Application Launcher

Drupal, the functional and foundational set of APIs and modules, powers hundreds of thousands of websites on the Internet. As such, Drupal code is continuously probed, scanned, and analyzed for security vulnerabilities. Through peer review and a large and continuously growing community of experts and enthusiasts, Drupal’s core APIs have strengthened over the long life of Drupal to mitigate common vulnerabilities. Drupal is designed to prevent critical security vulnerabilities, including the Top 10 security risks identified by the Open Web Application (glossary term, activate to view definition) Security Project (OWASP). Drupal has proven to be a secure solution for enterprise needs and is used in high profile (glossary term, activate to view definition), critical websites.

Drupal security team

The Drupal Security Team (glossary term, activate to view definition) includes about 40 people, several of whom are Acquia employees. The security team works with the Drupal Security Working Group

In addition to the proven security of Drupal core, various contributed modules strengthen the security of a Drupal website. These modules extend Drupal’s security by adding password complexity, login, and session controls, increasing cryptographic strength, and improving Drupal’s logging and auditing functions. For more research on security-related Drupal modules, see Enhancing security using contributed modules on Drupal.org (glossary term, activate to view definition).

Drupal password security

There has been much publicity about password breaches of service providers’ websites. Often the root cause of the breach of user passwords is due to poor access controls at the password database and weak encryption methodologies used to encrypt the database. Acquia believes that both strong access controls and strong encryption methodologies are the best means of protecting passwords. Drupal encrypts passwords held in the database using the strong SHA512 hash function with a per-user salt function applied.

Secure Drupal hosting in Cloud Platform

To prevent common vectors of attack, Cloud Platform is built to ensure Drupal websites are hosted securely to align with best practices. Major points include the following:

The process owners of both the web infrastructure and the PHP infrastructure don’t have write access to the web root. The PHP infrastructure can only write to a specific set of directories: the [web root]/files and [web root]/sites/[sitename]/files or the corresponding files-private directories. These directories are writable by nature, because they’re intended to receive file uploads from end users.
Files in the web root (such as Drupal core and its modules) are written by an automated process and pulled from a version control system (Git) only.
Even subscribers logged in to the OS layer on a web infrastructure don’t have write access to files in the web root.
Cloud Platform manages code and configuration with Puppet. This means if a file is changed, Puppet will reset the file back to the known good configuration.

Drupal site security

Security audits: Acquia provides security audits to subscribers as a professional service engagement. These security audits include comprehensive code and architecture layer review to ensure that any custom development of your Drupal website hasn’t introduced vulnerabilities. An Acquia Security Audit is typically a one-week engagement on a website with your development team. Various security firms offer penetration and code review services, but only Acquia is solely focused on Drupal.

Remote Administration: Acquia offers a Remote Administration (RA) service to proactively keep its subscribers’ Drupal websites up-to-date with the latest security patches and bug fixes to both Drupal core and contributed modules.

Additional platform-level best practices

As a website administrator (glossary term, activate to view definition), you can take other steps to ensure your Acquia Cloud Drupal website is secure. For more steps, see Password-protecting non-production environments.

For more information about Drupal security, see the following:

The Drupal Security Team (glossary term, activate to view definition) includes about 40 people, several of whom are Acquia employees. The security team works with the Drupal Security Working Group, which reviews and supports the work of the security team. The security team created a framework to report and rank the mitigation of security vulnerabilities discovered both in Drupal core and in Drupal contributed modules. The team also provides best practices for secure module development and Drupal website creation and configuration.

To prevent common vectors of attack, Cloud Platform is built to ensure Drupal websites are hosted securely to align with best practices. Major points include the following:

The process owners of both the web infrastructure and the PHP infrastructure don’t have write access to the web root. The PHP infrastructure can only write to a specific set of directories: the [web root]/files and [web root]/sites/[sitename]/files or the corresponding files-private directories. These directories are writable by nature, because they’re intended to receive file uploads from end users.
Files in the web root (such as Drupal core and its modules) are written by an automated process and pulled from a version control system (Git) only.
Even subscribers logged in to the OS layer on a web infrastructure don’t have write access to files in the web root.
Cloud Platform manages code and configuration with Puppet. This means if a file is changed, Puppet will reset the file back to the known good configuration.

Security audits: Acquia provides security audits to subscribers as a professional service engagement. These security audits include comprehensive code and architecture layer review to ensure that any custom development of your Drupal website hasn’t introduced vulnerabilities. An Acquia Security Audit is typically a one-week engagement on a website with your development team. Various security firms offer penetration and code review services, but only Acquia is solely focused on Drupal.

Remote Administration: Acquia offers a Remote Administration (RA) service to proactively keep its subscribers’ Drupal websites up-to-date with the latest security patches and bug fixes to both Drupal core and contributed modules.

Did not find what you were looking for?

If this content did not answer your questions, try searching or contacting our support team for further assistance.

Drupal security team

The Drupal Security Team (glossary term, activate to view definition) includes about 40 people, several of whom are Acquia employees. The security team works with the Drupal Security Working Group

Drupal password security

Secure Drupal hosting in Cloud Platform

To prevent common vectors of attack, Cloud Platform is built to ensure Drupal websites are hosted securely to align with best practices. Major points include the following:

The process owners of both the web infrastructure and the PHP infrastructure don’t have write access to the web root. The PHP infrastructure can only write to a specific set of directories: the [web root]/files and [web root]/sites/[sitename]/files or the corresponding files-private directories. These directories are writable by nature, because they’re intended to receive file uploads from end users.
Files in the web root (such as Drupal core and its modules) are written by an automated process and pulled from a version control system (Git) only.
Even subscribers logged in to the OS layer on a web infrastructure don’t have write access to files in the web root.
Cloud Platform manages code and configuration with Puppet. This means if a file is changed, Puppet will reset the file back to the known good configuration.

Drupal site security

Security audits: Acquia provides security audits to subscribers as a professional service engagement. These security audits include comprehensive code and architecture layer review to ensure that any custom development of your Drupal website hasn’t introduced vulnerabilities. An Acquia Security Audit is typically a one-week engagement on a website with your development team. Various security firms offer penetration and code review services, but only Acquia is solely focused on Drupal.

Remote Administration: Acquia offers a Remote Administration (RA) service to proactively keep its subscribers’ Drupal websites up-to-date with the latest security patches and bug fixes to both Drupal core and contributed modules.

Additional platform-level best practices

For more information about Drupal security, see the following:

, which reviews and supports the work of the security team. The security team created a framework to report and rank the mitigation of security vulnerabilities discovered both in Drupal core and in Drupal contributed modules. The team also provides best practices for secure module development and Drupal website creation and configuration.

Did not find what you were looking for?

If this content did not answer your questions, try searching or contacting our support team for further assistance.

Drupal security

Drupal security team

Security-related contributed modules

Drupal password security

Secure Drupal hosting in Cloud Platform

Drupal site security

Additional platform-level best practices

Related topics

Drupal security

Drupal security team

Security-related contributed modules

Drupal password security

Secure Drupal hosting in Cloud Platform

Drupal site security

Additional platform-level best practices

Related topics

Did not find what you were looking for?

Drupal security

Drupal security team

Security-related contributed modules

Drupal password security

Secure Drupal hosting in Cloud Platform

Drupal site security

Additional platform-level best practices

Related topics

Did not find what you were looking for?