Protecting Your Website: What You Need to Know About Drupal Security

Published on 18 June 18

Drupal is used by 2.1% of all websites in the world and, with a content management system market share of 4.0%, is the third most widely used CMS, behind WordPress with a 59.9% share and Joomla with 6.1%.

With an active and committed developer community, constant updates, and a wide variety of available modules, Drupal is a versatile platform suitable for everything from personal blogs to ecommerce websites.

Although Drupal is not the platform with the highest number of reported security issues or breaches, the recent exploitation of a remote code execution vulnerability, lovingly dubbed Drupalgeddon 2 (following the first Drupalgeddon from 2014), has put this CMS under additional scrutiny.

If you run a business of any kind and use a Drupal-based website to interact with customers, as an online marketplace, to store or process sensitive personal data, or basically to do anything more serious than posting an article every once in a while, you stand to lose quite a bit if your site is compromised. Here’s how to prevent that from happening.

Constant Updates

Despite Drupal 8.x having been around for years now, the 7.x releases are still four times as popular as the latest version. If you think that just having the latest update for your version is enough to stay relatively safe, think again: a number of older branches are no longer supported, and some only get updates for major vulnerabilities.

That’s why, if you still prefer 7.x, you should update to 7.58, or, probably the best recourse, go straight to 8.5.1. While there are auto-update options and modules you could rely on, make it a point to periodically check everything manually and ensure you are up to date.
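As an added example (not code from the article or from the Drupal project), a small Python check that reads the core version a Drupal 7.x or 8.x docroot declares and compares it with the minimum releases named above. The two version-file locations are Drupal's real layout; the thresholds come from this article and everything else is an assumption.

```python
import os
import re

# Minimum releases the article recommends for each supported branch (7.58 and 8.5.1).
MIN_SAFE = {7: (7, 58), 8: (8, 5, 1)}

# Where core declares its version: 7.x in includes/bootstrap.inc, 8.x in core/lib/Drupal.php.
VERSION_FILES = ("includes/bootstrap.inc", "core/lib/Drupal.php")

# Matches define('VERSION', '7.58'); (7.x) and const VERSION = '8.5.1'; (8.x).
# Pre-release suffixes such as -rc1 are tolerated but not used in the comparison.
VERSION_RE = re.compile(
    r"""(?:define\(\s*['"]VERSION['"]\s*,\s*|const\s+VERSION\s*=\s*)['"]([0-9][0-9.]*)[^'"]*['"]"""
)


def parse_version(source):
    """Return the version string found in a core version file, or None."""
    match = VERSION_RE.search(source)
    return match.group(1) if match else None


def version_tuple(version):
    """'8.5.1' -> (8, 5, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_patched(version):
    """True when the version meets its branch minimum; unsupported branches (6.x ...) count as unpatched."""
    parts = version_tuple(version)
    minimum = MIN_SAFE.get(parts[0])
    return minimum is not None and parts >= minimum


def check_site(docroot):
    """Locate the core version file under a docroot and report whether it is current enough."""
    for relative in VERSION_FILES:
        path = os.path.join(docroot, relative)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as handle:
                version = parse_version(handle.read())
            if version is None:
                return "%s: version string not found" % path
            return "Drupal %s: %s" % (version, "ok" if is_patched(version) else "NEEDS UPDATE")
    return "%s: no Drupal core version file found" % docroot


if __name__ == "__main__":
    import sys
    print(check_site(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it against each docroot from cron and alert on "NEEDS UPDATE"; it only covers core, so contributed modules still need their own update check.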

Modules need to be updated too. No matter how reputable the Drupal website design companies behind them are, or how reliable they usually are, you need to keep checking their compatibility with your current Drupal deployment and the other elements of your website.

However, it’s not only out-of-date modules that you should pay attention to; it’s all of them. Depending on what they do, what permissions they have and how they are implemented, modules can give intruders an entry point, a so-called back door. That’s why you should never use more modules than you absolutely need, and then make sure that the ones you do use meet satisfactory security standards.

Although they are a potential risk, modules can also do a lot to protect your site from different types of intrusion, from preventing spam by serving visitors a captcha to offering multi-step verification on login forms. Drupal’s module repository is a great place to start looking for suitable modules, but there are decent ones available outside it as well.

They can’t steal what they can’t find, right? Depending on the type, amount and purpose of the sensitive data you handle, you might want to consider additionally limiting access to it.

With the General Data Protection Regulation in full force, you can easily be held responsible for failing to protect someone's personal data. To limit that exposure, many webmasters turn to data pseudonymization: stripping the data of personal identifiers and keeping the key needed to retrieve them separately from the data itself. This way, even if your security measures fail, the damage is minimized.
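The split described above, as an added example that is not part of the original post: the working dataset keeps only a random pseudonym plus the non-identifying fields, while a separately stored vault maps pseudonyms back to the stripped identifiers. The customer records are constructed sample data and the field names are assumptions.

```python
import json
import secrets

# Constructed sample records of the kind a Drupal shop might hold about its customers.
CUSTOMERS = [
    {"name": "Ana Lopes", "email": "ana@example.org", "order_total": 120.50, "country": "PT"},
    {"name": "Bob Ray", "email": "bob@example.org", "order_total": 45.00, "country": "IE"},
]

# Fields that directly identify a person; they must not stay with the working data.
IDENTIFIERS = ("name", "email")


def pseudonymize(records, identifiers=IDENTIFIERS):
    """Split records into (working_data, vault).

    working_data keeps every non-identifying field plus a random pseudonym.
    vault maps pseudonym -> stripped identifiers and is meant to live elsewhere
    (another database or host, its own access policy), so losing one half
    alone does not re-identify anyone.
    """
    working, vault = [], {}
    for record in records:
        token = secrets.token_hex(16)  # unpredictable; not derived from the data itself
        vault[token] = {k: record[k] for k in identifiers if k in record}
        working.append({"pseudonym": token, **{k: v for k, v in record.items() if k not in identifiers}})
    return working, vault


def reidentify(record, vault):
    """Restore identifiers for one working record; only possible with the vault."""
    identity = vault.get(record["pseudonym"])
    if identity is None:
        raise KeyError("no vault entry for pseudonym %s" % record["pseudonym"])
    return {**identity, **{k: v for k, v in record.items() if k != "pseudonym"}}


def leaks_identifiers(records, identifiers=IDENTIFIERS):
    """Guard to run before exporting data or handing it to a third party."""
    return any(field in record for record in records for field in identifiers)


if __name__ == "__main__":
    working, vault = pseudonymize(CUSTOMERS)
    print(json.dumps(working, indent=2))  # safe for analytics or support tooling
    print(reidentify(working[0], vault))  # requires the separately stored vault
```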

Apart from segmenting data, you should also seriously consider segmenting the access privileges your employees have. Even if you have complete trust in their intentions and capabilities, every employee, as well as outside contractors and consultants, should be given exactly as much access and authority as they need, and not an ounce more.

This not only helps prevent breaches but, if one does happen, gives greater transparency into user actions. Aside from assigning accountability, this kind of insight is invaluable for event analysis and for identifying vulnerabilities.

Backup Everything

While planning for the worst case scenario doesn’t seem like the most proactive way to approach the problem, it is one of the most essential steps you need to take. Naturally, you need to ensure that your backup methods don’t create new vulnerabilities, so be careful how and where you keep your backups.

Despite the recent buzz around a major exploit, Drupal is, on average, just as secure as other CMS platforms. However, just like with other content management systems, you need to stay on your toes when it comes to following security best practices. Among other things, this includes regularly updating your Drupal deployment and individual modules, limiting user authorization, segmenting the data you store, and keeping backups in case everything else fails. Aside from this, make sure to occasionally check Drupal’s security page to see whether new vulnerabilities have been discovered, and you shouldn't have too much trouble.