Drupal has, just like any other content management system, fallen victim to several major security flaws since its release.
But in comparison to its longest-standing competitors, such as the likes of WordPress and Joomla, its security vulnerabilities have been few and far between.
One of Drupal’s missions, as a global open-source community, is to maintain a high level of robust security. This is not merely a luxury for website developers and administrators; it is very much a necessity for the many businesses and multinational organizations that use the CMS.
Vulnerabilities in the CMS, often dubbed Drupalgeddon and subsequently Drupalgeddon 2, have been the most prevalent security holes that the CMS has faced, and they definitely aren’t to be played down in terms of risk.
But Drupal has proven its worth through the efforts it has made in the past to contain and mitigate these vulnerabilities.
In general, aside from the previous Drupalgeddon events, the content management system has consistently proven difficult to exploit, with genuine reports of exploitation being extraordinarily rare.
In the majority of cases, the anomalous exploits of Drupal websites that have been reported have had more to do with the software that Drupal depends on to operate than with security holes in the CMS itself.
Vulnerabilities in the version of PHP, or misconfigurations at the system level (poorly configured Linux environments, for instance), have been the culprit more often than not.
There are procedures for compromised Drupal sites, which should be used to manage the potential damage and provide mitigation. Regular security checks and updates should also be performed.
If you are struggling with the security of your Drupal site, or of a web server running Drupal, you should get in touch with our team of security experts, who can help. If your Drupal site has been recently compromised and you need immediate help, check out Drupal Site Restore.