Drupal security — a complete Drupal self-help guide to ensuring your website’s security

Enhancing Drupal security for a safer online experience

Drupal is a powerful and versatile open-source content management system (CMS) that offers extensive functionality and customisation possibilities for creating and managing dynamic websites. As more businesses and organisations choose Drupal for their web presence, ensuring the security and privacy of their data and user information has become increasingly important. This 6-part self-help guide series aims to provide you with in-depth knowledge and actionable insights to enhance your Drupal website across the 6 metrics of:

1. Security
2. Performance
3. Accessibility
4. Patches
5. SEO
6. Carbon emissions

Each of the six metrics covered in this series plays a crucial role in ensuring the overall performance, accessibility and user satisfaction of your website. Security is a top priority, as it affects not only your website's reputation but also its legal and financial stability. By understanding the importance of security and implementing the right measures, you can protect your website against various cyber threats and provide a safe experience for your users.

This first self-help guide focuses exclusively on the important security metric. We explore how to protect your Drupal website from potential vulnerabilities and attacks while sticking to global authorities, frameworks and guidelines on website security. By following this comprehensive guide, you’ll gain tools and confidence to maintain a secure and reliable online presence using Drupal.

Go to our top 10 ways to improve Drupal security

Part 1 — Understanding security: why it matters for your Drupal website

Securing your Drupal website is of paramount importance. By understanding the security metric, its significance and the potential consequences of ignoring it, you’ll be better equipped to protect your website and its users from the evolving landscape of cyber threats.

What is website security?

Website security refers to the protective measures and practices implemented to safeguard a website and its data from unauthorised access, exploitation and other cyber threats. It includes areas such as the protection of sensitive user information, prevention of unauthorised access, and defence against attacks like distributed denial of service (DDoS), cross-site scripting (XSS), and SQL injection.

Why is website security important?

In today's digital landscape, cyber threats are continually evolving and the consequences of security breaches can be severe. Ensuring your Drupal website's security is crucial to:

1. Protect user data: Websites often store sensitive information such as user login details, financial information and personal data. Securing this information is a top priority, as a breach can result in severe repercussions for both the users and your organisation.

2. Maintain credibility and trust: A secure website bolsters your reputation and fosters trust among your users, clients and partners.

3. Meet legal and regulatory compliance: Adhering to data protection regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), is a must to avoid hefty fines and legal issues.

4. Prevent downtime and financial loss: Security breaches can lead to website downtime, loss of revenue and costly recovery processes. According to the IBM Cost of a Data Breach Report 2023: “The global average cost of a data breach in 2023 was USD 4.45 million, a 15% increase over 3 years.”

Global authorities and guidelines

Various global authorities and organisations provide guidelines and policies related to website security, including:

1. OWASP (Open Worldwide Application Security Project®): A non-profit organisation that offers a wealth of resources on web application security, including the OWASP Top Ten Project, which lists the most critical web application security risks.

2. International Organization for Standardization (ISO) 27001: This global standard outlines best practices for an information security management system (ISMS), including risk assessment, security controls and continuous improvement.

3. PCI DSS (Payment Card Industry Data Security Standard): This global standard outlines security requirements for merchants and service providers that store, process or transmit cardholder data.

4. IRAP (Information Security Registered Assessors Program): This Australian Government program assesses cloud services against the Australian Government Information Security Manual (ISM) and the Protective Security Policy Framework (PSPF).

5. GDPR (General Data Protection Regulation): A European Union regulation that stipulates strict data protection and privacy requirements for organisations handling the data of EU citizens.

6. NIST (National Institute of Standards and Technology): A US-based agency that provides guidelines and standards on various aspects of cybersecurity, including the NIST Cybersecurity Framework.

7. FedRAMP (Federal Risk and Authorization Management Program): This US, government-wide program provides a standardised approach to security assessment, authorisation, and continuous monitoring for cloud products and services.

8. HIPAA (Health Insurance Portability and Accountability Act): This US law outlines standards for the protection of personally identifiable health information and sets guidelines for the use and disclosure of such information.

The positive impact of a secure website

A secure Drupal website reaps numerous benefits, such as:

1. Enhanced user trust and confidence: Users are more likely to engage with and trust a secure website. According to the PwC’s 2023 Trust Survey: “79% of consumers say protecting their data is very important to building trust.”

2. Compliance with legal and regulatory requirements: A secure website reduces the risk of fines and penalties.

3. Improved search engine rankings: Search engines like Google prioritise secure websites in their search results.

4. Reduced risk of downtime and financial loss: A secure website is less susceptible to cyber attacks, helping to avoid costly downtime and revenue loss.

The consequences of ignoring security

Ignoring the security of your Drupal website can lead to serious consequences, including:

1. Loss of sensitive user data: A security breach may result in the exposure of users' personal and financial information.

2. Damage to reputation: A security breach can tarnish your organisation's credibility and erode users' trust.

3. Legal and regulatory non-compliance: Failing to secure your website can result in hefty fines and penalties. See some examples of data breach fines, penalties, and settlements in recent years.

4. Financial loss and downtime: A cyber attack can cause substantial downtime, loss of revenue and high recovery costs. According to this 2019 LinkedIn data breach article, "1 in 3 small businesses in the US have experienced an official data breach in 2019" and “10% of small businesses did indeed go out of business in 2019 [due to a data breach]”.

Part 2 — Drupal and security: capabilities, features and initiatives

Drupal offers an array of security capabilities, features and initiatives that align with global guidelines and best practices. By understanding Drupal's security offerings and their impact, you can make informed decisions to protect your website and its users from cyber threats.

Drupal's security capabilities and features

Drupal is a robust, open-source CMS that offers built-in features and capabilities that address website security. Some of the key features include:

1. User authentication and access control: Drupal offers extensive user role and permission management options, enabling you to define granular access control for different user roles on your website. A number of contributed modules focused on user access and authentication are also available.

2. Password security: Drupal enforces secure password policies, supports password encryption, and offers features like password strength indicators and two-factor authentication (TFA).

3. Input and data validation: Drupal has built-in measures to protect against common security threats like XSS and SQL injection attacks, ensuring that user input and data are thoroughly validated and sanitised.

4. Regular security updates: The Drupal Security Team releases frequent security updates and patches to fix any identified vulnerabilities and ensure that your Drupal website stays secure.

5. Security modules and extensions: Drupal's extensive ecosystem offers a plethora of security-focused modules and extensions to further strengthen your website's security posture.

Aligning with security guidelines and best practices

Drupal's security features and initiatives are designed to align with widely-accepted security guidelines and best practices, such as OWASP Top Ten and NIST Cybersecurity Framework. Drupal's core and contributed modules are developed with a strong focus on security and adherence to industry standards.

Drupal security success stories

Some well-known examples of Drupal websites that have successfully implemented robust security measures include:

1. Government of Canada Recalls and Safety Alerts (read Drupal case study for Government of Canada)
2. United Nations
3. london.gov.uk
4. Paychex
5. Occupational Safety and Health Administration (US)
6. University of Oxford
7. CVS Health
8. Brown University
9. Government of Canada, Open Government site
10. Big Commerce
11. Nespresso
12. Pfizer
13. Charles Schwab

Lessons from poorly implemented Drupal security

There have been instances where inadequate security measures in Drupal websites have led to breaches or vulnerabilities. These examples serve as valuable lessons on the importance of prioritising security:

1. The Panama Papers: The leak of 11.5 million confidential documents from a law firm was traced back to vulnerable WordPress and Drupal installations with outdated plugins and modules. This breach highlighted the critical need for regular updates and security patching.

2. Drupalgeddon: A critical security vulnerability in Drupal core affected numerous websites, emphasising the importance of promptly applying security updates and following best practices.

Security considerations across Drupal versions

Security features and considerations may differ across Drupal versions (Drupal 7, 9 and 10). It’s essential to be aware of these differences and ensure that your website remains secure as you upgrade or migrate between versions. Drupal's Security Team provides guidance and support for each version, with a strong focus on the most recent releases, which receive priority for updates and patches.

For versions that have reached End-of-Life (EOL), they’re no longer supported by the Drupal Security Team and pose a significant security threat. If you’re using an unsupported version, your site should be upgraded to the latest supported version as soon as possible.

• Drupal 6 — As of 24 February 2016, Drupal 6 reached EOL.
• Drupal 7 — Follow the Security in Drupal 7 documentation. The Drupal 7 EOL is on 5 January 2025.
• Drupal 8 — As of 17 November 2021, Drupal 8 reached EOL.
• Drupal 9 and 10 — Follow the Security and Security in Drupal documentation. Drupal 9 will reach End-of-Life 1 November 2023, so you should upgrade your Drupal 9 sites to Drupal 10 before then.

Part 3 — Top 10 ways to improve Drupal security

The top 10 ways to improve your Drupal security are:

1. Secure your infrastructure
2. Regular updates and patching
3. Strong user authentication and access control
4. Input validation and data sanitisation
5. Using HTTPS, SSL/TLS certificates and secure headers
6. Monitoring and logging
7. Security-focused modules and module risk assessment
8. Regular security audits and penetration testing
9. Secure backups and disaster recovery plan
10. Employee training and awareness

1: Secure your infrastructure

What it is: Secure your web infrastructure, including your physical server location and hardware, software operating system and third-party libraries, databases, file system and server access. Also consider creating a static version of your public-facing website (and lock down your editorial domain) to tighten security even further.

Positive impact: Proper infrastructure security is the foundation for all other security measures to reduce the risk of attackers gaining direct access to your servers, databases and files.

Steps to implement:

Note: For managed hosting, many of these security measures should be in place. Check with your hosting provider to understand your role in infrastructure security.

1. Secure physical servers in a location that can only be accessed by authorised persons

2. Provide remote access to servers only to those who fully understand, and implement the proper security measures for your server

3. Audit server access regularly and remove access for people who no longer need it

4. Update your operating system, third-party libraries and dependencies regularly and apply security patches as needed

5. Follow best practices for securing your database based on the database software used

6. Audit database access regularly and remove access for people who no longer need it

7. Set restrictive file permissions (e.g. 755 for directories, 644 for files) for your Drupal installation

8. Ensure that the owner and group of your files and directories are set correctly

9. Avoid using overly permissive file permissions (e.g. 777) for any part of your Drupal installation

10. Audit file permissions and ownership regularly to detect any discrepancies

11. Limit administrative access to your Drupal installation to the minimum number of admins

12. Audit site admin access regularly and remove access for people who no longer need it

13. Add a Web Application Firewall (WAF) such as Quant WAF, AWS WAF, CloudFlare WAF or Sucuri WAF to detect and mitigate potentially serious security issues

14. Optionally, take your infrastructure security to the next level and create a static public-facing version of your site (using Quant or Tome) and lockdown your backend Drupal admin site using a firewall or basic authentication

Above: Screenshot of Drupal’s file permissions and ownership documentation showing example secure and insecure file permissions.

Above: Screenshot of Quant WAF logs for example Drupal website.

Above: Screenshot of Quant module configuration settings for creating static version of a Drupal site.

2: Regular updates and patching

What it is: Regularly updating your Drupal core, modules and themes ensures that your website stays secure by fixing known vulnerabilities and security issues.

Positive impact: Applying updates promptly minimises the risk of attacks or breaches, thereby protecting your website and user data.

Steps to implement:

1. Perform regular backups of your website in case they are needed for site recovery

2. Monitor new Drupal releases available on Drupal.org

3. Monitor for security updates and announcements from the Drupal Security Team

4. Monitor your site’s update status report for required updates

5. Set up a local or staging environment for testing updates and patches

6. Apply updates and patches to your local or staging environment

7. Thoroughly test your local or staging website after applying updates and patches

8. Go through the release notes and test any specific items that might affect your site

9. Once the updates have been approved, schedule the deployment with your team

10. Have content editors and unneeded admins stay out of the website during deployment

11. Make sure you have the right technical support available during and after your deployment

12. For some Drupal versions, you should manually put the site into maintenance mode

13. Backup your website right before deploying changes to production

14. Deploy the updates to your production environment

15. Test any important pages and features on your production site

16. For some Drupal versions, you should manually take the site out of maintenance mode

Above: Screenshot of the Available updates report with status for Drupal core.

Above: Screenshot of the Available updates report with status for modules.

Above: Screenshot of the Available updates report with status for themes.

3: Strong user authentication and access control

What it is: Implementing strong user authentication and access control mechanisms ensures that only authorised users have access to sensitive areas of your website.

Positive impact: Robust user authentication and access control reduce the risk of unauthorised access and protect your website's resources and data.

Steps to implement:

1. Define user roles and permissions for your website

2. Set up strong password policies, including minimum length and complexity requirements

3. Set up session limits so users are automatically logged out after a reasonable period

4. Educate your admin users on safe password usage and handling

5. Enable two-factor authentication (2FA) for enhanced account security

6. Enable login-related security modules such as Login Security and Password Policy

7. Enable spam-related security modules such as Captcha

8. Limit the number of users with administrative privileges

9. Regularly review and update user access rights

10. Remove or block users, especially administrators, who no longer need access to the site

11. Downgrade roles for users who no longer need admin access to the site

12. Review your site logs for suspicious 403 (access denied) logging

Above: Screenshot of Drupal’s user list with their roles, status and access information.

Above: Screenshot of Drupal’s roles page.

Above: Screenshot of Drupal’s permissions page.

4: Input validation and data sanitisation

What it is: Input validation and data sanitisation involve verifying and cleaning user input before processing it to protect against security threats like cross-site scripting (XSS) and SQL injection.

Positive impact: Implementing input validation and data sanitisation ensures that your website can handle potentially malicious input without exposing vulnerabilities.

Steps to implement:

For custom Drupal modules, themes and site configuration:

1. Use Drupal's built-in input sanitisation functions such as Xss::filter() and Html::escape()
2. Use Drupal’s built-in database abstraction layer for database queries to prevent SQL injection
3. Validate user input for proper length, type and format
4. Understand and follow all Drupal security best practices for custom code
5. Minimise the number of forms and fields to what is strictly required
6. Audit forms and fields regularly and disable or remove what is no longer necessary
7. Sanitise user-generated content using Drupal's text formats
8. Audit your text formats regularly to remove unnecessary settings
9. Avoid modules and tools that allow JavaScript injection into the site

General considerations:

10. Test your website for potential security vulnerabilities using tools like OWASP ZAP
11. Think like a hacker and try to break your forms using bad input such as SQL and JavaScript
12. Be careful when using third-party form services and Google Tag Manager tags

Above: Screenshot showing the use of Html::escape in code.

Above: Screenshot of Drupal’s text formats.

5: Using HTTPS, SSL/TLS certificates and secure headers

What it is: HTTPS and SSL/TLS certificates ensure secure communication between your website and its users, protecting sensitive data during transmission.

Positive impact: Implementing HTTPS and SSL/TLS certificates helps safeguard your website against eavesdropping and person-in-the-middle attacks, boosting user trust.

Steps to implement:

Either use a managed Drupal hosting service that handles certificates automatically or for self-hosted environments:

1. Obtain an SSL/TLS certificate from a trusted certificate authority (CA)
2. Install and configure the SSL/TLS certificate on your web server
3. Check your SSL/TLS certificate and expiry with a tool like SSL Labs
4. Update your Drupal configuration to enforce HTTPS
5. Redirect all HTTP requests to HTTPS using .htaccess rules or server configuration
6. Verify that all external resources (e.g. scripts, images) are loaded over HTTPS
7. Update your SSL/TLS certificate regularly before it expires
8. Run your site through securityheaders.com and fix any issues

Above: Screenshot of a Security Headers report for the salsa.digital website.

Above: Screenshot of the SSL Labs report that includes the certificate’s expiration date.

6: Monitoring and logging

What it is: Monitoring and logging involve tracking your website's activities to detect suspicious behaviour, security incidents and performance issues.

Positive impact: Regular monitoring and logging help you proactively identify and address potential security threats before they escalate.

Steps to implement:

1. Check with your hosting provider for what logging and monitoring tools are available
2. Install Google Analytics or similar web analytics service
3. Use Google Search Console, the Link checker module or similar tools to assess 404s (page not found) issues
4. Enable Drupal's built-in logging and error reporting features
5. Use log analysis tools such as New Relic to analyse logs for suspicious activity
6. Set up site a site monitoring service such as Pingdom or UptimeRobot
7. Monitor performance metrics and server resources to detect potential attacks or breaches
8. Set up automated alerts and notifications for critical security events
9. Review logs and security reports regularly to identify patterns and trends

Above: Screenshot of Drupal’s recent log messages.

Above: Screenshot of example Drupal New Relic performance from New Relic module page.

7: Security-focused modules and module risk assessment

What it is: Drupal's security-focused modules enhance your website's security by providing additional features and protections. In addition, all Drupal contributed modules have security implications that should be assessed.

Positive impact: Using access control, spam and security-related modules help strengthen your website's security posture, reducing the risk of vulnerabilities and breaches. Regular audits and analysis of all installed modules for potential issues helps you make informed decisions for what modules to keep or remove for increased security.

Steps to implement:

1. Research and install reputable access control, spam and security-related modules such as:
   1. Antibot (rank #121) [Drupal 7, 8, 9, 10]
   2. Automated Logout (rank #167) [Drupal 7, 9, 10]
   3. Captcha (rank #12) [Drupal 7, 8, 9, 10]
   4. Flood control (rank #191) [Drupal 7, 9, 10]
   5. Hacked! (rank #512) [Drupal 7, 8, 9] [only install on dev environment for analysis]
   6. Honeypot (rank #36) [Drupal 7, 9, 10]
   7. Login Security (rank #247) [Drupal 7, 8, 9, 10]
   8. Password Policy (#123) [Drupal 7, 8, 9, 10]
   9. Protected Pages (#385) [Drupal 7, 8, 9, 10]
   10. Security Kit (rank #95) [Drupal 7, 9, 10]
   11. Secure Login (rank #631) [Drupal 7, 8, 9, 10]
   12. Security Review (rank #275) [Drupal 7, 8, 9, 10]
   13. Session Limit (rank #450) [Drupal 7, 8, 9, 10]
   14. SpamSpan filter (rank #394) [Drupal 7, 8, 9, 10]
   15. Two-Factor Authentication (TFA) (rank #597) [Drupal 7, 8, 9, 10]
   16. Username Enumeration Prevention (rank #344) [Drupal 7, 8, 9, 10]
2. Audit all installed modules and:
   1. Ensure they have opted-in to Drupal’s security coverage
   2. Remove contributed modules that do not have security coverage
   3. Remove contributed modules that can be replaced by core functionality
   4. Remove unused contributed modules to reduce risk
   5. Check modules are actively maintained
   6. Consider removing poorly maintained modules
   7. Review features of modules to assess potential security risks
   8. Remove or heavily restrict modules that may pose high security risks such as allowing JavaScript injection
   9. Regularly update modules and check configuration

Above: Screenshot of the top 4 Drupal 10 security modules on Drupal.org.

Above: Screenshot of Drupal’s CAPTCHA module settings.

8: Regular security audits and penetration testing

What it is: Security audits and penetration testing involve assessing your website's security posture to identify and address vulnerabilities and weaknesses.

Positive impact: Conducting regular security audits and penetration testing helps you proactively address potential threats and improve your website's overall security.

Steps to implement:

1. Establish a schedule for regular security audits and penetration tests
2. Use reputable tools, such as OWASP ZAP or Burp Suite, to conduct vulnerability scans and penetration tests
3. Perform manual testing to identify potential weaknesses not detected by automated tools
4. Remediate identified vulnerabilities and verify fixes through retesting
5. Document the results of security audits and penetration tests to track progress and improvements

Above: Screenshot of example OWASP ZAP Vulnerability Report from Senik Hakobyan.

9: Secure backups and disaster recovery plan

What it is: Secure backups and a disaster recovery plan involve creating regular copies of your website data and having a well-defined process to restore your site in case of a security breach or data loss.

Positive impact: Implementing secure backups and a disaster recovery plan ensures business continuity and minimises downtime in the event of a security incident or data loss.

Steps to implement:

1. Check with your hosting provider to understand your backup options
2. Set up a schedule for regular backups of your website's files and databases
3. Store backups in a secure, off-site location to protect against data loss
4. Encrypt backup data to prevent unauthorised access
5. Test the recovery process by periodically installing a copy of your website from a backup
6. Document your recovery plan and make it accessible to all relevant stakeholders

Above: Screenshot of the Drupal Backup and Migrate module’s destination settings.

10: Employee training and awareness

What it is: Employee training and awareness involves educating your team members on security best practices, potential threats and their responsibilities in maintaining your website's security.

Positive impact: By fostering a security-aware culture, your team can identify and address potential security issues more effectively, reducing the risk of security breaches.

Steps to implement:

1. Develop a comprehensive security training program for your employees
2. Cover topics such as secure coding practices, password security and phishing awareness
3. Provide regular training updates and refresher courses to keep employees informed of emerging threats and best practices
4. Establish clear security policies and guidelines for your team to follow
5. Encourage open communication and reporting of potential security issues

Part 4 — The importance of website security and best practices

In today's digital landscape, securing your Drupal website should be a top priority. Ensuring your site's safety not only protects your business and its reputation but also preserves the trust and confidence of your users. By understanding the importance of website security and following best practices, you can minimise the risk of security breaches and maintain a safe online environment for your users.

By prioritising website security and implementing the 10 contributing factors discussed in this guide, you can effectively safeguard your Drupal site. Remember, prevention is always better than cure, and investing in your website's security today can save you from significant headaches and expenses down the line.

Part 5 — Our contribution to improving Drupal security for our clients and the community

In this section, we share our own experiences and case studies on how we've contributed to Drupal security for our clients and the Drupal community. We've divided this section into three subsections to provide an easy-to-follow structure and to highlight our expertise in each area:

1. Implementing best practices for clients
2. Sharing our knowledge with the community
3. Drupal360.io: our audit tool with emphasis on security

1. Implementing best practices for clients

In our work with clients, we've focused on implementing Drupal security best practices, as discussed in this guide. We work closely with government agencies, building highly secure platforms and websites. For example, Salsa and GovCMS worked together to get IRAP certification for the GovCMS program (read the GovCMS IRAP certification case study). We also secured authority to operate for another large portal (read the case study on a federal agency securing authority to operate). In addition, many Salsarians have baseline clearance so they can work on highly secure government projects.

By helping clients with updating their Drupal installations, ensuring secure backups, and other essential security best practices, we've helped businesses maintain a strong online presence while protecting their customers' data.

2. Sharing our knowledge with the community

We believe in giving back to the Drupal community by sharing our knowledge and expertise on security best practices. We regularly participate in Drupal events, contribute to forums, and write blog posts on various security topics. Some of our blogs on security are:

• Drupal defense in depth — a Drupal security protection framework
• Australian Protective Security Framework
• Cloud security in Victorian government
• Web applications security #1
• Security at every level
• Australia’s ‘Essential Eight’ for cyber security
• DTA Secure Cloud Strategy — cyber security update
• Managing the security risk of running Drupal 7 after End-of-Life

We also have a dedicated Chief Information Security Officer (CISO) who focuses on security for Salsa, our platforms and our clients.

Salsa is also an official supporting partner of Drupal Steward, a fully managed web application firewall service that significantly reduces the risk between the time security vulnerabilities are discovered and the time websites are patched. This additional website security is especially important for Salsa’s many government clients.

Our team members also regularly contribute to Drupal's core development and security-related modules, helping to make the platform more secure for all users.

3. Drupal360.io: our audit tool with an emphasis on security

As part of our commitment to Drupal security, we're currently developing an audit tool, Drupal360.io, for site owners to assess their website's security and other crucial metrics. This tool will help users identify potential vulnerabilities and offers actionable insights for making informed decisions on improvements. While the tool covers all essential metrics, we've placed particular emphasis on security, ensuring a comprehensive assessment of your Drupal site's safety.

By sharing our experiences and expertise, we hope to inspire and motivate others in the Drupal community to prioritise security. Through our hands-on work with clients, knowledge sharing and the development of Drupal360.io, our free audit tool, we strive to make a positive impact on the security landscape of Drupal sites worldwide.

Part 6 — How we can help: our expert services for Drupal security

As a dedicated Drupal agency, we offer a range of Drupal security services to help clients improve their website's security. We've broken down our services into 5 main categories, each tailored to address specific security concerns and help you maintain a safe and secure Drupal website:

1. Salsa Support
2. Security audits
3. Security patching
4. Salsa Hosting
5. General cybersecurity services

1. Salsa Support

Salsa Enterprise Drupal Support can be used to draft a security fixes and improvements plan and create a backlog for action.

2. Security audits

Salsa's Drupal security audits involve comprehensively evaluating your Drupal website's security measures and identifying potential vulnerabilities.

3. Security patching

Salsa's SLA-backed patching and maintenance services can be used to ensure security patches are applied immediately after they’re released to keep your site secure.

4. Salsa Hosting

Salsa's Drupal enterprise hosting platform offers several security protections as standard, including distributed denial-of-service (DDOS) protection, a Web Application Firewall (WAF), multi-factor authentication and intrusion detection and remediation.

5. General cybersecurity services

Salsa's Drupal cybersecurity services offer several layers of protection for customers on Drupal. Related services include:

• Rehosting onto our secure hosting platform
• Locked-down controls at origin
• WAF with enterprise security controls
• Intrusion detection and remediation

Our comprehensive services for Drupal security, from audits and assessments to custom solutions and ongoing maintenance, ensure that your Drupal site remains safe, secure and compliant with industry standards. With our expert support, you can focus on growing your business while we handle your site's security needs.