June 05, 2024
Security in Drupal
Security on a Drupal website depends first of all on keeping Drupal core and every contributed module up to date. It can also be improved with the complementary measures discussed below.
The Drupal Security Team is a group of drupal.org community members that continuously reviews the source code of Drupal core and of contributed modules. They fix vulnerabilities in core themselves, coordinate fixes with the maintainers of affected contributed modules, and publish a security advisory for each fixed issue. On the site's update administration page (DRUPAL_URL/admin/modules/update) a security update is easy to tell apart from a regular one: it is listed with a red background. Security updates should be installed as soon as they are released. Even if we believe that a known vulnerability does not directly affect our site, it can be chained with another weakness to escalate privileges on our system. We should therefore never minimize the risk of a published vulnerability and should update to the patched version as soon as possible.
Additionally, the configuration of Drupal and of the installed modules should be reviewed with security in mind. For example, we could ask ourselves:
- Do we need to allow anonymous visitors to register accounts without an administrator's approval?
- Are the permissions assigned to each user role the minimum needed for that role's tasks?
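The two questions above can be answered mechanically. The following script is an added example, not code from the original post: it is a read-only audit that checks the registration setting and looks for over-privileged roles using Drupal core's own APIs. The file name, the `drush php:script` invocation and the "exactly one admin role" heuristic are this example's assumptions.

```php
<?php
// Added example, not code from the original post. Save as security_audit.php in
// the site root and run `drush php:script security_audit.php` so it executes with
// the site bootstrapped (assumed invocation; any bootstrapped context works).

use Drupal\user\Entity\Role;
use Drupal\user\RoleInterface;
use Drupal\user\UserInterface;

$findings = [];

// Question 1: can anonymous visitors self-register without approval?
// user.settings:register is 'admin_only', 'visitors' or
// 'visitors_admin_approval' (the UserInterface::REGISTER_* constants).
$settings = \Drupal::config('user.settings');
if ($settings->get('register') === UserInterface::REGISTER_VISITORS) {
  $findings[] = "user.settings.register = 'visitors': accounts are created with no administrator approval.";
}
if (!$settings->get('verify_mail')) {
  $findings[] = 'user.settings.verify_mail is off: new registrations are not confirmed by e-mail.';
}

// Question 2: least privilege. Core flags some permissions with
// 'restrict access' => TRUE because they are effectively "administer site";
// none of them belongs on the anonymous or authenticated role.
$all = \Drupal::service('user.permissions')->getPermissions();
$restricted = array_keys(array_filter($all, function (array $p) {
  return !empty($p['restrict access']);
}));

foreach ([RoleInterface::ANONYMOUS_ID, RoleInterface::AUTHENTICATED_ID] as $rid) {
  $role = Role::load($rid);
  if ($role === NULL) {
    continue;
  }
  foreach (array_intersect($role->getPermissions(), $restricted) as $perm) {
    $findings[] = "role '$rid' holds restricted permission '$perm'.";
  }
}

// A role with is_admin: TRUE bypasses every permission check. The assumption
// here is that only the stock 'administrator' role should carry that flag.
foreach (Role::loadMultiple() as $rid => $role) {
  if ($role->isAdmin() && $rid !== 'administrator') {
    $findings[] = "role '$rid' is flagged is_admin and bypasses all permission checks.";
  }
}

if ($findings === []) {
  echo "No findings.\n";
}
foreach ($findings as $finding) {
  echo "[!] $finding\n";
}
```

The script only reads configuration and role entities, so it is safe to run on production; treat each finding as a question to answer, not necessarily a defect, since some sites legitimately allow open registration with e-mail verification.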
It may also be worth commissioning an external security audit of the website. This is advisable whenever the site depends heavily on custom code and practically indispensable for an online store. We must be aware that custom code is not secure simply because it is not public. Secure custom code must use the APIs Drupal already provides: the Request object to read and validate GET and POST parameters, the Database API with placeholders (or the Entity API) instead of hand-built SQL, and the render system to escape output.
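To make the last point concrete, here is an added example that is not code from the original post. A hypothetical custom module `mymodule` exposes a page that looks an account up by a `?name=` query parameter; the first method is the kind of "private but not secure" code the paragraph warns about, the second is the same feature written against Drupal's own APIs. The module, class and route names are assumptions.

```php
<?php
// Added example, not code from the original post. Hypothetical module "mymodule".

namespace Drupal\mymodule\Controller;

use Drupal\Core\Controller\ControllerBase;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

class LookupController extends ControllerBase {

  /**
   * INSECURE, shown for comparison only. The raw parameter is spliced into
   * SQL (?name=x' OR '1'='1 changes the query) and then written straight into
   * the HTTP response with no escaping (a reflected XSS sink). Being in a
   * private repository does nothing to protect either flaw.
   */
  public function lookupInsecure(Request $request) {
    $name = $request->query->get('name', '');
    $sql = "SELECT uid, name FROM {users_field_data} WHERE name = '" . $name . "'";
    $rows = \Drupal::database()->query($sql)->fetchAll();
    return new Response('Results for ' . $name . ': ' . count($rows));
  }

  /**
   * HARDENED: the same feature through Drupal's APIs. The route that points
   * here should additionally carry an access requirement in
   * mymodule.routing.yml, e.g. requirements: { _permission: 'access user profiles' }.
   */
  public function lookup(Request $request) {
    // 1. Treat the parameter as untrusted data with an expected shape.
    $name = (string) $request->query->get('name', '');
    if ($name === '' || mb_strlen($name) > 60) {
      return ['#plain_text' => $this->t('Provide a name of at most 60 characters.')];
    }

    // 2. Database API with a named placeholder: the value is bound by the
    //    driver, never interpolated into the SQL string.
    $rows = \Drupal::database()->query(
      'SELECT uid, name FROM {users_field_data} WHERE name = :name',
      [':name' => $name]
    )->fetchAll();

    // 3. Output through the render system; @placeholders in t() are escaped
    //    before the string reaches the page.
    return [
      '#markup' => $this->t('Results for @name: @count', [
        '@name' => $name,
        '@count' => count($rows),
      ]),
    ];
  }

}
```

The same query could equally be built with `\Drupal::database()->select()` or by loading entities through the Entity API; both escape values for you, which is the point: when custom code goes through the framework's query and render APIs, an auditor can concentrate on business logic and access control rather than hunting for injection sinks.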
Finally, security can be improved further by placing a WAF (Web Application Firewall) in front of the site and by installing and configuring security-oriented contributed modules, for example Security Kit for HTTP security headers or Password Policy for enforcing password rules.