Is Drupal’s open source platform secure?
When deciding on the best CMS to meet your organization’s digital vision, security is often one of the top concerns.
Here’s the reality. ALL software (closed source, open source, or custom-developed) has the potential for security vulnerabilities. Web security is a fast and ever-changing world. What passes today as secure code may not stay the same tomorrow when new vulnerabilities surface.
There's peace of mind in knowing not only is Drupal a proven, secure CMS but that it's also in an active state of safeguarding against attacks.
With proper planning, maintenance, and updating, open source software, like Drupal, can meet and even exceed the security standards of closed source.
- Mediacurrent’s Mark Shropshire, Senior Director of Development, quoted in an excerpt from Setting the Record Straight on Drupal Myths: Acquia eBook
Security and The Drupal Community
Open source software, like Drupal, has the bonus of having thousands of experts work on a particular problem. With entire teams and methodology devoted to ensuring its steadfast reputation as a secure CMS, it's comforting to know modules and code procured from the official Drupal site are as secure as possible.
Using Drupal means you never have to face these risks alone, let alone attempt to correct the problem by yourself. There's power in numbers when it comes to both discovering and fixing potential software flaws, and the Drupal community has those numbers.
Dedicated Security Team
The Drupal project has an approximately 32-person security team with a track record of professionally handling security advisories.
Community Code Review
One of the largest developer communities in the world, Drupal.org clocked 100,000 contributors and 1.3 million users at the time of Drupal 9’s release. Having many eyes on the source code ensures more issues are discovered and resolved.
Rapid Response Time
Defined processes around reporting and resolving security issues accelerate the response time to fix vulnerabilities and release patches.
Core API tools and techniques address common security risks. Community projects such as the Guardr distribution help educate the community on best practices around Drupal security.
The Guardr distribution was created to enhance a Drupal application's security and availability to meet enterprise security requirements.
Proven High Standards
Drupal Security Throughout the Website Process
The Drupal community has built-in security measures to combat threats — reassuring for sure. To proactively protect your site, the concept of security needs to be at top of mind when campaigns are being launched, systems/applications are being integrated, or when software is deployed or updated.
A security-first approach means going beyond compliance to better assess risk. There are two paths to achieve this approach:
1) Culture: Adopting a security mindset culture for your organization.
2) Automation: Taking on a continuous development plan that’s rooted in process automation.
In other words, start planning for security early and often throughout the website development process.
Don’t wait until the project is about to launch to think about security! Explore our Guide to Open Source Security eBook for tips and processes to consider when putting together a security-first maintenance plan for your website and marketing tech stack.
Developer Best Practices
Here are three ways to safeguard your Drupal site:
1. Choose the Right Modules
If you can dream up a feature for your site, chances are it can be found in the tens of thousands of community-contributed modules available for Drupal. With so many different options to pick from, how do you choose the most secure modules possible? Some steps to take are checking for how many sites are using the module, reviewing the issue queues, and avoiding deprecated or unsupported modules.
Find more criteria for module decision-making in our guide to Drupal module evaluation.
2. Use Drupal APIs
Look to Drupal APIs documentation to secure your contrib or custom code on a project. Drupal APIs have been nurtured by the community and have built-in protections for database security. If you do write new code, whether it’s a small amount or a completely new module, the “Writing Secure Code for Drupal” guide is a must-read reference.
3. Monitor Drupal Security Advisories
The Drupal security team posts weekly security advisories to Drupal.org.
To keep up with security releases, you can sign to receive email notifications through your drupal.org profile options, follow the RSS feed in your news reader (core, contrib, public service announcements), follow @drupalsecurity on Twitter, or join the Drupal Slack #security-questions
Sleep Better With a Secure Drupal Site
For more best practices, check out the Mediacurrent presentation Sleep Better with a Secure Drupal Site:
Are you ready to build a strong foundation for Drupal security but unsure where to start? There's a lot to consider in your security plan but it doesn't have to keep you up at night. Contact the Mediacurrent Security team for support.