Discussion security best practices in general. This is NOT a place to discuss vulnerabilities in released versions of specific public modules nor Drupal core. Please only ask questions before releasing a module or phrase them generally. If you find a security vulnerability in publicly available code the proper thing to do is report it to the Security Team.

On twitter see @drupalsecurity.

Drupal Security Team's picture

Drupal Security Team response about insecure update process

Recently, a security researcher reported some vulnerabilities to the Drupal Security Team. The Security Team and researcher worked together to understand the risks and decided that the potential impact was small enough that the reported problems could be fixed in public and that the researcher would write a blog post with their perspective on the situation.

Read more
maq.said's picture

Preventing Website Copy and videos from getting downloaded.

Hi there,
Apart from SSL, malware protection provided by web hosting company I need to be sure about Drupal providing the following features:

1) Disable right click on my website.
2) Image copy protection.
3) Mirror Image of site should not be allowed by end user on his/her local PC.
4) My videos have copy rights and I only want live streaming and end- user should not be allowed to download the videos directly or by downloading my entire site.

Read more
pflame's picture

Access log shows node_page_default, node_page_view urls


I noticed some strange things in apache access_log file. There are URL requests for /node_page_default, /node_page_view which does not exists and results page not found message.

These requests are taking more time to respond. Sometimes it is 1.5sec. Wich causes unnecessary usage of resources, bandwidth and affecting throughput.

Does it mean, someone is trying to hack? How can I avoid it?

Read more
greggles's picture

Locking vendor accounts after their job is over, locking inactive admin accounts at 90 days

Old and unused accounts with admin access are a common entry point for attacks. They often have weaker passwords than a current account and the passwords are not being rotated making the accounts easier to brute-force over a long period.

There are two policies that create a solution to this problem:

  1. If a vendor will be doing work for a known amount of time, set their account to expire (be made inactive) on the date their work is likely to be done. This is required by PCI DSS 3.1 section 8.1.4.
Read more
mgifford's picture

Drupal Security Guide

Wanted announce our Drupal Security Guide here. We've just updated it with information about Drupal 8.

This document has had contributions from lots of folks, but is still certainly a work in progress. That being said, there are over 65 pages worth of information about almost all aspects of Drupal security.

Read more
InternetDevels's picture

How to ensure your Drupal website security

The Drupal core is well protected by default, but you can ensure your website security by following some additional security rules that can protect your site from attacks and other threats.

These rules are about using http, deleting/blocking a user, preventing the execution of unreliable php code, hiding information from users and more. If you are interested, you can find all the details in the blog post by our developer.

Read more
sf_wind's picture

Anyone has seen this hack to drupal site?

I have most recent drupal version, and when logged in as admin, every page load tries to load something from the domain, but fails.

I googled online but found very little discussion on this. The limited discussions I've found so far are related to wordpress. For example, this article describes the hack on wordpress:

This kind of hack seems to be spread only very recently. From this article, the hack sneaks into some heavily protected sites.

Read more
scor's picture

Security sessions at DrupalCon Barcelona

Just a quick note to those attending DrupalCon next week. Two representatives of the Drupal Security team will hold a session next week at DrupalCon Barcelona: Drupal and Security: what you need to know. It is scheduled for Wednesday at 2:15pm. Come and learn about best practices to keep your Drupal site safe from hackers.

Read more
deepanjali's picture

Security service provider

Hi, I am looking for recommendations for good, reliable service providers who can keep our website up to date in terms of security and deal with malware, attacks, etc. We do not have tech people on our team so they would need to take care of everything. We use a dedicated server with Bluehost and our site is currently deactivated due to malware.

Read more
coltrane's picture

What security-related modules should exist but don't?

Consider this a brainstorm post about generating module ideas around security for Drupal sites. What modules do you wish existed but don't? What security feature, change audit, access control, risk mitigation, etc doesn't exist for Drupal, but should?

A couple come to my mind which I'll leave as a comment. Share yours, whether basic or advanced, and we can discuss how it might work and it's needs.

Read more
gettysburger's picture

How does Security Team decide the level of a threat?

I am interested in learning about Drupal Security and appreciate the efforts of everyone on the Security Team. I am wondering what the best venue is to gain insight into how the team makes their decisions about what specific things trigger one level or another.

I am working on gaining an understanding of the NIST criteria, but was wondering if there is another venue I should be looking at for insight into the Security Team decisions.


Read more
cjordan's picture

Site scans and audits

Hello group members,
I am looking for a way to scan my drupal sites for security issues. I found this site online Thanks for your comments in advance.

Read more
bburg's picture

Announce that there are no announcements

Every Wednesday, at 4:00 pm Eastern, I have a reminder set for myself to check for the weekly Drupal security announcements. A number of my clients have requirements that basically require applying security updates as soon as possible (PCI/FISMA).

What is awkward around this time is when there are no announcements. I find myself wondering if there is just a delay in the email delivery (which I think is known to happen), or if there are indeed no security updates that week.

Read more
rooby's picture replacement? was a good source of Drupal security information but is now gone and redirects to the Acquia home page.

Does anyone know if the information previously available on will end up being available somewhere else or is it just gone now?

Read more
coltrane's picture

Security and privacy day at NYC Camp at the UN

As part of the upcoming Drupalcamp at the UN, NYC CAMP, we're having a full day of Drupal and security!

Friday, July 17th, 9:00 AM to 5:00 PM @ United Nations Headquarters New York, NY 10017

Read more
mlhess's picture

Seeking feedback on the security team disclosure policy.

The security working group is proposing this policy around disclosure of private information. We are seeking community feedback.

In the past our policy has been a tad thin.

“State that you are willing to keep the confidential issues of the team confidential”

This document aims to add clarity to that sentence and some example scenarios to guide team members decision making.

We are seeking public feedback before making this a policy.

The policy is attached as a PDF.

Please provide feedback by commenting on the post

Read more
greggles's picture

Updating "criticality" levels to match scores

A while ago, after a lot of great research and work (mostly by Michael Hess), we rolled out a new style of scoring individual security advisories. The system is based on NIST's scoring at

For example, a recent issue had a "score" of
7/25 AC:Basic/A:Admin/CI:None/II:None/E:Theoretical/TD:All

The score and coding is meant to explain the risk, but it's rather cryptic.

To try to be more "human friendly" we also still say things like "Highly Critical" and "Less Critical" and "Not Critical".

Read more
greggles's picture

Security Crowdsourcing: Bugcrowd, Hackerone, Synack, CrowdCurity

I'd love to hear feedback about crowdsourced security programs from anyone who has used or researched them. I personally have used Bugcrowd (as a program sponsor) and Hackerone (as a reporter) and they both seemed roughly similar. I haven't really researched the others.

What do folks think about these programs? Anyone using one or more of them, either as sponsor or researcher, and have feedback to share? Do any of their models provide a better match to the Drupal community?

Read more
Owen Barton's picture

Drupal and FISMA Compliance BoF at Drupalcon LA

2015-05-14 14:15 - 15:15 America/Los_Angeles
Event type: 

This session is for sharing of best practices and tools with respect to the FISMA federal compliance framework, as well as discussing ways to automate compliance checking of Drupal (and it's environment) using FISMA certified open source tools like OpenSCAP.

Read more
greggles's picture

Drupal Security BOF at Drupalcon Los Angeles


There will be a birds-of-a-feather (BOF) gathering at Drupalcon Los Angeles on Tuesday, May 12th at lunchtime (11:45am-1:00pm) in room 410. There's no specific agenda, we'll talk about things that people in the room want to talk about. It should be fine to get lunch first and bring it to the room (if someone says no, surely it will be possible to engage in a little social engineering to convince them it's OK!).

It seems useful to talk about just about anything. Some things that I can imagine we might cover:

Read more
Subscribe with RSS Syndicate content