How to Recover & Secure a Hacked Drupal Site: Drupalgeddon 1, 2 & 3

Drupal as a platform has indeed experienced a crisis in 2018, albeit rare with the CMS, but we have the perfect solution to your past, current, and future concerns.

In light of the recent Drupal vulnerabilities, "millions of websites" could have been potentially compromised. This scenario would have likely occurred if you failed to update Drupal core to 7.58 by April 11, 2018, but could have occured prior to this, as a targetted attack.

A further security update has since been released by Drupal — 7.59, to enhance security even further.

If your websites were not running the latest version of Drupal at the time they had been released, your site may potentially be compromised, according to this article on

In fact, even if you updated your Drupal version and see no signs of an attack, your site may still have been compromised before applying the update.

Sometimes, there will be obvious signs that your Drupal site has been compromised, such as;

  • your site may be defaced,
  • your content may have changed,
  • you may be locked out of your administrator account,
  • or the site may be completely inaccessible.

Bear in mind that this list of symptoms is very limited, and there may be additional signs of a successful breach attempt.

However, it’s also important to note that in most cases, you won’t actually be able to tell whether the site has been compromised at all. In other words, everything may look and function completely normal.

This is where you have to be particularly cautious, because the attacker may have installed trojans, malware, or other malicious software onto your server. Such scripts could be capable of:

  • collecting your website and user data, and using them for malicious purposes,
  • mining for cryptocurrencies, such as bitcoin,
  • sending bulk spam emails from your domain or server, also known as a phishing attempt.

Attackers are particularly clever when it comes to disguising malicious code and files, and may have even injected code into your database (MySQL, for example), that performs malicious behavior. Such database injections are particularly difficult to find.

In more rare cases, the attacker may have wiped your entire Drupal site, or even the entire server.

There are numerous reports of attackers using servers as botnets, which perform attacks on other servers also running insecure versions of Drupal core, and installing cryptocurrency minors, which are effectively allowing them to steal currency from your server — and so far, these criminal attackers have made billions.

If you store particularly sensitive data in your Drupal installation (whether that is your own, or that of clients), such as credit card details or billing/home addresses, it is even more important that you ensure the status of your Drupal site is secure, and recover any damage.

Remember, if you’re storing sensitive customer data, it’s also important to inform your customers of the attack, so that they can take the necessary steps to ensure their own personal password and credit card security.

If in doubt, the best solution is to restore your latest backup before the Drupal vulnerability was discovered. That’s a backup including both files, and the database. You may even wish to restore an entire sever backup, as attackers would have been capable of reaching pretty far down into your server, and installed hidden malware.

If you’re running multiple websites or applications on your server, bear in mind that there is a high likelihood that these have been compromised as well — even if they’re not running Drupal. After restoration, you should immediately upgrade to the latest version of Drupal 7 or 8, depending on which version your site runs.

However, you may not be so lucky if you don’t have a recent backup, or if your backups were stored on the compromised server itself. In these cases, the best course of action is to start from scratch. That means wiping your entire server, reinstalling everything, and performing a fresh installation of Drupal, using the latest version.

It’s a pain, it’s going to take some time, and you’re potentially going to miss out on new prospective clients.

For this reason, Cocoon is pleased to announce the launch of two new services, Drupal Site Restore and Drupal Padlock. These two services both come with multiple tiers, at amazing prices, and will be available only for a limited time. In fact, you don't even need to be a current Cocoon customer to take advantage of either service.

Drupal Site Restore

With Drupal Site Restore, our team of security engineers will work to identify whether your Drupal site (or server) has been compromised, and aim to clean-up the site and restore it to its previous state, since you don’t have a suitable backup available.

We’ll be utilizing multiple resources to identify exploits and safely remove them, without compromising the integrity of your Drupal site’s content.

Once your site is clean, we’ll immediately update it to the latest version of Drupal, to ensure that you’re no longer vulnerable.

Beyond this, we’ll integrate additional layers of security to your Drupal installation, to enhance the long-term security of your website.

Drupal Site Restore currently comes with 3 tiers of service, which you can select depending on your needs.

Drupal Padlock

Drupal Padlock works slightly differently.

This service is geared more toward ensuring the long-term security and stability of your Drupal website, and/or webserver.

Drupal Padlock by Cocoon involves our team of UK-based server security experts hand-configuring your Drupal and/or server installation, to discourage and mitigate future attacks, using multiple layers of industry-standard security techniques and best practises.

Did someone say
Drupal Security?

Hey, we're Cocoon, and we specialize in Drupal Security. In fact, we've achieved stellar results for over 25K brands worldwide.

Will the next one be yours?

Yes, tell me more!