How Secure is Drupal in 2019?
It hasn’t been a great few years for Drupal: a number of major security issues with Drupal core have surfaced, colourfully named Drupalgeddon 1, 2 and 3. It’s easy to forget—in all the negative coverage—that Drupal is still one of the most secure CMSs on the market, and is favoured by governments all over the world. The age-old Drupal vs WordPress debate has been pretty conclusively won: WordPress is great for small businesses and home bloggers, but if you want to get serious, you get Drupal; the White House runs Drupal, and with good reason. Today we’re going to be looking at how Drupal’s security works, and why it’s still your best pick for a safe CMS.
- Fewer Breaches Than Any Competing CMS
Part of the reason Drupalgeddon got so much coverage is that Drupal isn’t normally a problem. It currently has 177 known vulnerabilities, compared to 287 for WordPress, and the vast majority of them are fairly minor. This is because third-party plugins are the primary attack vector for a CMS, and Drupal—unlike its competitors—studiously vets its plugins.
- It’s Open Source
Stick with me here—open source often ends up being more secure than closed source. While attackers have access to the code, there are a lot more defenders; there’s a whole community looking out for the software’s defence, not just the team at Drupal HQ. Bugs (particularly bugs in Drupal Core) tend to get noticed much more quickly, which lets Drupal respond to issues much faster.
Drupal has a unique community security structure built around their core team, backed up by a small army of contributors and maintainers. Backing that up is the community, who help discover and report bugs, and keep the core CMS at peak performance.
- Modern Password Hashing
All passwords in Drupal are salted, hashed, and stored securely; even if somebody does manage to break in, you can sleep easy knowing your passwords aren’t just being stored in plaintext. Drupal 6/7 use SHA512 with a salt, and Drupal 8 defines its hashing contract in PasswordInterface; the PhpassHashedPassword class implements that interface and calls its crypt method with SHA512 as the hashing algorithm, the password, and the salt.
Both of these techniques ‘stretch’ your password by salting it and then repeatedly hashing it, increasing the computational cost for the attacker and making the system harder to brute-force.
Which is a lot of words to say: your passwords are about as safe as they’re going to get.
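To make the stretching concrete, here is an added Python re-implementation of the Drupal 7 scheme described above (an 8-character salt, then 2^N rounds of SHA-512, stored in phpass format as `$S$` + round count + salt + hash, cut to 55 characters). It is example code written for this article, not Drupal’s own password.inc, and it leaves out the legacy `U$S$` hashes Drupal keeps for accounts migrated from MD5.

```python
import hashlib
import hmac
import os
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55            # Drupal stores only the first 55 characters
DEFAULT_COUNT_LOG2 = 15     # 2**15 = 32768 SHA-512 rounds (DRUPAL_HASH_COUNT in Drupal 7)
MIN_COUNT_LOG2, MAX_COUNT_LOG2 = 7, 30

def _base64_encode(data):
    """phpass-style base64 over ITOA64: little-endian 6-bit groups, no padding."""
    out, i, n = [], 0, len(data)
    while i < n:
        value, i = data[i], i + 1
        out.append(ITOA64[value & 0x3F])
        if i < n: value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n: break
        i += 1
        if i < n: value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n: break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def _crypt(password, setting):
    """Salted, iterated SHA-512 as in Drupal 7's _password_crypt(); None if invalid."""
    pw, setting = password.encode("utf-8"), setting[:12]   # "$S$" + count char + 8-char salt
    count_log2, salt = ITOA64.find(setting[3:4]), setting[4:12]
    if (len(pw) > 512                                      # DoS guard: cost is paid per round
            or setting[0:1] != "$" or setting[2:3] != "$" or len(salt) != 8
            or not MIN_COUNT_LOG2 <= count_log2 <= MAX_COUNT_LOG2):
        return None
    h = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):                       # the "stretching" step
        h = hashlib.sha512(h + pw).digest()
    return (setting + _base64_encode(h))[:HASH_LENGTH]

def hash_password(password, count_log2=DEFAULT_COUNT_LOG2, salt=None):
    """Fresh 6 random bytes become an 8-char salt; returns a "$S$..." hash or None."""
    setting = "$S$" + ITOA64[count_log2] + _base64_encode(salt or os.urandom(6))
    return _crypt(password, setting)

def check_password(password, stored):
    """Recompute with the salt and round count embedded in the stored hash."""
    computed = _crypt(password, stored) if stored.startswith("$S$") else None
    return computed is not None and hmac.compare_digest(computed, stored)

def rounds(stored):  # SHA-512 rounds an attacker must pay for every guess
    return 1 << ITOA64.index(stored[3])
```

Because the round count travels inside the hash, raising it for new passwords costs the attacker twice as much per guess for each increment, while old hashes still verify.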
But hey, you’re probably thinking: that’s all good, but I’m still worried. Is there anything I can do?
There sure is! Let’s go through some simple things you can do to make sure your Drupal installation is even more secure.
- Update, update, update.
Look, everybody hates updates. They take up valuable time, and it’s often hard to tell what they’re actually doing. They’re also your #1 weapon against hackers and other malicious parties. The Drupal security team is on top of things, but that does not matter if you’re not installing their updates—they’re busy forging armour, but it’s worthless if you refuse to put it on. Even the safest CMS in the world only remains safe if you keep it up to date.
Update Drupal core as soon as you can after a new update drops, and regularly check any modules you’re running for updates. If you navigate to Reports in your Drupal Admin UI, you should find an available updates button that makes this a breeze.
- Choose Your Username Well
A very common form of attack is hackers inputting common usernames and passwords until one of them works. This is what we call a dictionary attack. They tend not to target single machines: they’ll hit as many accounts as possible, and they’re almost guaranteed to find somebody who called their admin account admin and set the password to password123.
Thankfully, dictionary attacks are easy to prevent. Set a non-default username, and use a password manager like LastPass to generate (and store) strong passwords that aren’t guessable.
- Extra for Experts
If you’re techier and really serious about security, skip the Drupal Admin UI/cPanel and use SSH. Drupal is Unix-like under the hood, and should be fairly easy to grok for any of you accustomed to SSH. You’re going to want to start with the usual: set yourself up as a superuser, turn off root access, turn off all unnecessary DNS ports.
- Bring in a Professional
If that last paragraph had you a bit confused, it might be time to bring in a developer. Drupal is a solid system that doesn’t need a pro developer to operate, but a pro developer can take things up to 11. There are plenty of companies out there from which you can hire an on-demand Drupal developer. It’s not free, but it can be surprisingly affordable if you look in the right places.
Drupal is only the beginning. If you’re a business owner who wants to get serious with their tech, why not read up on how you can improve developer productivity?