The State of Drupal Security
It’s a well-known fact that monkeys love to chatter. Lately, all the chatter has been about the state of Drupal security. It was widely reported last week that nearly one million Drupal account holders had their passwords, email addresses and usernames accessed by an unknown hacker. Many people have used this opportunity to question the security of Drupal as a content management system. According to an article by InfoSecurity Magazine, “the breach was not the result of a vulnerability within Drupal itself.”
So, what exactly happened? According to Drupal.org, “hackers were able to get into the system via a known vulnerability inside third-party software that was installed on the Drupal.org server infrastructure.” While the exact nature of this software has not been made known, the statement does show that the attack was against an organization and its account users, not against an organization and its product users. This is an important distinction for any site owner concerned about the security of their own Drupal site.
As a CMS, Drupal features many high-level security measures including:
- Security features built into the site itself
- Regular patches and security upgrades
- Strenuous testing of all new modules prior to release
- Smaller core code (as compared to other open source CMS systems), leaving less room for vulnerabilities
- Track record of extremely few reported vulnerabilities (as compared to other open source CMS systems)
Website security is a major issue, and one of the main reasons that many people end up selecting Drupal in the WordPress vs Drupal debate. While last week’s security breach of the Drupal.org account system is an unfortunate development, it is no reason to believe that your Drupal site is at risk from similar vulnerabilities.
If you’re looking for more information about Drupal security, swing on over to DrupalSecurityReport.org for a fully detailed whitepaper on the topic.