In the age of IoT-triggered DDoS attacks, cyber terrorism and AI-generated malware, businesses can no longer afford to tamper with web security. Compared to other CMS solutions, Drupal – besides presenting website content in the most logical and effective way – offers a plethora of baked-in security features including redefined access controls, on-demand database encryption and security reporting and is driven by a vast community of Drupal developers who continuously roll out security updates.
However, Drupal core, even if we talk about Drupal 8 which comes along with built-in web services, Views and a new theme engine, might not feature certain functions required to meet long-term business objectives – and here’s where contributed Drupal modules come to rescue. Many of those are covered by Drupal security advisory policy; others have to be reviewed by your web development team for possible open security issues. In this article, we’ll provide several tips to help you evaluate the security of third-party modules to future-proof your business website.
How Can You Evaluate Security Of A Contributed Drupal Module?
Make sure the module you’ve chosen is getting the necessary security attention. On Drupal.org, 3rd-party developers are welcome (and encouraged!) to create new modules and themes and keep them up-to-date. If a vendor for some reason decided not to opt in to the security program, you’ll be warned the project is not covered by Drupal security advisory policy and may contain documented flaws that come with PHP for beginners. The same goes for modules in pre-stable version, as well as obsolete and unsupported modules which were either merged into Drupal core or abandoned by their developers.
And what if you come across a useful extension – for example, Chatbot API which allows customer-centric companies to distribute website content across multiple platforms including Amazon Alexa and Facebook bots – but it fails to meet the requirements mentioned above?
In this case you can seek alternative, hire a skilled Drupal developer to code the feature from scratch or implement the controversial module at your own risk, thus taking full responsibility for its testing, bug fixing and patching. Otherwise, we recommend that you should use an approved version of a contributed module just to be on the safe side and timely install updates released by its vendor.
Drupal Security Advisories And Updates
Keep a close eye on Drupal security advisories and release updates. There is a dedicated directory on Drupal.org where the members of the Drupal security team uncover vulnerabilities detected in software libraries included in the CMS core and contributed modules and themes; there you can also find security-related news and tips to protect your business website. Make certain the extensions you’ve chosen do not contain publicly disclosed vulnerabilities and get timely patches. In order to keep up with important announcements, you should subscribe to Drupal security list or follow the team on Twitter or Slack.
Reliable PHP Development
Address a reliable PHP development company to conduct code security analysis. Over 300 Drupal security vulnerabilities have been registered so far; the majority of those originate from open-source software components utilized in contributed modules. Although one could conduct automated website security checks using top-notch modules like Coder, it is advisable to manually scan contributed modules prior to deployment to detect issues like Cross-site Scripting (XSS), SQL injection and remote code execution.
Considering the fact it will take your company 196 days to recover your website once a high-severity vulnerability like XSS is exploited, you should allocate a sufficient budget for quality assurance (QA) and set realistic web project delivery dates.
Keeping Your Website Safe: Drupal Security Best Practices Every Business Should Follow
According to Securi 2017 Hacked Website Report, Drupal remains one of the least compromised content management systems on the market. Having said that, any website CMS is subject to security flaws stemming from inappropriate configuration, deployment or maintenance and even CMS core itself. Earlier this year, for instance, the Drupal team has had to patch a critical remote code execution vulnerability affecting 1 million (or 9%) of all Drupal-based websites.
Here are a few tips to help companies secure their business websites:
Conduct a thorough review of software programs comprising your corporate IT infrastructure, secure mission-critical applications and develop a comprehensive security policy covering all the aspects of software design, deployment and subsequent usage.
Drupal Security Modules
Enhance website security with dedicated Drupal modules. These include Duo which enables two-factor user authentication for Drupal 6 and 7, the Login Security module which allows website administrators to deny users access by a static IP address and limit the number of unsuccessful login attempts and Coder that will help you conduct automatic code checks to see whether the modules you intend to use comply with Drupal security requirements. Furthermore, you could make use of the Security Review module to detect minor flaws that could leave your business website open to XSS attacks, arbitrary code execution, SQL injections and phishing.
Keep Drupal Updated
Patch contributed modules and Drupal core vulnerabilities on a regular basis. As of now, only a percentage of websites powered by Drupal run the latest core updates – largely due to complex and highly customized deployments, the lack of skilled in-house developers and backward compatibility issues. The failure to install latest security patches may leave your business website open to malware attacks, affect its availability and compromise customer data.
Never fail to back up your website to be able to quickly restore it if an attack takes place. It is also recommended that you should run back-ups before installing Drupal core and modules’ patches and test updates locally before pushing the website into production.