How secure is Drupal — Is it as good as they say it is? | Acro Media
Mike Hubbard


Mike Hubbard

, Front End Lead, Developer

Posted in Software & Development

April 14, 2016

How secure is Drupal — Is it as good as they say it is?

Drupal, by online software standards, is a very secure content management system (CMS). It’s arguably the most secure of the big three open source CMSs (Drupal, WordPress & Joomla!) used for building websites, but like anything on the web, there is always the potential for security vulnerabilities to be discovered and exploited.

This article will cover how the Drupal community mitigates security threats and how its security features compare to other leading CMS and commonly used proprietary platforms so you can be confident that your Drupal website is secure and in good hands.

How is Drupal secure?

Drupal is a very secure platform by online software standards, and here’s why you can trust Drupal with your website, big or small:

Drupal meets Open Web Application Security Project (OWASP) standards

OWASP is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software.”

They have identified a list of Top 10 security risks to help guide online software security development. Drupal’s security is designed to meets OWASP standards and is actively screened to continually prevent future risks.

For a more detailed look at how Drupal addresses each of the OWASP Top 10 security risks, learn more here.

Drupal Security Team

Drupal is used by millions of websites, so the security of the platform is taken very seriously. Formally formed in 2005, the Drupal Security Team consists of about 40 security experts from around the world, whose task is to analyze and report security vulnerabilities discovered in the core Drupal platform and community-contributed modules. The team then provides resources and assistance to resolve the issues, as well as generate documentation to help developers write secure code and protect their sites.

Here’s a fun infographic about how the Drupal Security Team works to keep Drupal secure.

Drupal security release

Source: Infographic: How Drupal combines open source, openness, and security 

A huge community keeping constant watch

The Drupal community is one of the largest in the world, with over 1,000,000 developers, designers, trainers, strategists, coordinators, editors and sponsors all working together to shape the platform. With all of these eyes continuously reviewing code and functionality, you can be sure that any security vulnerability will be reported to the Drupal Security Team and dealt with quickly. It is extremely rare that any serious vulnerability will ever make it into an official core software release.

Secure, open source code base

Thanks to the diligent work the Drupal Security Team and the community at large Drupal’s core code base is very stable and secure. Any user contributed module to extend Drupal is built off of this extensively-reviewed base and undergoes the same scrutiny by the Drupal community. A contributed module must first be approved by the team of Drupal core maintainers before being released to the larger community. Once in the community, others can then download, review the code, submit bug reports and make feature requests. All of this happens in plain sight because Drupal is fully transparent, open source software.

Password security

At first install, Drupal encrypts any password stored in the database. These passwords are salted and hashed multiple times, meaning they’re obscured lengthened to help prevent dictionary and brute force password cracking attacks.

To further enhance password security, many user contributed modules can be added to support SSL and 2-factor authentication.

Many single sign-on systems — Google Sign-in, OpenID, etc. — can also be integrated to provide an alternative method for users to login.

Refined access controls

Access controls in Drupal can be setup for any instance, with a full degree of control. This means you can set up account types for anyone situation, whether it’s for user accounts in an online store, magazine content publishers and editors, social community websites, etc... Any and all access control situation is possible.

Database encryption

Drupal can be configured to encrypt either the whole website database or very specific parts of the database — user accounts, forms, content types, et al. This level of encryption means Drupal can be configured to pass PCI, HIPPA, and any other privacy standard or law.

Built-in security reporting

The key to keeping any CMS as secure as possible for as long as possible is to make sure your site is properly configured and that the platform and any add-on plugins are up to date. Drupal provides notification and reporting for all of these things, including update details and recommendations, to ensure that any security vulnerabilities that may appear on your site are patched immediately.

Alright it’s secure… prove it!

Hopefully by now you can see that Drupal is a very secure. Just don’t take our word for it though, check out the list of organisations below that have trusted Drupal as their secure CMS platform for their website..

The White House
That’s right. Drupal runs the White House (website). You can read about why the Obama administration chose Drupal here.

Other Governmental Websites

(state, provincial & national)
Over 300 governmental websites in the USA, and over 50 in Canada, are built on Drupal. Worldwide, thousands of Drupal based governmental websites have been built in more than 150 countries. Check out the list.

International Organizations

TV & News Media

Higher Education

Tech & Services

Sports & Entertainment

How does Drupal compare to other top CMS platforms — WordPress & Joomla!?

Drupal, Wordpress and Joomla! are all very secure platforms when the software is kept up to date. They all have a huge development community and massive user base, therefore security is at the forefront of ongoing development for each software package.

The general rule of thumb is that WordPress and Joomla! are fine for small to medium sized sites, and Drupal is great for these sites too, plus it is scalable to huge enterprise sites. What your website needs to do, the platform you prefer or the company you work with will ultimately determine the software you should use. Drupals flexibility is why we chose it as our primary CMS, and we love it; it does absolutely everything.

Also, the fact that the White House and so many other governmental organizations chose to use Drupal speaks highly of the platform and it’s security.

How about proprietary platforms — Shopify, BigCommerce, Weebly, etc.?

The biggest advantage proprietary platforms can have over their open source counterparts is their hosting environments, out of the box, are typically more secure and controlled. If you’re working with knowledgeable service providers for your website development however, open source can be just as good, or better, because your hosting environment can be tailored to your needs.

The main weakness that can be said about proprietary platforms is that they are secretive — a “walled garden.” If there are security vulnerabilities, how long will it take a small team of developers to find them, and then push out a fix. Smaller teams also mean proprietary systems can not be tested as thoroughly as an open source platform that has a huge community behind it. Proprietary solutions could have all kinds of issues, past and present, and you would never know unless they told you. But would they tell you? What advantage do they gain from letting you know their system was flawed in some way?

In our minds, the security and programming resources gained from having so many people involved in an open source platform is enough to warrant their use. We know Drupal is secure, because we know their standards, their security guidelines and their processes for dealing with issues. It’s transparent and we like that.

Does top-notch security require a proactive approach?

Unfortunately, anything on the internet is at risk, regardless of the platform or service you use. As web software evolves, hackers continue to find and exploit holes in security. Servers could potentially be configured incorrectly leaving gaps in security. Insecure website on shared hosting servers could put your website at risk. Data centres holding files can have hardware failures.

While Drupal as a software platform is secure, complete security requires a knowledgeable, proactive approach. The following tips are a good starting point for complete peace of mind.

  1. If you’re not technically savvy, hire a company who knows the risks, can setup your website hosting environment, and can guide you along the right path.
  2. Use a trusted, open source solution.
  3. Regularly update your software (or keep a company on retainer to do this for you).
  4. Regularly backup the software and underlying database.
  5. Use strong passwords (learn more about that here) and protect your data.