Keeping Things Secure with Drupal

By Elizabeth Clor

Drupal is a behemoth in the content management world. The 20 year-old open-sourced content management system powers over 600,000 websites. And for good reason, the open-sourced offering is highly customizable and always improving thanks to its strong community. But with great power comes great responsibility: from managing every piece of data that goes into Drupal to eliminating threats like data breaches and cyber intrusions that bombard its battle-tested CMS platforms. Securing Drupal sites is vital to the data and digital asset protection of companies, developers and end users visiting Drupal sites every day.

Drupal Security Overview

Drupal’s platforms have built-in security protocols and Drupal has a lengthy record of quality site performance in the face of threats. But attackers can still find, and take advantage of, vulnerabilities to steal sensitive data, take control of servers hosting Drupal, post malicious or offensive content on a website powered by Drupal, or other serious breaches. 

As we detail in our guide to Drupal Security (required reading), every platform is outfitted with the following built-in features with the possibility of a breach in mind:

Password-based authentication: Access to Drupal accounts is secured using encrypted passwords. In addition, Drupal is designed to detect and automatically shut down individual efforts to guess a password by cycling through different possibilities.

Role-based access control (RBAC): Drupal has an RBAC framework that allows admins to assign different levels of permission to different accounts. For example, an admin can mark some accounts with read-only access permissions for website content, while allowing other accounts to modify the content.

Data validation: The Drupal API performs some automatic checks to help sanitize data and prevent attacks that mess with its integrity.

Anti-DDoS: Drupal platforms cache content to help mitigate the impact of distributed denial of service (DDoS) attacks aimed at overwhelming a website with malicious requests.

Drupal Security Best Practices

Effectively securing Drupal requires a clear understanding of Drupal's security features, ongoing familiarization with its security vulnerabilities and keeping tabs on best security practices. This is especially true for companies beholden to compliance frameworks, such as HIPAA, PCI DSS and FedRAMP. 

In order to protect your Drupal platform and help your team stay one step ahead (or, at least, parallel with) attackers, follow these best practices:

Take stock of security protocols and needs upfront. Ask questions like: Do your Drupal-based sites host any especially sensitive data? Are they subject to HIPAA, PCI DSS, FedRAMP, or other compliance requirements? Are they subject to regulations like the GDPR or CCPA based on the location of an organization or Drupal site users? Answering questions like these will help you and your team identify potential security threats and set up an overall plan for guarding against them. It will also help you determine which specific issues to prioritize when working to secure your Drupal deployments on a rolling basis.

Keep your Drupal installation up-to-date. Take steps to ensure all updates are implemented and you’re using the latest version of Drupal modules. It’s the simplest way to keep sites secure because updates are automatically available and perpetual as long as the Drupal platform is active (currently active CMS platforms include Drupal 7,8 and 9). To do so, select Manage in the Drupal admin page, click on Reports and then choose Check Manually (pictured below):

Drupal user interface graphic

Scan your site(s) regularly. You can use Drupal-specific online services, like Drupal Security Scan, or open-source tools, like Droopescan, to complete scans designed to identify pending module or platform updates, expose potential security vulnerabilities and surface Drupal issues that need to be swiftly addressed before an attacker exploits them.

Take advantage of Drupal’s built-in RBAC to manage user permissions. Admins have the ability to configure exactly what actions accounts can and can’t take—use the power to keep track of activity and potential vulnerabilities.

Pick a web host that prioritizes security. We’re biased, but selecting an external partner that values—and actively works to maintain—security is a wise step toward complete Drupal site protection. In addition to helping clients meet standard compliance regulations within specific industries, an external hosting partner should manage Drupal platform upgrades as well as data recovery and backup solutions. A key security role for an external partner should be to ensure a client’s Drupal site installs the latest version and deploys security patches when necessary to maintain site performance and customer experience integrity.

This is just a selection of the most universal security steps you can take to protect your Drupal sites and—in the process—your livelihood. 

Take the Reigns of Drupal Security

Optimizing and maintaining Drupal security is objectively challenging because attackers can attempt to breach sites in countless ways from a full DDoS attack to a casual password cycle through. On top of everything, it doesn’t matter how much Drupal experience or expertise you or your IT team possesses. The fact is that the emergence of new and unexpected Drupal security flaws, risks and vulnerabilities for developers and IT teams to keep track of—or track down—will never cease. Because of this, partnering with a team of experts who specializes in supporting and optimizing Drupal and other business-critical apps can boost overall security while keeping tabs on common or specific threats to Drupal sites—from relentless malicious requests that override security protocols to complete data breaches.

Find out how Contegix can help by requesting more information about our comprehensive Drupal services.

New call-to-action