
Drupal Security Review

How Secure is Drupal?

In spite of claims to the contrary, strong evidence shows that open source technologies, and Drupal in particular, not only meet global security standards but are consistently at the cutting edge of security enhancements.

Drupal, its APIs, and its core and contributed modules power millions of websites on the internet. As such, the Drupal code is continuously scanned, audited, and analyzed for security vulnerabilities and breaches.

Through peer review within Drupal’s continuously growing worldwide community of experts, Drupal’s core APIs have been strengthened over the long life of Drupal to mitigate common vulnerabilities.

What Makes Drupal So Secure?

When it comes to security within Drupal, there are three key categories of people that contribute to ensuring that the platform is completely secure at all times. These people all play specific roles in ensuring that vulnerabilities are discovered, reported, corrected, and tested, and that fixes are distributed promptly.

Drupal has been rewritten and designed over the years to prevent critical security holes, including the Top 10 Security Risks as identified by the Open Web Application Security Project (OWASP). Drupal has proven, time and time again, to be a secure solution for enterprise needs and is frequently used in high-profile, critical websites, such as governments and Fortune 500 companies.

According to CVE Details, an online security vulnerability data source, there have been 364 vulnerabilities reported for Drupal since 2002, with only 8 being reported in 2023. Compared to Drupal alternatives like WordPress or SharePoint, Drupal has 70% fewer vulnerabilities reported on average. These metrics don’t lie: they prove that Drupal is more secure than most of its competition. We believe that this is due, in part, to the following people, standards, processes, and measures:

  • Drupal’s Security Team, Project Maintainers, and Users
  • Security-focused Contributed Modules
  • Notifications
  • Secure Drupal Hosting

DRUPAL SECURITY TEAM

The Drupal Security Team is made up of a global group of some of the world’s leading web security experts, always on call to assess, evaluate, and address issues. This team, which is constantly growing, manages the framework for reporting and prioritizing the mitigation of security vulnerabilities discovered both in Drupal core and in Drupal contributed modules.

PROJECT MAINTAINERS

Drupal’s active developer community is more than 15,000 strong and includes experts in all areas of today’s web technologies. Different maintainers specialize and are responsible for different aspects of Drupal core and for different modules that extend Drupal. Project Maintainers work hand-in-hand with Drupal’s Security Team to ensure that any known vulnerabilities are patched quickly, tested thoroughly, and distributed following industry best practices.

USERS

More than 700,000 people, running more than a million websites, use, test, and improve Drupal on a daily basis. New vulnerabilities are quickly identified and privately reported to the Drupal Security Team following the framework described above.

SECURITY FOCUSED CONTRIBUTED MODULES

In addition to the proven track record of Drupal core, there are numerous contributed modules being developed daily to extend Drupal’s security layer. Some of these focused modules help with password policies, login encryption, and session controls, and also help Drupal log and audit vulnerabilities from within. Modules like Hacked! continuously monitor Drupal’s codebase and can report when any file has been changed relative to the original Drupal core release.

NOTIFICATIONS

Best practice for developers and Drupal site owners is to keep your version of Drupal, and its contributed modules, up to date at all times. Patches to Drupal core and contributed modules are released for a reason, and falling too far behind will expose you to even more vulnerabilities in the future. Luckily, Drupal also warns of available security updates in real time, from within Drupal itself. Internal reports such as “Available Updates” notify users every time a patch is available on Drupal.org.

SECURE DRUPAL HOSTING

Although we can do everything possible to secure Drupal itself, we also need to consider our hosting environments and infrastructure. This is where Drupal-specific hosting providers come into play. Providers such as Acquia and Pantheon combine infrastructure best practices with Drupal security best practices to add yet another layer of security to Drupal systems.

Since Drupal core’s codebase is standardized, these hosting providers can also report when unexpected changes happen within Drupal and do everything they can to prevent them and/or revert them.

Governments Trust Drupal, So Should You

Currently, about 1.7 million websites run on Drupal. An impressive 12.8% of the top 10,000 websites are powered by Drupal. The public sector is no stranger to the platform with its robust security features and scalability.

Drupal Groups have documented a database containing information about 1,938 government websites that rely on Drupal as their preferred content management system (CMS).

These government entities choose Drupal due to its transparent and accountable features, distinguishing it from other CMS options. Drupal excels in various areas, including:

  • Impressive performance even under demanding circumstances
  • Robust security measures
  • Flexible customization options
  • Scalability for future growth
  • Accessibility features for a diverse audience
  • Personalization capabilities to enhance user experience

What sets Drupal apart is its commitment to inclusivity and diverse contributor communities. Government websites often experience significant traffic, and Drupal's reliability in handling high volumes of visitors makes it a top choice.

Additionally, when it comes to managing complex security issues like PCI compliance, Drupal surpasses WordPress and other CMS alternatives. Its focus on database encryption ensures enhanced protection, whereas WordPress, relying heavily on third-party plugins, poses greater vulnerability.

Conclusion

As an open-source technology, Drupal development is largely decentralized and its strength comes from the distributed knowledge of a community of thousands of developers committed to the project worldwide. From a security perspective, some critics feel more comfortable with proprietary software produced by dedicated teams at major companies.

However, there is scant evidence that proprietary solutions offer better security, or that Drupal is weak on security in comparison. Quite the contrary, in fact: the evidence shows that Drupal has fewer security vulnerabilities reported, more people fixing the vulnerabilities when they are reported, and all known best practices and structures in place that are comparable to or surpass Drupal’s competition.

If you have an upcoming digital transformation project and would like more information on how we at Portage CyberTech leverage Drupal to build award-winning solutions for enterprises and governments, reach out and get started today. 

© Portage Cybertech, 2024. All rights reserved.