Restrict search results by the content type.
    This is a role based restriction.
  4. Restrict search results from showing individual items.
    Use search_config 7.x-1.1-beta2 or above.
  5. Alter the pager limit (aka number search item results per page).
    Usesearch_config 7.x-1.1-beta1 or above.

Admin user (uid 1) is exempt from restrictions.


Menu Admin per Menu

By default, Drupal allows only users with "administrer menu permission" to add, modify or delete menu items.
In case you want for instance to let certain users manage primary links or secondary links but not navigation menu, this module provides this functionality.

Try out a demonstration
Watch a screencast


Lightweight Directory Access Protocol (LDAP)


The Lightweight Directory Access Protocol (LDAP) project provides integration with LDAP for authentication, user provisioning, authorization, feeds, and views. It also provides apis and building blocks (query and server configuration storage) for other modules.


Taxonomy Access Control

Access control for user roles based on taxonomy categories (vocabulary, terms).


Password policy

This module provides a way to specify a certain level of password complexity (aka. "password hardening") for user passwords on a system by defining a password policy.


Administer Users by Role

This module allows site builders to set up fine-grained permissions for allowing users to edit and delete other users — more specific than Drupal Core's all-or-nothing 'administer users' permission. It also provides and enforces a 'create users' permission.

To use this module:


Image CAPTCHA Refresh

Image CAPTCHA Refresh


This module adds the link for refreshing image into very popular module for widget image_captcha.

If you're interested in helping with this or have problems with this module, please contact me or open an issue in the Image Captcha Refresh module issue tracker.


Secure Pages Hijack Prevention

#D7CX: This functionality is in Drupal 7 core so this module will not be ported. Please stay tuned for the securepages port.

This is an add-on to the Secure Pages module that will prevent hijacked sessions from accessing SSL pages, yet still allow users to stay logged in when browsing non-SSL pages.


Captcha Riddler

Captcha Riddler form


Captcha Riddler is a sub module of Captcha that lets site administrators create their own questions to foil automated spam bots.


Taxonomy Access Control Lite

This node_access module governs access to nodes based on the taxonomy terms applied to the nodes. A simple scheme based on taxonomy, roles and users controls which content is visible.


Node access user reference

Node access user reference settings added to user reference fields.

Gives content access permissions to users for content that references the users with User reference or Entity reference.


User registration password

Administration settings D7

Let users register with a password on the registration form when verification mail is required.


AES encryption

In short, here's what this module does:

For site owners:
This module can provide you with readable passwords. Some users will be able to see other users passwords in plain text if they have a role with the permission to do so.

For developers:
This module can provide you with a very simple and easy to use encryption API. Just check out the aes_encrypt and aes_decrypt functions. It really can't get any simpler.

In a nutshell:

$encrypted_data = aes_encrypt("mydata");
$decrypted_to_plain_text = aes_decrypt($encrypted_data);

Note: This module requires an AES implementation, which can be either the PHP Mcrypt extension or the PHP Secure Communications Library.

The Mcrypt extension needs to be installed on the web server, so if you're on a shared host you probably can't use this if it's not already installed (you'll find out if you have it or not when installing this module).

If you don't have Mcrypt, then grab a copy of PHP Secure Communications Library (phpseclib) from here: http://phpseclib.sourceforge.net/

Just extract that zip into a directory called "phpseclib" inside the aes module directory and you should be good to go.


Security Kit


Module provides Drupal installation with various security hardening options. This lets your mitigate the risks of exploitation of different web application vulnerabilities.

Cross-site Scripting
    Content Security Policy implementation via Сontent-Security-Policy (official name), X-Content-Security-Policy (Firefox and IE) and X-WebKit-CSP (Chrome and Safari) HTTP response headers (configuration page and reporting CSP violations to watchdog)
    Control over Internet Explorer / Apple Safari / Google Chrome internal XSS filter via X-XSS-Protection HTTP response header
    Fix of Drupal 6 core module Upload issue http://drupal.org/node/803430 (Drupal 7 version lacks this option as long as Upload was replaced with FileField module)
    Prevent content upsniffing and serving files with incorrect MIME-type via X-Content-Type-Options: nosniff HTTP response header
Cross-site Request Forgery
    Handling of Origin HTTP request header
    Implementation of X-Frame-Options HTTP response header
    JavaScript + CSS + Noscript protection with customizable text for disabled JavaScript message
    Implementation of HTTP Strict Transport Security response header, preventing man-in-the-middle and eavesdropping attacks



Site list, profile screen and memory report. See droptor.com/tour for more

Droptor is an easy way to organize, monitor, secure and tune all of your Drupal sites in one place.



Screenshots of htmLawed module (version 3) in Drupal 7

The htmLawed module enables the use of the htmLawed (X)HTML filter/purifier with text/input formats.

Two versions of the module are available. Unlike version 3, version 2 (available for Drupal 5 and 6) allows the use of different htmLawed filter-settings for teasers (including RSS newsfeed items), as well as comments and other types of input. It also provides an option to filter submitted content before it is stored in the database, and can be configured to use different settings for different content-types (node-types). In version 3, the latter functionality is missing since it is built in Drupal 7, and can be achieved using the Better Formats module in Drupal 6. The Sanitizable (formatted text) module can be used to filter submitted content before it is stored in the database in Drupal 7.

By appropriately setting the module, Drupal administrators who are PHP coders can further finely specify the htmLawed configuration (e.g., for user-specific settings). See the handbook for more on the module.

About htmLawed


Bad Behavior

Bad Behavior is a set of PHP scripts which prevents spambots from accessing your site by analyzing their actual HTTP requests and comparing them to profiles from known spambots. It goes far beyond User-Agent and Referer, however.


OG User Roles

OG User Roles allows group administrators of organic groups to grant additional user roles to individual members of a certain group.

Any additional permissions only apply within the context of this group and not globally. This means that the additional user roles to grant are determined and assigned by the requested page; e.g. node/123 belongs to group XYZ for which the user was granted additional roles. If the user goes to another page that does not belong to the same group, the additional user roles are no longer assigned.

Additional user roles can only be granted, not revoked.

Site administrators may also configure a default user role for new group members or a default user role for new group admins.



Encrypt is a two-way encryption API module for Drupal. It allows modules to store information in a manner that it can be read if the person trying to read it has access to the key that was used to encrypt the data. This is useful when your site needs to store secret information

Why Encrypt?

There is no native way to do two-way encryption in Drupal. There is also not a very standard way of performing encryption in PHP without extensions. There is not too much need for it, but every once in awhile there is a need to do something like store passwords in a database that you need to retrieve without a user involved, and some other various use cases (keeping secret information secret even if a database dump is lost/compromised). This module aims to make it easy for your module to keep data secured in an extensible way that does not inherently require any other dependencies.


This module is an API (Application Programming Interface) that other modules can use to encrypt data. It doesn't provide any user-facing features of its own (aside from an admin screen to control which keys are used).

At it's core, there are two functions:

// Encrypt data.
$encrypted_text = encrypt('some string to encrypt');
// Decrypt data.

Encryption Methods


Commerce File

Commerce File 7.x-1.x - field widget preview

Extends Commerce License with the ability to sell access to files.

The user buys a product and gets access to all files attached to that product's commerce_file field.
Adding new files to the commerce_file field (a new software version, for instance) makes them immediately available to all users who have an active license.

Sponsored by Commerce Guys


  • The "License completion message" checkout pane allows the customer to download the newly licensed files even if he is not logged in.
  • Licensed files can be downloaded or streamed from the user's Files tab.
  • File licenses can be time limited, and are automatically expired (by cron) once that time passes.
  • The number of downloads / streams can be limited. Once the limit is reached, the file is listed, but can't be accessed.
  • Integrates with Amazon S3, allowing licensed files to be retrieved directly from Amazon, using a secret and temporary URL.

See the documentation page for information on getting started and a comparison with the legacy commerce_file 1.x branch.