Is Drupal still the most secure CMS?

After numerous security vulnerabilities in 2018, where does Drupal stand in comparison to other content management systems?

Drupal, one of the most popular content management systems, suffered one of its most widespread security vulnerabilities earlier this year.

The 18-year old CMS, popular amongst some of the worlds largest organizations, fell victim to what is now known as “Drupalgeddon 2”, which was a highly critical security flaw that allowed anonymous hackers to gain complete control of Drupal websites and servers.

This was quite a shock for Drupal, since it has long been touted as the most secure of the big content management systems. Compared to competitors such as WordPress and Joomla, Drupal has suffered far less in terms of negative publicity surrounding the security of its code.

In general, Drupal developers seem to be far more confident in the security of their websites than users of competing CMS platforms. This may be due, in part, to the security consciousness of the Drupal development team, as one of Drupal’s key attractions is its secure code base.

It’s important to remember that no codebase can be completely secure, however, which is purely the nature of the internet as a whole.

Is Drupal still secure?

Let’s cut to the chase. Drupal is still going (very) strong and is not expected to go anywhere.

The Drupalgeddon 2 vulnerability did indeed catch a number of site administrators and developers off-guard. The Drupal Security Team were, however, quick to respond. Updates for both Drupal 7 and 8 were pushed in April and May of this year, and site administrators who were swift to update could rest with peace of mind.

In spite of this, many websites running Drupal may still be insecure.

A notable proportion of sites running the CMS have been reported not to have been updated in time, which could have resulted in widespread attacks and the distribution of trojans and cryptocurrency miners on web servers hosting Drupal sites.

In addition, Drupal modules available on Drupal.org, and accessible by the larger Drupal community, continue to experience security concerns. Critical security updates continue to be released well into August 2018, which is a positive in the sense that both the Drupal Security Team, as well as unaffiliated module developers themselves, are paying continued attention to the security of module code.

However, it also indicates an ongoing requirement for administrators of Drupal websites to remain vigilant in maintaining the security and integrity of their Drupal installations by keeping Drupal modules up to date.

Contributed modules are developed, released and maintained largely by the Drupal community itself (without affiliation with Drupal’s core development or security teams, that is). As such, it is important not to direct responsibility to Drupal’s development team for late security releases pertaining to contributed modules.

What is also important, though, is to maintain up to date installations of all contributed Drupal modules, and Drupal 7 or 8 core as well.

In conclusion — Drupal remains a highly secure, robust solution. But, as with all kinds of software, treat all security releases as a priority, and don’t neglect updates for Drupal’s contributed modules.