Drupal takes security very seriously, just like the other top-notch Content Management Systems. But, just like all complex pieces of software, there may be security vulnerabilities. Drupal stays right on top of those with the security mailing list. If you want to join, create an account on drupal.org, go to My Account, and there you can sign up for the different lists.
When a vulnerability is found, a fix is quickly issued and the list is notified. Drupal takes security seriously enough that they notify for core, for the contributed modules, and for some common third-party applications that Drupal interfaces with. Security is a big deal.
That being said, I was not able to see that site while it was hacked to find the problem. Looking at the site right now, I can tell you it is running Drupal 4.7 or earlier. They may not be running a security-updated version of Drupal, which would leave them vulnerable (just like any software app).
Then there is the fact that a lot of hacking happens not in Drupal but on the web server itself. Web servers are open to vulnerabilities and exploits.
In the end, Drupal is as secure as CMS solutions come, and the developers take security seriously. But a lot depends on things outside Drupal, like the platform and hosting solution, the development of the Drupal site, and how we keep up with security fixes. It's not hard to make a custom theme vulnerable. It's easy not to install a security update.
I do choose Drupal, and security is one of the things I have had to consider.
I suggest that anyone who is concerned with security not just count on a solution to handle it for them, but learn enough about security to know how to deal with it properly.
Matt Farina
Geeks and God Co-Host
www.mattfarina.com
Hi, www.godsblogs.com was also hacked.
Drupal was installed by Fantastico under cPanel there, and I thought it was fairly up to date.
But when I tried to log into Fantastico to see if it was up to date, Fantastico itself was disabled, which leads me to believe this must have been hacked at the cPanel level, and I'm not very happy about that.
My WordPress blog site was hacked a few months back, but it turned out to be, like MF suggested, not an issue with WordPress/Drupal; the whole server had been hacked. I checked out a couple of the other sites on the server and they had all been hacked. That said, my hosting provider was very good and had it all back to normal after a couple of hours.
So whilst you should be concerned about the security of Drupal, it is probably not Drupal that will result in you getting hacked.
Andy
I also have to ask if there was anything custom on the Drupal site. If so, did you follow good Drupal security practices when you did everything?
Getting hacked can happen at many levels: the OS level, cPanel (if your site uses that), the application level and more. The OSI model has 7 layers, and a number of them are open to attack over the Internet.
Did you find where the attack came from or how access was gained?
Matt Farina
Geeks and God Co-Host
www.mattfarina.com
I just found the G&G podcast a couple weeks ago. I went back and got the Drupal series and just finished it. I am a little concerned about security in Drupal. I recently visited freeforchurches.com and saw that their site had been hacked. A few days later I went back and noticed that it is a Drupal site.
Does anyone have any information about what happened at freeforchurches.com or have any thoughts on security in Drupal?