Discussion security best practices in general. This is NOT a place to discuss vulnerabilities in released versions of specific public modules nor Drupal core. Please only ask questions before releasing a module or phrase them generally. If you find a security vulnerability in publicly available code the proper thing to do is report it to the Security Team.

On twitter see @drupalsecurity.

Jitesh Doshi's picture

token/hash based account-less access control

I have a need where site visitors should be able to create and then later update content without ever creating an account on my Drupal site.

Read more
EC-GROW's picture

Fine-grained MySQL tables privileges

Regarding Drupal site security, I am really surprised to see that MySQL settings do not keep an important place in Securing your site discussion.

Yet a very simple MySQL policy would have prevented Drupageddon to your site.

According to INSTALL.mysql.txt, MySQL user used by Drupal, must have the following minimal privileges on Drupal database:


Read more

List of service providers who keep Drupal sites up to date

Keeping a site up to date with new releases is one of the most important things for keeping a site secure. Let's document the current landscape of hosting and service providers and what services they offer to keep your site secure (in alphabetical order):

Company/Service Core? Contrib Time for upgrade Cost Requires site-owner involvement
Read more
EdBiancarelli's picture

Questions about module programming

First, sorry if this isn't the right place and way to ask.

I'm developing a new module and have 2 questions about security.

1 - My module has a Config page where only admin (or another user with same rights) has access. Like /admin/config/system/site-information.
In this config, I have some fields that will be showed later in HTML output.
Question: Do I must filter this content against XML injection (filter_xss or filter_xss_admin)? or I can trust this user?

Read more
greggles's picture

Next release of paranoia

I'm working on a new release of paranoia. In addition to blocking more permissions I'd like to include a feature that blocks all the import boxes that run php from the user interface (e.g. the "Import Views" box).

The issue to do that needs review and is at

Once that hook is in we would need to add in a bunch more form IDs to block.

Read more
mykevandyke's picture

Write up on Drupageddon hack (attempt) on my site

On October 21, 2014, an attempt to compromise my personal web site was partially successful. The attack was able to delete log entries for October 21, 2014, and was able to add a non-existent user to the administrator role on the web site. The attack apparently failed to actually create the user, however.

Read more
sonicthoughts's picture

Basic, Current Best Practice for adding SSL

I have seen many detailed discussions for security on and elsewhere. If I've learned anything watching the 2014 onslaught of cyber attacks it is this: "make it simple or it won't be used." I'm a system builder, trying to add SSL to a site (I've done this in the past.) and the challenge I face is a simple, current, best practice approach for SSL that provides decent performance (ie. allows proxy traffic, opcache, etc.)

Read more
derrotebaron's picture

Files to monitor

Are there any static files in Drupal that could be monitored for unauthorized access? In light of the latest vulnerability/exploit, I was wondering if perhaps a HIDS, or some type of file integrity solution could be used to monitor specific files related to Drupal that would indicate a compromise.


Read more
Bevan's picture

Security vs core policy

One of the reasons Drupageddon's impact was so large was that it was so easy to exploit. PoCs show this, and quite possibly made it easier and faster for attackers to exploit, especially attackers not so familiar with Drupal. For example, just before the announcement, in Drupal 7.32's test code and its second-to-last commit:

Read more
Bevan's picture

Time for an auto-patcher for Drupal?

The Sophos article on the Drupageddon followup PSA makes a solid argument for an auto-upgrading system built into Drupal, as an effective means to reduce the impact of things like Drupageddon.

Wordpress already has such a thing. Drupal already has a self-upgrading system, but it is not automated or promoted as a useful tool for securing a website. It also doesn't support patching (though that might not be necessary).


Read more
Bevan's picture

Estimates of 12 million vulnerable websites

Estimates of 12 million vulnerable websites (Sophos, then BBC), is actually the result of reasonable deduction. I checked.

Read more
brad.curnow's picture

Email spam generators (PHP) found amongst module files.

Hi All,

I recently received an email from my host (Arvixe) stating that they had disabled a script on one of my D7 sandbox sites due to large quantities of spam email emanating from there.

Upon investigation I found an encrypted PHP file called "sql91.php" in my modules/field/modules/options folder. I later discovered a second bogus file called "sraynr.php" in a different folder. Both of these files have been called from Russian IP addresses:

Read more
Bevan's picture

Follow up Drupageddon responsibly

For most security advisories, announcing the vulnerability and fix is good enough. But Drupageddon is an exceptional SA; the Drupal community and its leadership need to communicate more clearly the severity of the impact of Drupageddon to owners and administrators of Drupal 7 websites, reaching out to them using every way we know how.

Read more
fejn's picture

San Gabriel Valley Drupal Meetup in Pasadena at the Fuller Theological Society on Thursday, October 23, 2014

2014-10-23 18:00 - 20:00 America/Los_Angeles
Event type: 
User group meeting

We are having a special meeting in the San Gabriel Valley on the fourth Thursday on October 23, 2014.

Join us from 6-8pm at Fuller Theological Seminary, Glasser 110 on Thursday, October 23, 2014, for Drupal news and announcements, local job announcements, raffle prizes, community Q&A, lightning talks and full-length presentations.

You can join the video conference or go to and enter meeting ID: 129 319 220

Read more
greggles's picture

Should the Drupal Association (or someone else central) run a security bug bounty?

A conversation was started on twitter.

I have thoughts on this, but let's get the conversation rolling in a form that allows for more in-depth thoughts than 140 characters ;)

Some topics:

  • Experiences running a bug bounty program (security or otherwise, paid or otherwise i.e. hall of fame counts too).
  • Experiences running a program paying for some work inside a mostly volunteer community
  • What do we hope to achieve with a paid security bug bounty program?
  • Do we think that's a reasonable goal?
Read more
greggles's picture

What time should security releases happen? Can we pre-release? Can we work with WAF vendors?

In an ideal world, what is the best time for a security release to happen?

Sometimes the security team doesn't have control because a project maintainer commits and makes the release node at a specific time. We can, of course, try to make it more clear that they need to commit and make releases before a specific time.

And often there is some control.

So, in our ideal world, what time would people want it to be released?

Can we do something to pre-release in different parts of the world?

Read more
David_Rothstein's picture

Drupal 7 core security release on Wednesday, October 15 (and release window for Drupal 6)

2014-10-15 (All day) America/New_York
Event type: 

There will be a security release of Drupal 7 core on Wednesday, October 15.

Although we normally only announce security release windows (rather than definite plans for a release), this month we are confident that a release will happen, so please be prepared to update your Drupal 7 sites on Wednesday.

Read more
pwolanin's picture

Slides from Drupalcon Amsterdam 2014: Cracking Drupal

Here are the slides from the talk from klausi and pwolanin

Read more
greggles's picture

Try to exploit Two Factor Authentication module (and maybe earn $) before we deploy TFA to hopes to deploy two-factor-authentication to enhance the security of the site. This tool will help to ensure that accounts with advanced permissions are only used by the intended individual. The Two Factor Authentication module for Drupal tfa was originally built by Growing Venture Solutions, has been dramatically enhanced to work for Acquia, and is being made “” with support from

Read more
phparchitect's picture

Web Security Training

2014-09-22 20:00 - 2014-09-26 23:00 America/New_York
Event type: 
Training (free or commercial)

A crash course in Web & PHP Security practices that teaches you everything you need to know to begin protecting yourself from malicious users. This 10 hour live online instructor-led class covers the top security attacks, how to detect them, how to protect yourself from them, and how to recover if you are breached. It also covers PHP specific security topics such as best practices for protecting user sessions and handling user logins & passwords.

The class at a minimum will cover the following topics, and will always be updated with any up-to-date web security vulnerabilities that emerge:

Read more
Subscribe with RSS Syndicate content