Protecting Your Website: What You Need to Know About Drupal Security
Published on 18 June 18
Natasha0
Drupal is used by 2.1% of all the websites in the world, and with
With an active and committed developer community, constant updates, and a wide variety of available modules, Drupal is a versatile platform suitable for everything from personal blogs to
Even though Drupal is not the platform with the highest number of reported security issues or breaches, because of the recent exploit involving a remote code execution vulnerability, lovingly dubbed Drupalgeddon 2 (following the first one from 2014), this CMS is currently under additional scrutiny.
If you are running a business of any kind and use a Drupal based website for interactions with customers, as an online marketplace, to store or process sensitive personal data on it, or basically, to do just about anything more serious than posting an article every once in a while, you might stand to lose quite a bit if your site is compromised. Here’s how to prevent that from happening.
2
Constant Updates
Despite Drupal 8.x being around for years now, its 7.x iterations are still four times as popular as the latest version. If you think that just ensuring that you have the latest update for your version in enough to stay relatively safe, think again. A number of older branches are no longer supported, and some are only getting updates in cases of major vulnerabilities.
That’s why if you still prefer 7.x you should update it to 7.58, or, probably as the best recourse, go straight to 8.5.1. While there are auto-update options or modules you could rely on, make it a point to periodically check up on everything manually, and ensure you are up to date.
Modules
Modules need to be updated too. It doesn't matter if all of them are coming from top Drupal website design companies and how reliable they usually are, you need to keep checking their compatibility with your current Drupal deployment and other elements of your website.
However, it’s not only out of date modules that you should pay attention to, it’s all of them. Depending on what they do, what permissions they have, and how they are implemented, modules can provide intruders with an entry point, or a so-called, back-door. That’s why you should never use more modules than you absolutely need, and then ensure that their security standards are satisfactory.
Despite them being a potential risk, modules can also do a lot to protect your site from different types of intrusion - from preventing spam by serving visitors with a captcha, to giving you an option to use multi-verification login forms. Drupal’s module repository is a great place to start looking for suitable modules, but there are decent ones available outside of it as well.
Segmentation
They can’t steal what they can’t find, right? Depending on the type, amount and purpose of sensitive data you handle, you might want to consider additionally limiting access to it.
With the General Data Protection Regulation in full force, you might easily be held responsible for failure to protect someone's personal data. In order to prevent this, a lot of webmasters turn to data pseudonymization. This is basically stripping the data of personal identifiers, and keeping the key needed to retrieve them separately from the data itself. This way, even if your security measures fail, the damage is minimized.
Apart from data segmentation, you should also seriously consider segmenting the user access privileges that your employees have. Even if you have complete trust in their intentions and capabilities, every employee, as well as outside contractors or consultants should only be given exactly as much access and authority as they need, not an ounce more.
This not only prevents
1
Backup Everything
While planning for the worst case scenario doesn’t seem like the most proactive way to approach the problem, it is one of the most essential steps you need to take. Naturally, you need to ensure that your backup methods don’t create new vulnerabilities, so be careful how and where you keep your backups.
Summary
Despite the recent buzz around a major exploit, Drupal is, on average, just as secure as other CMS platforms. However, just like with other content management systems, you need to stay on your toes when it comes to following security best practices. Among other things, this includes regular updates of your Drupal deployment and individual modules; limiting user authorization;
segmenting the data you store; and keeping backups, if everything else fails. Aside from this, make sure to occasionally check out the security page on Drupal.org to see if new vulnerabilities have been discovered, and you shouldn't have too much trouble.
This blog is listed under
Open Source
, Development & Implementations
and IT Security & Architecture
Community
Related Posts:
Post a Comment
