Drupal security¶

Drupal security team¶

The Drupal Security Team includes about 40 people, several of whom are Acquia employees. The security team works with the Drupal Security Working Group, which reviews and supports the work of the security team. The security team created a framework to report and rank the mitigation of security vulnerabilities discovered both in Drupal core and in Drupal contributed modules. The team also provides best practices for secure module development and Drupal website creation and configuration.

Security-related contributed modules¶

In addition to the proven security of Drupal core, various contributed modules strengthen the security of a Drupal website. These modules extend Drupal’s security by adding password complexity, login, and session controls, increasing cryptographic strength, and improving Drupal’s logging and auditing functions. For more research on security-related Drupal modules, see Enhancing security using contributed modules on Drupal.org.

Drupal password security¶

There has been much publicity about password breaches of service providers’ websites. Often the root cause of the breach of user passwords is due to poor access controls at the password database and weak encryption methodologies used to encrypt the database. Acquia believes that both strong access controls and strong encryption methodologies are the best means of protecting passwords. Drupal encrypts passwords held in the database using the strong SHA512 hash function with a per-user salt function applied.

Secure Drupal hosting in Cloud Platform¶

To prevent common vectors of attack, Cloud Platform is built to ensure Drupal websites are hosted securely to align with best practices. Major points include the following:

• The process owners of both the web infrastructure and the PHP infrastructure don’t have write access to the web root. The PHP infrastructure can only write to a specific set of directories: the [web root]/files and [web root]/sites/[sitename]/files or the corresponding files-private directories. These directories are writable by nature, because they’re intended to receive file uploads from end users.
• Files in the web root (such as Drupal core and its modules) are written by an automated process and pulled from a version control system (Git) only.
• Even subscribers logged in to the OS layer on a web infrastructure don’t have write access to files in the web root.
• Cloud Platform manages code and configuration with Puppet. This means if a file is changed, Puppet will reset the file back to the known good configuration.

Drupal site security¶

• Security audits

  Acquia provides security audits to subscribers as a professional service engagement. These security audits include comprehensive code and architecture layer review to ensure that any custom development of your Drupal website hasn’t introduced vulnerabilities. An Acquia Security Audit is typically a one-week engagement on a website with your development team. Various security firms offer penetration and code review services, but only Acquia is solely focused on Drupal.

• Remote Administration

  Acquia offers a Remote Administration (RA) service to proactively keep its subscribers’ Drupal websites up-to-date with the latest security patches and bug fixes to both Drupal core and contributed modules.

Additional platform-level best practices¶

As a website administrator, you can take other steps to ensure your Acquia Cloud Drupal website is secure. For more steps, see Password-protecting non-production environments.

Related topics¶

For more information about Drupal security, see the following:

• Is Drupal secure? on Drupal.org
• Securing your site on Drupal.org
• The importance of user roles and permissions for site security