Drupal Security: Is Drupal secure?

ArticleMarch 27, 2017

Cyber security is quickly becoming a much larger part of the conversation in modern society. Somehow DVRs were able to take down some of the biggest sites on the internet and hacking played a huge role in this past year’s election rhetoric. Amidst the concern that just about everything is vulnerable, Drupal stands strong as a truly secure open-source platform that even the White House can get behind.

Those things all sound great, but who is using Drupal now?

Just like the community, the network of sites using Drupal is constantly growing. Right now, drupal.org reports over 1.2 million installs of Drupal core. According to builtwith.com, 473 of the Quantcast top 10,000 websites use Drupal, and that number jumps up to 4,341 when you look at the top 100,000.


Examples of popular Drupal Based sites that rely on Drupal's Security


  • Weather.com - This one is familiar to just about everyone. The Weather Channel currently sits at number 98 in the Quantcast top 100, and they trust their backend to stability and security Drupal provides.

  • Whitehouse.gov - Is there a better proponent for Drupal security than the White House? Regardless of your political stance, it’s tough to argue that the White House doesn’t need a scalable and secure platform.

  • Economist.com - When a 170+ year old publication needed a reliable online platform to push into the daily, digital realm, they chose Drupal. Content contributors and editors around the globe depend on Drupal to quickly and safely publish their content.

  • Wholefoodsmarket.com - With a huge number of stores, lots of original content and even some user sign-in functionality, Whole Foods require a platform that is performant, secure and easy to interact with. Drupal gives them all of that, plus more.

  • Business.pinterest.com - One of the biggest social networks trusts Drupal with their business site, which requires a stable, trustworthy platform that is easy for content administrators to interact with.

Those sites are just a few highlights in a pool of big names that trust Drupal with some or all of their web presence. If you’re interested in more examples, check out Tesla, Box, the American Red Cross, Stanford Business and the Grammys, or head over the showcases section of drupal.com.


The Drupal Community

Given that Drupal is open source software, free to use and with a codebase that is accessible to anyone who wants to examine it, there are often misconceptions about how that affects the platform’s security. At first, it may seem counter-intuitive that Drupal is one of the most secure web platforms out there, but consider the numbers by comparison. Grand Theft Auto 5, one of the best-reviewed video games of the past few years, is known for refinement and a high level of polish. This being said, Grand Theft Auto 5 reportedly has a little over 1,000 people working to produce the game. The Drupal community numbers over 1 million. Granted, a relatively small portion of that number are developers, but those are all people using Drupal in some capacity, reviewing code and functionality, both actively and passively. With a passionate community of that scale, the product can’t help but be solid.


There are over 1,000,000 Drupal Contributors making Drupal increasingly secure.


That’s a big number, but what is the community actually doing to ensure Drupal stays secure?

Glad you asked! Security is a constant concern in the contributor community, and there are multiple initiatives working to be sure Drupal remains the most secure choice for clients that range from the new pizza place down the street to the white house.


Drupal Security Team and Security Working Group

Let’s start with the teams at the heart of the day-to-day implementation: the Drupal Security Team and Security Working Group. The Drupal Security Team handles things like resolving reported security issues, assisting maintainers of contributed modules in securing their code, maintaining guides to help any Drupal developer write more secure code and providing documentation around best practices for securing a Drupal site. In short, the security teams are the boots on the ground working to make sure security releases are pushed out in a responsible and timely manner. The security team is overseen by the Security Working Group, which is a much smaller group of security experts who work tirelessly to ensure Drupal core and the contributed module ecosystem provide best-in-class security.


Drupal Security Advisories

Security updates aren’t effective without a proven way to get the word out about them, which is where the Drupal security advisory policy comes in. When a security update is released for any stable contributed module or release of Drupal core, the security team will issue a public advisory. These advisories contain information about the affected project(s), the severity level of the vulnerability (on a 25-point scale) and how to mitigate the issues presented by the vulnerability. There are multiple channels to access these advisories that range from a newsletter to Twitter to RSS feeds, which all include announcements that are published as soon as a security issue is made public.


Security Advisory Policy

We’ve talked a lot about Drupal core up to this point, but there is also a huge ecosystem of contributed modules. These are not ignored by the security team! On the contrary, any contributed module with a stable release for a current version of Drupal (right now 7.x and 8.x) is covered by the Drupal Security Advisory Policy. This ensures that a secure release of Drupal core won’t be compromised by a contributed module that doesn’t align with the standards put forward by the Drupal Security Team. The best part is it’s really easy to see if a module is covered by the policy - just go to the project page (check out Views for a sample), scroll to the downloads section and look for a green shield.


Password Encryption

Finally, Drupal takes password encryption seriously. Out of the box, by default, user passwords are hashed and salted against a hash salt (think of this as an encryption key) that is unique to the site and generated when the site is initially setup. In laymen’s terms, that means every time a password is saved to Drupal’s database it is encrypted, obscured and lengthened to protect against brute force password attacks before it is saved to the database. Thanks to this encryption, there is no way to directly access any user’s plaintext password in the database, and, because the hash halt is unique to each site, passwords are incredibly difficult to decrypt. In fact, Drupal does such a good job with password encryption, Wordpress took note and now has a plugin to add on similar encryption.


If you just have questions or want to learn more about what Drupal can do for you, don’t hesitate to reach out. We have in-house experts who can walk through Drupal’s top-notch security, as well as a host of other features we haven’t even touched on here.