Protecting Your Website: What You Need to Know About Drupal Security
Drupal is used by 2.1% of all the websites in the world, and with
With an active and committed developer community, constant updates, and a wide variety of available modules, Drupal is a versatile platform suitable for everything from personal blogs to
Even though Drupal is not the platform with the highest number of reported security issues or breaches, the recent exploitation of a remote code execution vulnerability, lovingly dubbed Drupalgeddon 2 (following the first one from 2014), has put this CMS under additional scrutiny.
If you are running a business of any kind and use a Drupal-based website for interactions with customers, as an online marketplace, to store or process sensitive personal data, or, basically, to do just about anything more serious than posting an article every once in a while, you might stand to lose quite a bit if your site is compromised. Here’s how to prevent that from happening.
Despite Drupal 8.x being around for years now, its 7.x iterations are still four times as popular as the latest version. If you think that just ensuring that you have the latest update for your version is enough to stay relatively safe, think again. A number of older branches are no longer supported, and some are only getting updates in cases of major vulnerabilities.
That’s why, if you still prefer 7.x, you should update it to 7.58 or, probably as the best recourse, go straight to 8.5.1. While there are auto-update options or modules you could rely on, make it a point to periodically check everything manually and ensure you are up to date.
However, it’s not only out-of-date modules that you should pay attention to, it’s all of them. Depending on what they do, what permissions they have, and how they are implemented, modules can provide intruders with an entry point, or a so-called back door. That’s why you should never use more modules than you absolutely need, and you should ensure that the ones you do use meet satisfactory security standards.
Despite being a potential risk, modules can also do a lot to protect your site from different types of intrusion, from preventing spam by serving visitors with a captcha to giving you the option of multi-factor login verification. Drupal’s module repository is a great place to start looking for suitable modules, but there are decent ones available outside of it as well.
With the General Data Protection Regulation in full force, you might easily be held responsible for failing to protect someone’s personal data. To limit that exposure, a lot of webmasters turn to data pseudonymization. This means stripping the data of personal identifiers and keeping the key needed to retrieve them separately from the data itself. This way, even if your security measures fail, the damage is minimized.
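As an added illustration of the pseudonymization approach just described (example code written for this page, not from the original article or from Drupal itself), the following Python splits a constructed order table into a working data set that carries only a keyed token per customer, and a separate re-identification table that plays the role of the "key kept apart from the data". The field names, the HMAC-derived token and the sample rows are all assumptions for the demonstration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample rows (not real data): a Drupal-style shop's order
# table joined with the buyer's direct identifiers.
SAMPLE_ORDERS = [
    {"uid": 17, "email": "alice@example.org", "name": "Alice Example", "total": 42.50},
    {"uid": 23, "email": "bob@example.org", "name": "Bob Sample", "total": 13.00},
    {"uid": 17, "email": "alice@example.org", "name": "Alice Example", "total": 7.25},
]
IDENTIFIERS = ("uid", "email", "name")  # assumed direct-identifier fields


def subject_token(key: bytes, identifiers: dict) -> str:
    """Keyed, deterministic token for one data subject.
    HMAC rather than a plain hash: without the key nobody can confirm a
    guess such as "is this alice@example.org?" by recomputing the token."""
    canonical = json.dumps([identifiers[f] for f in IDENTIFIERS]).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:24]


def pseudonymize(rows: list, key: bytes):
    """Return (working rows, re-identification table).
    The working rows keep only the token plus non-identifying fields; the
    token -> identifiers table is the 'key' and belongs in a separate,
    more tightly controlled store than the working data."""
    working, table = [], {}
    for row in rows:
        ids = {f: row[f] for f in IDENTIFIERS}
        token = subject_token(key, ids)
        table[token] = ids
        rest = {k: v for k, v in row.items() if k not in IDENTIFIERS}
        working.append({"subject": token, **rest})
    return working, table


def leaks_identifiers(working: list, rows: list) -> bool:
    """True if any identifier field or raw identifier value survives in the working set."""
    raw = {row[f] for row in rows for f in IDENTIFIERS}
    return any(k in IDENTIFIERS or v in raw for r in working for k, v in r.items())


def reidentify(pseudo_row: dict, table: dict) -> dict:
    """Restore the identifiers; only whoever holds the separate table can do this."""
    rest = {k: v for k, v in pseudo_row.items() if k != "subject"}
    return {**table[pseudo_row["subject"]], **rest}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated once; stored with the table, never with the data
    working_set, reident_table = pseudonymize(SAMPLE_ORDERS, key)
    print(json.dumps(working_set, indent=2))
```

Repeat orders from the same customer share a token, so the working set still supports per-customer analysis without exposing who the customer is.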
Apart from data segmentation, you should also seriously consider segmenting the access privileges that your employees have. Even if you have complete trust in their intentions and capabilities, every employee, as well as any outside contractor or consultant, should be given exactly as much access and authority as they need, and not an ounce more.
This not only prevents