Is Drupal Secure?


Most websites only need to worry about automated security attacks. These kinds of attacks have a very low success rate, but they still happen. High-risk websites also have to worry about someone actively trying to hack their site. Usually this happens for one of a few reasons:

  • Your website has information worth stealing (ex. ecommerce site with membership records)
  • Your website has a lot of visitors
  • Someone wants to shut your website down


What is Security?

At the heart of information security is the "CIA security triad" of confidentiality, integrity and availability.
From Wikipedia:
  • Confidentiality: In information security, confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities or processes.
  • Integrity: In information security, data integrity means maintaining and assuring the accuracy and completeness of data over its entire life-cycle. This means that data cannot be modified in an unauthorized or undetected manner. This is not the same thing as referential integrity in databases, although it can be viewed as a special case of consistency as understood in the classic ACID model of transaction processing. Information security systems typically provide message integrity in addition to data confidentiality.
  • Availability: For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks, such as a flood of incoming messages to the target system essentially forcing it to shut down.
If you break any one of these components of the triad, your security is at risk.

Thinking Securely

Security is not a one-time event or thought. It's a frame of mind, a process. Educate yourself on site security and the risks you're facing. The less you know and the less you invest in your security, the more risk you face.
You have probably seen Drupal security in the news a lot lately because of the recent Panama Papers leak incident. According to The Guardian, this is one of the biggest leaks ever - larger than the US diplomatic cables released by WikiLeaks in 2010, and the secret intelligence documents given to journalists by Edward Snowden in 2013. There are 11.5m documents and 2.6 terabytes of information drawn from Mossack Fonseca’s internal database.
It's important to know that, at the time, the organization that was hacked had both WordPress and Drupal sites that were out of date. In addition, the servers weren't patched. These are the security issues that put the database of Mossack Fonseca, the world's fourth biggest offshore law firm, at risk. There were so many common security issues, in fact, that we may never know the true path the attacker took to get at the information.

Common Website Security Issues

Security involves the whole software stack, not just Drupal or whatever other application is in question. No system is immune to potential security problems. Read more about some of these top web security issues and how Drupal prevents them in Four Kitchens' article, "Is Drupal Secure? A High-Level Perspective on Web Vulnerabilities, Drupal's Solutions, and How to Maintain Site Security."
  • Cross-Site Scripting
  • Injection Flaws
  • Malicious File Extension
  • Insecure Direct Object Reference
  • Cross-Site Request Forgery
  • Information Leakage
  • Insecure Cryptographic Storage
  • Insecure Communications
  • Failure to Restrict URL Access
  • Unvalidated Input

How to Maintain Drupal Security

  • Run the latest version of Drupal: Drupal updates contain new features, bug fixes and security fixes. Updates help your site remain safe against common, easy-to-exploit vulnerabilities. Did you know that Drupal 6 is no longer supported?
  • Run the latest version of modules: Modules you've installed on your site can contain vulnerabilities that will increase the chance of your site being hacked. Make sure your modules are up-to-date.
  • Be selective in choosing your modules: The majority of security advisories in Drupal are associated with contributed modules. If you have a website that contains sensitive data, be wary of the security of contributed modules.
  • Remove inactive users: Users, especially administrators and others who have the ability to modify content, usually choose weak passwords. To limit the actions a compromised account could perform, remove inactive users or reduce their roles.
  • Use Drupal's Status Report functionality: Drupal's Status Report page gives you visibility into the important security controls you should be using on your site. For example, it will tell you whether Trusted Host Settings are configured, which prevents host header attacks from occurring.
  • Configure Trusted Host Settings: Drupal tries to automatically figure out the base URL of the site. This can result in a host header attack because the 'host' HTTP header can be forged by an attacker.
  • Keep an eye on your logs: Drupal has a built-in log viewer. By keeping an eye on logs, you can reduce the effects of a security breach by catching early warning signs such as failed login attempts.
  • Enable HTTPS: HTTPS should be used whenever a user is passing sensitive information to the web server and vice-versa, not just when your site contains elements such as shopping carts and Internet banking.
  • You should also have a testing environment set up and ready to evaluate updates for deployment. Drupal core updates typically come out on Wednesdays.
  • If you modify any Drupal core components, make sure to have a vendor branch management strategy to keep track of all your changes and still be able to upgrade.
  • Have code reviews
  • If you have very sensitive documents, store them separately from other resources. Attackers can use one site to get access to other sites on the same server. Isolate your projects by site and by sensitivity level.
  • You can work with Drupal's Security Team to keep your project secure. Subscribe to Drupal's security notification lists to stay updated on what the team is working on, what the latest issues are, and how to keep your site secure.
  • If your team is new to Drupal, work with a vendor. Interested in our security or migration services? Sanmita provides a broad spectrum of web design services, ranging from consulting to production and maintenance of websites and web applications. Contact us today to learn more about how we can help secure or upgrade your website.
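The "Configure Trusted Host Settings" item above refers to the `trusted_host_patterns` setting in Drupal 8 and later's settings.php. The block below is an added example, not code from the original post or from Drupal itself: it shows the weak (unset) configuration beside a corrected one, and adds a small stand-alone checker that approximates how Drupal's HTTP layer applies the patterns, so you can see which Host headers would be accepted. The hostnames are constructed placeholders.

```php
<?php
// Added example (not part of the original post or of Drupal core).
// Hostnames below are constructed placeholders.

// Weak: no patterns configured. Drupal then derives its base URL from
// whatever Host header the request carries, which is what makes host
// header attacks possible. The Status Report page flags this state.
// $settings['trusted_host_patterns'] = [];

// Corrected: anchored regular expressions, one per hostname you actually
// serve. The ^ and $ anchors matter: without them a longer hostname that
// merely contains your domain would also match.
$settings['trusted_host_patterns'] = [
    '^www\.example\.com$',      // production hostname
    '^example\.com$',           // bare domain
    '^staging\.example\.com$',  // staging environment
];

// Approximation (an assumption, not Drupal's own function) of the check
// performed for each request: strip any port, then test the hostname
// against each pattern case-insensitively.
function host_is_trusted(string $host, array $patterns): bool
{
    $host = strtolower(preg_replace('/:\d+$/', '', $host));
    foreach ($patterns as $pattern) {
        if (preg_match('{' . $pattern . '}i', $host)) {
            return true;
        }
    }
    return false;
}

// Constructed Host header values and the outcome each should produce.
$cases = [
    'www.example.com'         => true,
    'WWW.EXAMPLE.COM:8080'    => true,   // case and port are ignored
    'evil.example.com'        => false,  // subdomain not listed
    'www.example.com.evil.io' => false,  // longer name, blocked by the $ anchor
    'attacker.net'            => false,
];
foreach ($cases as $host => $expected) {
    $result = host_is_trusted($host, $settings['trusted_host_patterns']);
    printf("%-28s %s\n", $host, $result ? 'trusted' : 'REJECTED');
    assert($result === $expected, "unexpected result for $host");
}
```

Drupal 7 has no equivalent setting; there you pin `$base_url` in settings.php instead of relying on the detected host.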

The Drupal Security Team

As you may already know, Drupal is an open source platform for building websites and applications. It's currently one of the largest open source projects in the world, alongside Linux, Apache, and Mozilla. To learn more about Drupal, its core concepts, and capabilities, check out our in-depth blog post, The Least You Should Know About Drupal.
Over 15,000 developers write code for, and deploy websites and applications on, Drupal. In 2005, Dries Buytaert, the founder and project lead of Drupal, and a team of contributors started talking about Drupal security. The challenge: how could they combine openness and security to keep Drupal thriving and secure?
Drupal's code has to meet the very strict requirements of banks, health-care providers, and governments. Its security processes need to be carried out quickly and discreetly in order to fix any problems that arise before they become widely known or exploited. Contrary to popular belief, "security by obscurity" doesn't exactly work. Having open code can actually result in greatly improved security because anyone can find and fix any issues you come up against. You have the benefit of thousands of developers working on your code base. Anyone else's bug fix becomes your bug fix, too! Security experts regularly scrutinize Drupal's codebase and continue to judge it secure enough for their own critical sites and applications.
The Drupal Security Team was established in 2005 to help make Drupal as secure as possible. Today, the Drupal Security Team is an all-volunteer, mature, diverse group made up of the world's leading web-security experts. Members of the team are always available to assess, evaluate and address issues affecting Drupal's security.
This group assists in handling most of the security issues across the Drupal project: its core and its stable contributed modules (plug-ins). Modules with "development" releases, or modules without supported stable releases, are not addressed by the Security Team. If you're considering using development or beta-release modules, it's advised that you ask the maintainer to create a stable and supported release.
With more than 700,000 people running over 1 million websites on Drupal, new vulnerabilities can be quickly identified and confidentially reported to the Drupal Security Team.

The Security Release Process

  1. Vulnerability in code discovered - Anyone can identify and report a security issue to the team. To report an issue, read and follow the Drupal guide on how to report a security issue.
  2. Issue reported privately to Security team - Security issues are handled confidentially unless a vulnerability requires advanced permissions or access to exploit. In this case, the team encourages maintainers to fix these issues publicly because they don't represent a true threat on their own.
  3. Issue reviewed, potential impact on all supported Drupal releases evaluated - There are two major release series supported at any given time. Currently, Drupal is running versions 7.x and 8.x. Drupal 6 will no longer be supported. You should always run an update to the most current version of the series you're using. We'll come back to this later.
  4. If the threat is valid, Security Team mobilized for analysis - The maintainer is notified.
  5. Security team provides support. Maintainer fixes the issue - Maintainers, testers and other interested parties collaborate to find a solution on a private, secure issue tracker.
  6. Fixes reviewed and discussed - Steps 1 through 4 continue until the Security Team and module maintainer are satisfied with the security issue.
  7. Code patches created and tested - The team tests the new code to make sure it doesn't introduce any new security issues.
  8. New, fixed versions made available on
  9. Security advisory written and published via website, newsletter, RSS feeds for core and contributed modules, Twitter, etc.
  10. New versions deployed on all sites - You can find the "available updates" report on your Drupal site. This will tell you whether your Drupal core and contributed module versions are up-to-date, and gives you download links and release notes for any new versions. These updates are not automatic, so remember to check and update regularly to keep your site as secure as possible.

If Your Site is Hacked or Defaced

Attacks on a site can happen in a number of ways, and attackers gain access to servers using a variety of methods. Your first step in addressing the issue is to rule out other attack vectors. For example, a hacker can gain entrance to a highly protected site through another, less protected site on the same server. As mentioned previously, it's also very important to make sure you're not running an out-of-date Drupal version.
While the Security Team doesn't address issues on a site-by-site basis, they are interested in hearing about any issues you run into. You can help prevent similar events from happening to others, and in turn the team can better protect the Drupal community as a whole. Let them know what happened by using this template.

Want more? Sign up to get our monthly newsletter delivered directly to your inbox. Receive links to the latest Drupal and web-related articles, best practices, and thought-leadership commentary.