On this page:
- Enhancing Drupal security for a safer online experience
- Part 1 — Understanding security: why it matters for your Drupal website
- Part 2 — Drupal and security: capabilities, features and initiatives
- Part 3 — Top 10 ways to improve Drupal security
- Part 4 — The importance of website security and best practices
- Part 5 — Our contribution to improving Drupal security for our clients and the community
- Part 6 — How we can help: our expert services for Drupal security
Enhancing Drupal security for a safer online experience
Drupal is a powerful and versatile open-source content management system (CMS) that offers extensive functionality and customisation possibilities for creating and managing dynamic websites. As more businesses and organisations choose Drupal for their web presence, ensuring the security and privacy of their data and user information has become increasingly important. This 6-part self-help guide series aims to provide you with in-depth knowledge and actionable insights to enhance your Drupal website across the 6 metrics of:
- Security
- Performance
- Accessibility
- Patches
- SEO
- Carbon emissions
Each of the six metrics covered in this series plays a crucial role in ensuring the overall performance, accessibility and user satisfaction of your website. Security is a top priority, as it affects not only your website's reputation but also its legal and financial stability. By understanding the importance of security and implementing the right measures, you can protect your website against various cyber threats and provide a safe experience for your users.
This first self-help guide focuses exclusively on the important security metric. We explore how to protect your Drupal website from potential vulnerabilities and attacks while sticking to global authorities, frameworks and guidelines on website security. By following this comprehensive guide, you’ll gain tools and confidence to maintain a secure and reliable online presence using Drupal.
Go to our top 10 ways to improve Drupal security
Part 1 — Understanding security: why it matters for your Drupal website
Securing your Drupal website is of paramount importance. By understanding the security metric, its significance and the potential consequences of ignoring it, you’ll be better equipped to protect your website and its users from the evolving landscape of cyber threats.
What is website security?
Website refers to the protective measures and practices implemented to safeguard a website and its data from unauthorised access, exploitation and other cyber threats. It includes areas such as the protection of sensitive user , prevention of unauthorised access, and defence against attacks like distributed denial of service , cross-site scripting , and SQL .
Why is website security important?
In today's digital landscape, cyber threats are continually evolving and the consequences of security breaches can be severe. Ensuring your Drupal website's security is crucial to:
Protect user data: Websites often store sensitive information such as user login details, financial information and personal data. Securing this information is a top priority, as a breach can result in severe repercussions for both the users and your organisation.
Maintain credibility and trust: A secure website bolsters your reputation and fosters trust among your users, clients and partners.
Meet legal and regulatory compliance: Adhering to data protection , such as the General Data Protection Regulation and the California Consumer Privacy Act , is a must to avoid hefty fines and legal issues.
Prevent downtime and financial loss: Security breaches can lead to website downtime, loss of revenue and costly recovery processes. According to the IBM Cost of a Data Breach Report : “The global average cost of a data breach in 2023 was USD 4.45 million, a 15% increase over 3 years.”
Global authorities and guidelines
Various global authorities and organisations provide guidelines and policies related to website security, including:
(Open Worldwide Application Security Project®): A non-profit organisation that offers a wealth of resources on web application security, including the OWASP Top Ten , which lists the most critical web application security risks.
International Organization for Standardization (ISO) : This global standard outlines best practices for an information security management (ISMS), including risk assessment, security controls and continuous improvement.
PCI (Payment Card Industry Data Security Standard): This global standard outlines security requirements for merchants and service providers that store, process or transmit cardholder data.
(Information Security Registered Assessors Program): This Australian Government program assesses cloud services against the Australian Government Information Security (ISM) and the Protective Security Policy (PSPF).
(General Data Protection Regulation): A European Union regulation that stipulates strict data protection and privacy requirements for organisations handling the data of EU citizens.
(National Institute of Standards and Technology): A US-based agency that provides guidelines and standards on various aspects of cybersecurity, including the NIST Cybersecurity .
(Federal Risk and Authorization Management Program): This US, government-wide program provides a standardised approach to security assessment, authorisation, and continuous monitoring for cloud products and services.
(Health Insurance Portability and Accountability Act): This US law outlines standards for the protection of personally identifiable health and sets guidelines for the use and disclosure of such information.
The positive impact of a secure website
A secure Drupal website reaps numerous benefits, such as:
Enhanced user trust and confidence: Users are more likely to engage with and trust a secure website. According to the PwC’s 2023 Trust : “79% of consumers say protecting their data is very important to building trust.”
Compliance with legal and regulatory requirements: A secure website reduces the risk of fines and penalties.
Improved search engine rankings: Search engines like Google prioritise secure in their search results.
Reduced risk of downtime and financial loss: A secure website is less susceptible to cyber attacks, helping to avoid costly downtime and revenue loss.
The consequences of ignoring security
Ignoring the security of your Drupal website can lead to serious consequences, including:
Loss of sensitive user data: A security breach may result in the exposure of users' personal and financial information.
Damage to reputation: A security breach can tarnish your organisation's credibility and erode users' trust.
Legal and regulatory non-compliance: Failing to secure your website can result in hefty fines and penalties. See some examples of data breach fines, penalties, and in recent years.
Financial loss and downtime: A cyber attack can cause substantial downtime, loss of revenue and high recovery costs. According to this 2019 LinkedIn data breach , "1 in 3 small businesses in the US have experienced an official data breach in 2019" and “10% of small businesses did indeed go out of business in 2019 [due to a data breach]”.
Part 2 — Drupal and security: capabilities, features and initiatives
Drupal offers an array of security capabilities, features and that align with global guidelines and best practices. By understanding Drupal's security offerings and their impact, you can make informed decisions to protect your website and its users from cyber threats.
Drupal's security capabilities and features
Drupal is a robust, open-source CMS that offers built-in features and capabilities that address website security. Some of the key features include:
User authentication and access control: Drupal offers extensive user role and permission management options, enabling you to define granular access control for different user roles on your website. A number of contributed modules focused on user access and are also available.
Password security: Drupal enforces secure password policies, supports password encryption, and offers features like password strength indicators and two-factor authentication .
Input and data validation: Drupal has built-in measures to protect against common security threats like XSS and SQL injection attacks, ensuring that user input and data are thoroughly validated and sanitised.
Regular security updates: The Drupal Security releases frequent security updates and patches to fix any identified vulnerabilities and ensure that your Drupal website stays secure.
Security modules and extensions: Drupal's extensive ecosystem offers a plethora of security-focused modules and to further strengthen your website's security posture.
Aligning with security guidelines and best practices
Drupal's security features and initiatives are designed to align with widely-accepted security guidelines and best practices, such as OWASP Top and NIST Cybersecurity . Drupal's core and contributed modules are developed with a strong focus on security and adherence to industry standards.
Drupal security success stories
Some well-known examples of Drupal websites that have successfully implemented robust security measures include:
- Government of Canada Recalls and Safety (read Drupal case study for Government of )
- United
- Occupational Safety and Health (US)
- University of
- CVS
- Brown
- Government of Canada, Open Government
- Big
- Charles
Lessons from poorly implemented Drupal security
There have been instances where inadequate security measures in Drupal websites have led to or vulnerabilities. These examples serve as valuable lessons on the importance of prioritising security:
The Panama : The leak of 11.5 million confidential documents from a law firm was traced back to vulnerable WordPress and Drupal installations with outdated plugins and modules. This breach highlighted the critical need for regular updates and security patching.
: A critical security vulnerability in Drupal core affected numerous websites, emphasising the importance of promptly applying security updates and following best practices.
Security considerations across Drupal versions
Security features and considerations may differ across Drupal versions (Drupal 7, 9 and 10). It’s essential to be aware of these differences and ensure that your website remains secure as you upgrade or migrate between versions. Drupal's Security Team provides guidance and support for each version, with a strong focus on the most recent releases, which receive priority for updates and patches.
For versions that have reached End-of-Life (EOL), they’re no longer supported by the Drupal Security Team and pose a significant security threat. If you’re using an unsupported version, your site should be upgraded to the latest supported version as soon as possible.
- Drupal 6 — As of 24 February 2016, Drupal 6 reached EOL.
- Drupal 7 — Follow the Security in Drupal documentation. The Drupal 7 is on 5 January 2025.
- Drupal 8 — As of 17 November 2021, Drupal 8 reached EOL.
- Drupal 9 and 10 — Follow the and Security in documentation. Drupal 9 will reach End-of-Life 1 November 2023, so you should upgrade your Drupal 9 sites to Drupal 10 before then.
Part 3 — Top 10 ways to improve Drupal security
The top 10 ways to improve your Drupal security are:
- Secure your infrastructure
- Regular updates and patching
- Strong user authentication and access control
- Input validation and data sanitisation
- Using HTTPS, SSL/TLS certificates and secure headers
- Monitoring and logging
- Security-focused modules and module risk assessment
- Regular security audits and penetration testing
- Secure backups and disaster recovery plan
- Employee training and awareness
1: Secure your infrastructure
What it is: Secure your web infrastructure, including your physical server location and hardware, software operating system and third-party libraries, databases, file system and server access. Also consider creating a static version of your public-facing website (and lock down your editorial domain) to tighten security even further.
Positive impact: Proper infrastructure security is the foundation for all other security measures to reduce the risk of attackers gaining direct access to your servers, databases and files.
Steps to implement:
Note: For managed hosting, many of these security measures should be in place. Check with your hosting provider to understand your role in infrastructure security.
Secure physical servers in a location that can only be accessed by authorised persons
Provide remote access to servers only to those who fully understand, and implement the proper security measures for your server
Audit server access regularly and remove access for people who no longer need it
Update your operating system, third-party libraries and dependencies regularly and apply security patches as needed
Follow best practices for securing your database based on the database software used
Audit database access regularly and remove access for people who no longer need it
Set restrictive file (e.g. 755 for directories, 644 for files) for your Drupal installation
Ensure that the owner and group of your files and directories are set correctly
Avoid using overly permissive file permissions (e.g. 777) for any part of your Drupal installation
Audit file permissions and ownership regularly to detect any discrepancies
Limit administrative access to your Drupal installation to the minimum number of admins
Audit site admin access regularly and remove access for people who no longer need it
Add a Web Application Firewall such as Quant , AWS , CloudFlare or Sucuri to detect and mitigate potentially serious security issues
Optionally, take your infrastructure security to the next level and create a static public-facing version of your site (using or ) and lockdown your backend Drupal admin site using a firewall or basic
Above: Screenshot of Drupal’s file permissions and ownership showing example secure and insecure file permissions.
Above: Screenshot of Quant WAF logs for example Drupal website.
Above: Screenshot of Quant configuration settings for creating static version of a Drupal site.
2: Regular updates and patching
What it is: Regularly updating your Drupal core, modules and themes ensures that your website stays secure by fixing known vulnerabilities and security issues.
Positive impact: Applying updates promptly minimises the risk of attacks or breaches, thereby protecting your website and user data.
Steps to implement:
Perform regular backups of your website in case they are needed for site recovery
Monitor new Drupal available on Drupal.org
Monitor for security updates and from the Drupal Security Team
Monitor your site’s update status for required updates
Set up a local or staging environment for testing updates and patches
Apply updates and patches to your local or staging environment
Thoroughly test your local or staging website after applying updates and patches
Go through the release and test any specific items that might affect your site
Once the updates have been approved, schedule the deployment with your team
Have content editors and unneeded admins stay out of the website during deployment
Make sure you have the right technical support available during and after your deployment
For some Drupal versions, you should manually put the site into maintenance mode
Backup your website right before deploying changes to production
Deploy the updates to your production environment
Test any important pages and features on your production site
For some Drupal versions, you should manually take the site out of maintenance mode
Above: Screenshot of the Available updates report with status for Drupal core.
Above: Screenshot of the Available updates report with status for modules.
Above: Screenshot of the Available updates report with status for themes.
3: Strong user authentication and access control
What it is: Implementing strong user authentication and access control mechanisms ensures that only authorised users have access to sensitive areas of your website.
Positive impact: Robust user authentication and access control reduce the risk of unauthorised access and protect your website's resources and data.
Steps to implement:
Define user roles and for your website
Set up strong password policies, including minimum length and complexity requirements
Set up session limits so users are automatically logged out after a reasonable period
Educate your admin users on safe password usage and handling
Enable two-factor authentication for enhanced account security
Enable login-related security modules such as Login and Password
Limit the number of users with administrative privileges
Regularly review and update user access rights
Remove or block users, especially administrators, who no longer need access to the site
Downgrade roles for users who no longer need admin access to the site
Review your site logs for suspicious 403 (access logging
Above: Screenshot of Drupal’s user list with their roles, status and access information.
Above: Screenshot of Drupal’s roles page.
Above: Screenshot of Drupal’s permissions page.
4: Input validation and data sanitisation
What it is: Input validation and data sanitisation involve verifying and cleaning user input before processing it to protect against security threats like cross-site scripting (XSS) and SQL injection.
Positive impact: Implementing input validation and data sanitisation ensures that your website can handle potentially malicious input without exposing vulnerabilities.
Steps to implement:
For custom Drupal modules, themes and site configuration:
- Use Drupal's built-in input sanitisation functions such as and
- Use Drupal’s built-in database abstraction for database queries to prevent SQL injection
- Validate user input for proper length, type and format
- Understand and follow all Drupal security best practices for custom
- Minimise the number of forms and fields to what is strictly required
- Audit forms and fields regularly and disable or remove what is no longer necessary
- Sanitise user-generated content using Drupal's text
- Audit your text formats regularly to remove unnecessary settings
- Avoid modules and tools that allow JavaScript injection into the site
General considerations:
- Test your website for potential security vulnerabilities using tools like OWASP
- Think like a hacker and try to break your forms using bad input such as SQL and JavaScript
- Be careful when using third-party form services and Google Tag tags
Above: Screenshot showing the use of Html::escape in code.
Above: Screenshot of Drupal’s text formats.
5: Using HTTPS, SSL/TLS certificates and secure headers
What it is: and certificates ensure secure communication between your website and its users, protecting sensitive data during transmission.
Positive impact: Implementing HTTPS and SSL/TLS certificates helps safeguard your website against eavesdropping and attacks, boosting user trust.
Steps to implement:
Either use a managed Drupal hosting service that handles certificates automatically or for self-hosted environments:
- Obtain an SSL/TLS certificate from a trusted certificate authority
- Install and configure the SSL/TLS certificate on your web server
- Check your SSL/TLS certificate and expiry with a tool like SSL
- Update your Drupal configuration to enforce
- Redirect all HTTP requests to HTTPS using rules or server configuration
- Verify that all external resources (e.g. scripts, images) are loaded over HTTPS
- Update your SSL/TLS certificate regularly before it expires
- Run your site through and fix any issues
Above: Screenshot of a Security Headers report for the salsa.digital website.
Above: Screenshot of the SSL Labs report that includes the certificate’s expiration date.
6: Monitoring and logging
What it is: Monitoring and logging involve tracking your website's activities to detect suspicious behaviour, security incidents and performance issues.
Positive impact: Regular monitoring and logging help you proactively identify and address potential security threats before they escalate.
Steps to implement:
- Check with your hosting provider for what logging and monitoring tools are available
- Install Google or similar web service
- Use Google Search , the Link checker or similar tools to assess 404s (page not found) issues
- Enable Drupal's built-in and error reporting features
- Use log analysis tools such as New to analyse logs for suspicious activity
- Set up site a site monitoring such as or
- Monitor performance metrics and server resources to detect potential attacks or breaches
- Set up automated alerts and notifications for critical security events
- Review logs and security reports regularly to identify patterns and trends
Above: Screenshot of Drupal’s recent log messages.
Above: Screenshot of example Drupal New Relic performance from New Relic module .
7: Security-focused modules and module risk assessment
What it is: Drupal's security-focused enhance your website's security by providing additional features and protections. In addition, all Drupal contributed modules have security implications that should be assessed.
Positive impact: Using access control, spam and security-related modules help strengthen your website's security posture, reducing the risk of vulnerabilities and breaches. Regular audits and analysis of all installed modules for potential issues helps you make informed decisions for what modules to keep or remove for increased security.
Steps to implement:
- Research and install reputable access control, spam and security-related modules such as:
- (rank #121) [Drupal 7, 8, 9, 10]
- Automated (rank #167) [Drupal 7, 9, 10]
- (rank #12) [Drupal 7, 8, 9, 10]
- Flood (rank #191) [Drupal 7, 9, 10]
- (rank #512) [Drupal 7, 8, 9] [only install on dev environment for analysis]
- (rank #36) [Drupal 7, 9, 10]
- Login (rank #247) [Drupal 7, 8, 9, 10]
- Password (#123) [Drupal 7, 8, 9, 10]
- Protected (#385) [Drupal 7, 8, 9, 10]
- Security (rank #95) [Drupal 7, 9, 10]
- Secure (rank #631) [Drupal 7, 8, 9, 10]
- Security (rank #275) [Drupal 7, 8, 9, 10]
- Session (rank #450) [Drupal 7, 8, 9, 10]
- SpamSpan (rank #394) [Drupal 7, 8, 9, 10]
- Two-Factor Authentication (rank #597) [Drupal 7, 8, 9, 10]
- Username Enumeration (rank #344) [Drupal 7, 8, 9, 10]
- Audit all installed modules and:
- Ensure they have opted-in to Drupal’s security
- Remove contributed modules that do not have security coverage
- Remove contributed modules that can be replaced by core functionality
- Remove unused contributed modules to reduce risk
- Check modules are actively maintained
- Consider removing poorly maintained modules
- Review features of modules to assess potential security risks
- Remove or heavily restrict modules that may pose high security risks such as allowing JavaScript injection
- Regularly update modules and check configuration
Above: Screenshot of the top 4 Drupal 10 security modules on Drupal.org.
Above: Screenshot of Drupal’s CAPTCHA module settings.
8: Regular security audits and penetration testing
What it is: Security and penetration involve assessing your website's security posture to identify and address vulnerabilities and weaknesses.
Positive impact: Conducting regular security audits and penetration testing helps you proactively address potential threats and improve your website's overall security.
Steps to implement:
- Establish a schedule for regular security audits and penetration tests
- Use reputable tools, such as OWASP or Burp , to conduct vulnerability scans and penetration tests
- Perform manual testing to identify potential weaknesses not detected by automated tools
- Remediate identified vulnerabilities and verify fixes through retesting
- Document the results of security audits and penetration tests to track progress and improvements
Above: Screenshot of example OWASP ZAP Vulnerability from Senik Hakobyan.
9: Secure backups and disaster recovery plan
What it is: Secure and a disaster recovery involve creating regular copies of your website data and having a well-defined process to restore your site in case of a security breach or data loss.
Positive impact: Implementing secure backups and a disaster recovery plan ensures business continuity and minimises downtime in the event of a security incident or data loss.
Steps to implement:
- Check with your hosting provider to understand your backup options
- Set up a schedule for regular backups of your website's files and databases
- Store backups in a secure, off-site location to protect against data loss
- Encrypt backup data to prevent unauthorised access
- Test the recovery process by periodically installing a copy of your website from a backup
- Document your recovery plan and make it accessible to all relevant stakeholders
Above: Screenshot of the Drupal Backup and Migrate destination settings.
10: Employee training and awareness
What it is: Employee training and awareness involves educating your team members on security best practices, potential threats and their responsibilities in maintaining your website's security.
Positive impact: By fostering a security-aware culture, your team can identify and address potential security issues more effectively, reducing the risk of security breaches.
Steps to implement:
- Develop a comprehensive security training program for your employees
- Cover topics such as secure coding , password security and awareness
- Provide regular training updates and refresher courses to keep employees informed of emerging threats and best practices
- Establish clear security policies and guidelines for your team to follow
- Encourage open communication and reporting of potential security issues
Part 4 — The importance of website security and best practices
In today's digital landscape, securing your Drupal website should be a top priority. Ensuring your site's safety not only protects your business and its reputation but also preserves the trust and confidence of your users. By understanding the importance of website security and following best practices, you can minimise the risk of security breaches and maintain a safe online environment for your users.
By prioritising website security and implementing the 10 contributing factors discussed in this guide, you can effectively safeguard your Drupal site. Remember, prevention is always better than cure, and investing in your website's security today can save you from significant headaches and expenses down the line.
Part 5 — Our contribution to improving Drupal security for our clients and the community
In this section, we share our own experiences and case studies on how we've contributed to Drupal security for our clients and the Drupal community. We've divided this section into three subsections to provide an easy-to-follow structure and to highlight our expertise in each area:
- Implementing best practices for clients
- Sharing our knowledge with the community
- Drupal360.io: our audit tool with emphasis on security
1. Implementing best practices for clients
In our work with clients, we've focused on implementing Drupal security best practices, as discussed in this guide. We work closely with government agencies, building highly secure platforms and websites. For example, Salsa and GovCMS worked together to get IRAP certification for the GovCMS program (read the GovCMS IRAP certification case study). We also secured authority to operate for another large portal (read the case study on a federal agency securing authority to operate). In addition, many Salsarians have baseline clearance so they can work on highly secure government projects.
By helping clients with updating their Drupal installations, ensuring secure backups, and other essential security best practices, we've helped businesses maintain a strong online presence while protecting their customers' data.
We believe in giving back to the Drupal community by sharing our knowledge and expertise on security best practices. We regularly participate in Drupal events, contribute to forums, and write blog posts on various security topics. Some of our blogs on security are:
- Drupal defense in depth — a Drupal security protection framework
- Australian Protective Security Framework
- Cloud security in Victorian government
- Web applications security #1
- Security at every level
- Australia’s ‘Essential Eight’ for cyber security
- DTA Secure Cloud Strategy — cyber security update
- Managing the security risk of running Drupal 7 after End-of-Life
We also have a dedicated Chief Information Security Officer (CISO) who focuses on security for Salsa, our platforms and our clients.
Salsa is also an official supporting partner of Drupal Steward, a fully managed web application firewall service that significantly reduces the risk between the time security vulnerabilities are discovered and the time websites are patched. This additional website security is especially important for Salsa’s many government clients.
Our team members also regularly contribute to Drupal's core development and security-related modules, helping to make the platform more secure for all users.
3. Drupal360.io: our audit tool with an emphasis on security
As part of our commitment to Drupal security, we're currently developing an audit tool, Drupal360.io, for site owners to assess their website's security and other crucial metrics. This tool will help users identify potential vulnerabilities and offers actionable insights for making informed decisions on improvements. While the tool covers all essential metrics, we've placed particular emphasis on security, ensuring a comprehensive assessment of your Drupal site's safety.
By sharing our experiences and expertise, we hope to inspire and motivate others in the Drupal community to prioritise security. Through our hands-on work with clients, knowledge sharing and the development of Drupal360.io, our free audit tool, we strive to make a positive impact on the security landscape of Drupal sites worldwide.
Part 6 — How we can help: our expert services for Drupal security
As a dedicated Drupal agency, we offer a range of Drupal security services to help clients improve their website's security. We've broken down our services into 5 main categories, each tailored to address specific security concerns and help you maintain a safe and secure Drupal website:
1. Salsa Support
Salsa Enterprise Drupal Support can be used to draft a security fixes and improvements plan and create a backlog for action.
2. Security audits
Salsa's Drupal security audits involve comprehensively evaluating your Drupal website's security measures and identifying potential vulnerabilities.
3. Security patching
Salsa's SLA-backed patching and maintenance services can be used to ensure security patches are applied immediately after they’re released to keep your site secure.
4. Salsa Hosting
Salsa's Drupal enterprise hosting platform offers several security protections as standard, including distributed denial-of-service (DDOS) protection, a Web Application Firewall (WAF), multi-factor authentication and intrusion detection and remediation.
5. General cybersecurity services
Salsa's Drupal cybersecurity services offer several layers of protection for customers on Drupal. Related services include:
- Rehosting onto our secure hosting platform
- Locked-down controls at origin
- WAF with enterprise security controls
- Intrusion detection and remediation
Our comprehensive services for Drupal security, from audits and assessments to custom solutions and ongoing maintenance, ensure that your Drupal site remains safe, secure and compliant with industry standards. With our expert support, you can focus on growing your business while we handle your site's security needs.