A Guide to Drupal Security: Recommendations, Vulnerabilities, and More

Drupal is an open source content management system (CMS) that powers more than 600,000 websites. Created in 2000, Drupal is one of the oldest CMS platforms still in widespread use today.

While Drupal is well-established and popular, it is subject to a wide range of potential security vulnerabilities like any CMS. Attackers can take advantage of these exploits to steal sensitive data, take control of servers hosting Drupal, post malicious or offensive content on a website powered by Drupal, and more.

Drupal offers some built-in security features to help mitigate these concerns, but any organization that uses Drupal should take additional steps to fully secure its Drupal installations. This is especially true for companies that are subject to compliance frameworks such as HIPAA, PCI DSS, and FedRAMP. Effectively securing Drupal requires understanding Drupal's security features, learning about its security vulnerabilities, and knowing best practices for keeping it secure.

How Secure is Drupal?

Drupal is designed to be as secure as possible by default. It comes with a variety of security features that help protect against several types of threats:

  • Password-based authentication: Access to Drupal accounts is secured using encrypted passwords. In addition, Drupal is designed to detect brute-force password attacks — attempts by an attacker to guess a password by cycling through different possibilities — and shut them down automatically.
  • Role-based access control (RBAC): Drupal has an RBAC framework that allows admins to assign different levels of permission to different accounts. This makes it possible to allow some users to perform certain actions that are disabled for other accounts. For example, you could assign read-only access permissions for website content to some accounts, while other accounts have the ability to modify the content.
  • Data validation: The Drupal API performs some automatic checks to help sanitize data and prevent injection attacks.
  • Anti-DDoS: Drupal caches content to help mitigate the impact of distributed denial of service (DDoS) attacks, which attempt to overwhelm a website with malicious requests in order to shut it down.

Drupal 7 vs. Drupal 8 vs. Drupal 9

The version of Drupal that your organization uses plays a role in determining how secure your deployment is out-of-the-box. Drupal 8, the most recent Drupal release, comes with more security features built into Drupal Core. In Drupal 7, an older release that is still used by many companies, some security features are available only by installing modules, and others, like Drupal 8’s use of Twig, are completely absent. Drupal 8 also supports more recent versions of PHP with attendant additional security features. Consider upgrading to Drupal 8 to take advantage of these benefits and others.

Drupal 9, which is scheduled for release in June 2020, is expected to include all of the security features of Drupal 8. Drupal 9 will also be actively supported with security fixes and other updates after Drupal 7 and 8 reach their end-of-life date — the time when support by Drupal developers will cease — in November 2021. For these reasons, it's wise to plan to update to Drupal 9 after it is released.

Vulnerabilities

Drupal enjoys a reputation as being more secure overall than other popular CMS platforms. It benefits from an active security team of developers who work to identify, announce, and resolve security issues in Drupal. The fact that Drupal is open source also helps to mitigate security problems, as anyone can view its source code and inspect it for vulnerabilities.

Despite this, security vulnerabilities in Drupal do arise, and remote code execution attacks are among the most dangerous. In this type of exploit, an attacker executes malicious software on the system that hosts a Drupal installation. Two major remote code execution vulnerabilities that impacted both Drupal 7 and 8, known as drupalgeddon2 and drupalgeddon3, were announced and fixed in 2018.

Other common types of Drupal vulnerabilities include access bypass vulnerabilities, which make it possible for users to access content that they should not be allowed to access, and denial of service vulnerabilities, which let attackers disable Drupal sites.

Security advisories

When a security vulnerability in Drupal is discovered, the Drupal community issues security advisories. Each advisory includes information about the type of attack and the conditions under which it can be carried out. Some vulnerabilities impact all Drupal installations, while others only affect certain modules or require certain Drupal configurations.

The official list of security advisories is available on Drupal’s website. Check these advisories regularly to ensure that your organization’s Drupal deployments are protected against known security issues.

12 Drupal security recommendations

Beyond simply keeping abreast of Drupal security advisories, there are a number of steps that you can take to make your Drupal installation more secure.

1. Assess your site’s security needs and risks upfront

A first step for improving Drupal security is to identify which security risks are of the greatest concern for you and your users. Ask these important questions in advance:

  • Do your Drupal-based sites host any especially sensitive data? For example, do the sites include any data that is subject to HIPAA, PCI DSS, FedRAMP, or other compliance requirements? Or are you subject to regulations like the GDPR or CCPA based on the location of your organization or your Drupal site users?
  • Are any of your Drupal users or accounts subject to special risks? For instance, are there high-profile members of your organization with Drupal accounts who might be targeted by attackers wishing to impersonate them?
  • Are you likely to be exposed to particular types of attacks based on the industry you operate in, the geographical region in which you are based, or similar factors?

Assessing potential risks will help you determine what to prioritize when working to secure your Drupal deployments. Consider taking advantage of support from a security partner to get a full picture of your risks and needs, especially if your website deals with sensitive data or faces regulatory hurdles.

Security and Compliance Guide

2. Update your modules and Drupal Core

Keeping your Drupal installation up-to-date is another simple way to improve security. You should regularly update the Drupal modules that you install. You can update modules manually by replacing each existing module with the latest version on your Drupal server. To do so, select Manage in the Drupal admin page, click on Reports, and then choose Check Manually:

You can also use Drush, which provides a command-line interface for interacting with your Drupal installation and includes commands for updating modules:

Ensure that the modules you choose to install are secure. Using modules that qualify for security advisories under Drupal’s current policy is a good start.

You should also ensure that Drupal Core is updated to the latest stable release in whichever version line you are using. If your hosting provider offers a Drupal installer, it will likely allow you to update to the latest Drupal release. If not, you can update Drupal Core by installing the latest Drupal package on your server manually or by using Drush.

3. Scan your website regularly

While scanning your Drupal-based website is not a cure-all, it can help identify security flaws. You can scan Drupal sites using online services like Drupal Security Scan or open source utilities such as Droopescan. These and similar tools will produce reports detailing any security problems that they identify on your site.

4. Tailor user permissions

As noted above, Drupal offers a built-in RBAC framework for granularly configuring which users can perform which actions within a Drupal site. Be sure to take advantage of this feature to mitigate security risks by following the principle of least privilege. This means assigning only the minimum privileges required to each account. You can find a list of all users with assigned roles by clicking on People in the Drupal admin page:

You should also run Drupal itself as a non-root user, if it is hosted on Linux, or an account without administrator privileges, if it is hosted on Windows. This approach reduces the chance that an attacker who compromises a Drupal installation will also have full access to the server that hosts it.

5. Take advantage of Drupal security modules

You can enhance the security of your Drupal sites by installing optional modules designed to improve security. Consider taking advantage of these and other security modules:

  • Security Review: This module tests your Drupal configuration for flaws that could lead to security issues. Because it runs within Drupal itself, rather than simply scanning Drupal sites from the outside, it can find flaws that standard Drupal scanners would not be able to detect.
  • Security Kit: This module provides data validation features that go beyond those built into the Drupal API. Security Kit helps to prevent code injection attacks that are executed by inserting malicious commands into Drupal sites.
  • Password Policy: This module can be used to help users to create secure passwords for their Drupal accounts by, for example, requiring that they include numbers and special symbols in their passwords.
  • Two-Factor Authentication: This module allows you to enforce two-factor authentication for logins to your Drupal account. This means that users must enter a secret, such as a PIN that they receive by email or text message, in addition to a username and password before they can log in to Drupal.

6. Pick a hosting provider focused on security

Drupal can be run on virtually any hosting platform, but it’s wise to choose a hosting provider that focuses on security. Hosting platforms that provide dedicated virtual servers instead of shared accounts on the same servers are more secure. You should also verify that your hosting provider keeps the operating systems installed on its servers patched and up-to-date.

7. Manage file permissions and access

If you have the ability to configure the server that hosts Drupal, you can improve Drupal security by ensuring that only user accounts that need to manage Drupal content have access to the files, directories and executables associated with Drupal. On Linux, you can use the chmod command to restrict access:

printf "Changing permissions of all directories inside "${drupal_path}" to "rwxr-x---"...\n"
find . -type d -exec chmod u=rwx,g=rx,o= '{}' \;

printf "Changing permissions of all files inside "${drupal_path}" to "rw-r-----"...\n"
find . -type f -exec chmod u=rw,g=r,o= '{}' \;

*partial code example

The Windows file explorer provides similar access controls in the Security tab of the Properties menu.

You can also block access to key files that are of particular interest to intruders by configuring the .htaccess file:

If using apache under 2.4:
<Files "/path/to/restricted_file.txt">
Order Allow,Deny
Deny from all
</Files>

If using Apache 2.4+:
<Files "/path/to/restricted_file.txt">
Require all denied
</Files>

8. Choose good passwords

Strong passwords help lay the foundation for the security of Drupal and any software platform. The key to choosing a good password is to ensure that your password does not appear in a so-called dictionary file, meaning a list of known passwords that an attacker could attempt when trying to brute-force a login. Passwords that are at least eight characters long and contain a mix of uppercase and lowercase letters, numbers, and special symbols are unlikely to be found in a dictionary file.

Changing default usernames can help to improve password security as well. If attackers don’t know the usernames associated with your accounts, that information becomes a second factor that they need to compromise before they can break in.

9. Use an SSL certificate

SSL certificates encrypt network traffic, which helps to prevent attackers from eavesdropping on information as it travels between servers and client computers. Without SSL encryption, an attacker could potentially “sniff” data as it travels over the network and read it in order to access sensitive information stored on your Drupal site. An SSL certificate also serves as proof that your website is authentic, so visitors can trust its legitimacy and avoid fraudulent imitations.

10. Know when, and how, to sanitize data

Data sanitization means the removal of sensitive information from data. Improperly sanitized data could contain information that attackers can exploit to gain unauthorized access to your Drupal site.

One of Drupal’s maxims is to sanitize data output — the information that Drupal displays to users — rather than data input. Drupal 8 makes use of Twig, a secure template engine for PHP, that makes it easy to sanitize data output to avoid dangerous and common cross site scripting (XSS) exploits. Twig is another great reason to make the jump to Drupal 8.

Regardless of what Drupal version you use, you should ensure that Drupal Core and your Drupal modules are configured not to include sensitive information — such as passwords or IP addresses — in information that they output. For instance, make sure that public-facing error pages or code do not include private data. Instead, direct that information to log files that only Drupal site administrators can view.

11. Make frequent backups

Backing up your Drupal site and data won’t make it less likely to be attacked per se, but it will help ensure that you can survive a data breach. If you perform regular backups, you can restore your Drupal installation to the most recently backed up version quickly.

There are a variety of methods for backing up Drupal. You could create an image of the entire server that hosts Drupal, or you could use a Drupal module like All In One Backup to back up all of the data inside your Drupal configuration. For a more hands-off backup process, managed backup providers can automate the process for you.

12. Handle private data carefully

If your Drupal site includes data that is particularly sensitive or subject to regulatory protections, such as healthcare information or payment-processing data, you should take appropriate precautions. Ensure that the data is encrypted both at rest and in transit, and restrict access to the data to those user accounts that require it.

You should also consider whether there is any reason to include sensitive data in your Drupal site. If not, then simply avoid hosting it there in the first place. Drupal is not intended to serve as a storage system for all types of data. Instead, it should only be used for creating and managing content that must be made available over the Web.

Enhance Drupal security with a trusted partner

No matter how much experience you have with Drupal, optimizing security can be a challenge. So is staying on top of the ever-changing list of security vulnerabilities and compliance requirements that impact modern developers and IT teams.

That’s why partnering with a team of experts who specialize in supporting and optimizing Drupal and other business-critical apps can take your security strategy to the next level. Find out how Contegix can help by requesting more information about our comprehensive Drupal services.

Security and Compliance Guide