Is Drupal Secure? A Guide to Drupal Security

Some of the most well-known corporations, institutions, and governments in the world — from Panasonic, UNESCO, and Pfizer to the University of Toronto and the City of London — trust Drupal as their content management system (CMS) of choice. Indeed, according to BuiltWith, the open source platform powers more than 1.7 million websites and is reputed to be one of the most secure CMSs on the market.

Yet, like any CMS, it presents a target to hackers and bad actors keen to cause havoc. Thankfully, there are numerous practices any Drupal user can implement to sidestep or thwart cyberattacks. We’ll review them in detail below, but it’s worth first understanding today’s security environment.

Drupal security overview 

No discussion of security issues and Drupal — or any CMS, actually — can begin without first acknowledging the significant changes that the COVID-19 pandemic imposed upon the world of work. Seemingly overnight, organizations shuttered their offices, sent everyone to work from home, and accelerated the digital transformation of their business and operations, whether it was through the addition of hardware, like laptops for a suddenly remote workforce, or software, like new applications that better serve distributed teams.

Welcome as some of the changes have been, they also raised the cyber risk for many businesses, because as network perimeters expanded, so too did the number of entry points for cybercriminals and their ilk. Today, there are millions upon millions more of us powering up employer-provided laptops or joining virtual classrooms. We’re logging onto business collaboration tools like Slack and Teams, attending telehealth appointments, and navigating online learning systems.

Some organizations handled the shift to remote work easily; others continue to struggle. In the face of these unprecedented changes, cybercrime has flourished, with more than 72% of organizations worldwide affected by ransomware attacks in 2023. In the United States alone, data breaches in just the first nine months of 2023 climbed almost 20% compared to all of 2022.

Fortunately, many members of the Drupal community, which counts more than 1 million members, contribute their time and expertise to ensure the software remains safe for others.

Drupal also maintains a dedicated security team, so there are even more safeguards in place. Representing consultancies, Drupal service providers, and end-users from the nonprofit, for-profit, and education sectors, the security team features almost three dozen members from more than nine countries, so there’s a breadth of perspectives that inform the platform’s security. Along with the Drupal Association, the team also coordinates Drupal Steward, an affordable web application firewall (WAF) that bridges the gap between when a security release becomes available and when a site is completely updated with the new patch.

In this digital landscape, organizations are naturally eager to ensure the safety of their content management systems, so let’s look at common risks today.

Potential security risks

How secure is Drupal? What are the risks of Drupal? All content management systems run the same security risks; Drupal is no more and no less vulnerable than other CMSs. Let’s review common threats they all face.

• Cross-site scripting (XSS). In XSS attacks, malicious code is injected into client-side scripts via JavaScript or HTML. There are three kinds of XSS attacks — reflected (non-persistent), stored (persistent), and DOM-based — and there are a number of ways to protect against them, such as using frameworks that avoid HTML tags and applying web vulnerability scanners to your databases.
   
• Authentication bypass. Weak authentication mechanisms give threat actors the opportunity to access your data and systems. Organizations may guard against it by encrypting all session IDs and cookies, as well as deploying antivirus protections.
   
• Remote code execution (RCE). In these attacks, hackers gain systems access, allowing them to remotely execute malware or other malicious code and take over an organization’s affected systems or devices. As the name implies, RCE attacks can be performed from anywhere in the world and are notable for impacts beyond system penetration, such as cryptomining and data theft.
   
• SQL injection. Sometimes known as SQLI, this attack relies on malicious SQL code to manipulate back-end databases and access data, such as customers’ personally identifiable information (PII) or company data. Developers can prevent SQL injections by avoiding dynamic queries with string concatenation and by preventing user-supplied input that contains malicious SQL from altering the logic of executed queries.
   
• Cross-site request forgery (CSRF). CSRF attacks strong-arm users into performing unwanted actions in applications where they’re currently authenticated. Successful attacks can involve anything from the transfer of funds and the alteration of information such as addresses, or they can compromise an entire web application.

Drupal security best practices

Now that we’ve gone over some of the threats most typical for CMSs, you may be asking yourself, “How do I make my Drupal site secure?” To answer that question, let’s turn to the practices and behaviors — your Drupal security checklist, if you will — that guard against vulnerabilities in Drupal.

1. Stay up to date with the latest version of Drupal and its modules

This is really the least that an organization can do to ensure the security of its Drupal application. There’s a veritable army of Drupal experts who regularly update the software with patches and fixes that fortify security weaknesses, so be sure to take advantage of such protections. (You can also learn more about upgrading to the latest version of Drupal here. In fact, the foremost reason to migrate from older versions to Drupal 10.2 is security.)

The Drupal security team also publishes weekly security advisories, but if you want up-to-the-minute news, subscribe to the e-newsletter, join the Drupal Slack group, or follow RSS feeds. Staying on top of Drupal security updates is one of your best defenses against cyber mischief.

And don’t forget to include Drupal security modules in your efforts. Here’s a list to install and update if you haven’t already:

• Automated logout. This module logs users out after a certain time period has passed.
• CAPTCHA. This module filters spambot form submissions, blocking automated scripts that would otherwise publish spam content.
• Content access. This security module determines content permissions based on author and role.
• Password policy. This module establishes secure password policies, as well as layering on another level of security against login-bots.
• Security kit (SecKit). This module offers a range of security-hardening options, helping organizations minimize their exposure to application threats.
• Session limit. This module caps the number of sessions per user.
• Two-factor authentication (2FA). This module adds another authentication layer during login attempts.
   

By incorporating the above Drupal security features, you can keep your site safe.

2. Perform consistent site backups

Should anything happen to your site, you can restore a backup, but keep in mind that its recency will depend on how regularly you back up your site. That backup should include Drupal core and its attendant modules and themes, as well as your application’s files (e.g., PDF files of uploaded content), allowing you to recover quickly after an attack.

Remember: Before performing any site updates, be sure you have a reliable backup, which is particularly important at the initial installation of a module or theme.

3. Obtain a secure sockets layer (SSL) certificate

This digital certificate authenticates a site and enables encrypted connections. Put another way, it enables websites to use HTTPS, which is safer than HTTP, and secure your users’ credentials. Without a HTTPS connection, those credentials and other data could be intercepted and sent over the internet in cleartext. A SSL certificate disrupts that because it uses symmetric and asymmetric cryptography, so even if your data is intercepted, it’ll be a mess — something no hacker wants to deal with.

A SSL certificate also has plenty of SEO and performance advantages, so get one from a trusted vendor so your site can securely transfer data.

4. Harden HTTP security headers

There are other types of HTTP headers besides those that relate to security, but the ones that pertain here tell a browser how various operations on your site should be governed. They’re a great way to fortify your web application or site against incursions like clickjacking and man-in-the-middle (MITM) attacks.

Recommended HTTP security headers to consider include:

• Content-security policy (CSP). This header allows you to precisely control allowed content sources and other content parameters.
• Strict-transport-security. This header implements the use of the encrypted HTTPS connections we discussed above instead of plain-text HTTP communications.
• X-frame-options. This header helps publishers keep attackers from using their content in an invisible frame. X-frame-options are a relic from 2008 and can be replaced today with the appropriate CSP directives.
   

While there are other HTTP security headers, such as public-key-pins and X-XSS-protection, the above are the most critical.

5. Monitor user roles and secure file permissions

Drupal offers a range of user roles, such as editors, anonymous users, and administrators. Each can be assigned specific permissions, such as the ability to read, write, or alter site operations and content.

Some roles will need a greater number of permissions, and some will be privileged accounts. In all cases, we recommend applying the principle of least privilege (POLP). The POLP is an information security standby that holds that a user should only have access to the data, applications, and resources required to complete a task. By setting limits, the POLP cuts down on the number of ways bad actors can access and harm your systems and business.

6. Sanitize inputs

Sanitization involves the removal of unsafe characters from user inputs via the addition of an input validation function or logic, which hardens the upload section. When in place, sanitization ensures the data has a valid display format and can be added to a database. Input sanitization is particularly useful in thwarting XSS and SQL injection attacks.

7. Work with a trusted hosting service

A web hosting service will maintain the stability and security of your site and applications, as well as store your data. Options to choose from include on-premise, infrastructure-as-a-service (IaaS) (sometimes known as DIY hosting), and platform-as-a-service (PaaS) providers, with each offering differing levels of security and assistance. Some will implement the practices we’ve covered here; others will be your responsibility unless you select a provider who does it all. Carefully consider your needs and what you may sacrifice should you choose a cheaper option; remember the penalties that may be levied should your site fail to meet the proper compliance requirements.

8. Use secure connections

If your web hosting provider or secure shell (SSH) client offers SFTP encryption, take it but be sure to use SFTP from port 22.

On the client side, make sure you:

• Don’t save FTP passwords or create a master password. They aren’t encoded and are stored as plain text, exposing them to threat actors.
• Tell users to refrain from accessing the site on public networks at locations like airports and cafes, which are rarely secure.
   

On the server side, take care to:

• Work only with the provider’s updated versions of PHP and MySQL. Be sure the account is properly isolated and the web application firewall configured.
• Bypass shared hosting, which can result in overcrowded servers and shared IPs.

9. Consider additional security protections

For even more protection, you may want to incorporate additional security offerings, such as:

• An IP firewall that can block or whitelist specific IPs, ASNs, or even entire countries
• A secure sockets layer (SSL) certificate that can guard online transactions and keep customer data private and secure
• Distributed denial-of-service (DDoS) protection against attacks that seek to flood a server with online traffic, preventing users from accessing services and sites supported by the server. DDoS protection stops malicious traffic from reaching its target, thereby limiting an attack’s reach.
• A bot manager that blocks malicious bot traffic from harming websites, mobile apps, and APIs
   

By considering the above options, organizations can assess whether there may be gaps in their cybersecurity and move to fill those holes before bad actors step in. Third parties or internal red teams (penetration testers that attack an organization’s cybersecurity defenses) can perform this Drupal security audit.

What’s next?

You can see how there are numerous pathways to safety for your Drupal site. And besides the measures listed here, there’s an ever-growing clutch of Drupal experts staying vigilant as they track the software’s development and post security updates. These characteristics help explain why the open source platform remains a favorite of security professionals who oversee high-traffic sites at some of the world’s best-known organizations, though Drupal has many features that endear it to content creators, publishers, designers, digital marketers, and, of course, developers.

But, if you want to stay focused on Drupal’s security aspects, check out this in-depth resource on its security and compliance advantages.