Keeping Your Drupal Site Secure and Compliant: Best Practices and Expert Insights

Modern digital experiences (DX) require a content management system (CMS) that can lift brands above competitors, which is why global brands such as Mars, Stanley Black & Decker, and NASA trust open source platform Drupal to fuel their brand-differentiating experiences.

But there’s one arena organizations don’t want to be known for: cyberattacks.

As MIT professor Stuart Madnick recently reported, in 2023, data breaches reached an all-time high, and third-party and supply chain exploits grew more targeted, effective, and pervasive. Ransomware attacks alone numbered more in the first nine months of the year than in all of 2022.

In this threat landscape, a secure website is imperative. Fortunately, Drupal has retained its reputation as one of the most secure CMSs in the market. It had nearly 33% fewer vulnerabilities than WordPress did last year, for example.

Yet as secure as the platform may be, it’s as subject to attack as any CMS out there. So, how do you best safeguard Drupal sites from cybercriminals and hackers? We convened a panel of in-house experts — Robert Former, Chief Information Security Officer; Justin Cherry, Senior Principal Compliance Auditor, Director GRC; and Claudia Mueller Thomson, Director, Product Management, Cloud Platform — to answer this question and others related to the safekeeping of your Drupal site. Below are vital insights they shared — a must-read for any organization seeking to keep their Drupal site as secure as possible.

Common security threats facing websites today

The biggest and most visible security threat faced by all websites — not just those powered by Drupal — is distributed denial of service (DDoS). DDoS attacks aren’t difficult to enact, they’re cheap, and it’s hard to know who caused them.

Luckily, there are tools and practices that mitigate against DDoS attacks, but they’re one of the most frequent events that Acquia addresses, said Cherry. Customers of Acquia Edge Security find a layer of protection at the frontline via a web application firewall (WAF) that filters out bad traffic before it hits the web server or balancer, so their risk from DDoS attacks is significantly lowered.

Another vulnerability that can be laid at the feet of organizations is failing to patch or to review code. “If you don’t patch and if you don’t look over your code, you’re opening yourself up to bad actors,” says Former. “The threats that arise from inaction are as serious as the threats that arise from action. Patch, test, scan. Don’t make it easy for attackers.”

Custom or out-of-date modules are another attack vector. Cherry recommends using supported modules and monitoring your site for vulnerabilities via application security scanning. At Acquia, we offer clients Remote Administration for managing updates and maintenance, and we allow them to scan their sites on our platform to test their applications’ security.

Common mistakes made when securing websites

While ignoring patches was identified earlier as a threat, Former raised the point again to underscore its importance in securing websites. “We’ve seen a startling uptick in the number of vulnerabilities published over the last six months,” he says. Stay ahead of them by being alert and patching. 

Besides skipping patches and not reviewing code, organizations open themselves up to attack when they don’t track end-of-life (EOL) components. Be sure to incorporate the new version of a component into your code and process; the time you spend doing that will be a fraction of what it’ll cost you if you wait till you’re in production. It pays off in uptime and low incident grades.

Another common mistake is leaving security and compliance to the end or addressing them only when there’s a problem. Both should be priorities from the start and incorporated into the day to day. “Security and compliance should be planned, designed, prioritized, budgeted, hired for, and implemented as part of every new product or service an engineering team puts in place,” says Mueller Thomson.

Best practices for securing cloud-hosted Drupal sites

We’ve identified cybersecurity threats and mistakes, but what practices offer protection to cloud-hosted Dupal sites? Our panelists had plenty to say on the topic.

As a compliance specialist, Cherry is a big proponent of a secure development framework. Payment card industry (PCI) cardholder data requires a secure development methodology, for instance, but even if your site doesn’t process such data, it’s still important to have a secure development framework like OWASP in place.

When it comes to application testing, he recommends dynamic and static code scanning to identify vulnerabilities in the code or application. Penetration (or “pen”) testing is also key. Do it at least once per year unless you’re subject to a regulation that requires more frequent testing or your organization has a policy on major releases. Cherry goes a step farther and suggests manually poking at your site and trying to break it.

Former agrees wholeheartedly. “The best way to know how to fix it is to be the one who breaks it,” he says. That’s why he likes internal red teams, groups of pen testers who attack an organization’s cybersecurity defenses.

“Internal pen testers have that internal knowledge that puts them a step above external attackers and gets you another level deeper,” he continued. “So, pen test your own stuff and then test it with an external third party. By the time your third party comes in, you should already know what they’re going to find and be ready to address any surprises that you haven’t found yourself.”

A similar measure involves establishing a threat management team that looks not just inward at technical vulnerabilities but outward. What hot spots are out there? At Acquia, we have someone keeping an eye on what’s happening in Russia, Ukraine, the Middle East, Central America, and so on, Former explained. That way, we watch for what’s coming at us, and we’re not surprised.

Resources for keeping your Drupal site safe

Besides the practices outlined above, there are resources and tools that offer added safety. At Acquia, for instance, we have security-specific tooling that helps us manage, scan, and report on our platform, says Mueller Thomson. 

It’s expensive but worth every penny, she continued: “Platforms are very complex. There are many assets that need to be monitored; too many opportunities for human error. So, tooling made all the difference for us in terms of our ability to stay on top of security and compliance needs.”

Of course, Acquia offers its own tools, such as the previously mentioned Acquia Edge Security, a best-in-class WAF and DDoS protection solution. We also have Acquia Code Studio, a full-stack platform for developing Drupal sites. It integrates with secure code management practices, facilitating tests of your application so you don’t release anything that puts your data at risk.

Other resources include distribution lists that publish common vulnerabilities and exposures (CVEs) daily, as well as Drupal’s own security page. As an open source platform, Drupal benefits from ongoing scrutiny and input from developers worldwide, as well as a dedicated staff of security experts that address and release security fixes.

Those are just a handful of the many recommendations and insights that our panel of experts shared. To learn more about what they covered — managing user roles, use cases, scanning and patching processes — watch the webinar today!