Drupal and Security: what you need to know


From large vulnerable corporations to cyber attacks causing physical damage, headlines are full with reports of data breaches, stolen Protected Health Information, ransom stories and IT system breaches. With its growing popularity, Drupal has become a perfect target for automated attacks. The recent SA-CORE-2014-005 vulnerability has demonstrated that hackers have learnt how to take advantage of Drupal’s functionality to infect a site and go unnoticed.

Site builders and site maintainers have a large role to play in preventing these kinds of disasters. Security doesn’t have to be a pain to implement and plan for. The primary goal of this session is to give people a solid basis in the most common security issues so they can quickly identify those security issues. From there, we'll move into some other common pain-points of site builders like frequently made mistakes, modules to enhance security, and evaluating contributed module quality.

Key points:

  • Security outside Drupal: safe computing
  • What to do about weak passwords
  • Can Drupal protect against DDoS attacks?
  • How can the Drupal community help you to achieve optimal security
  • Configuration mistakes to that make you vulnerable, and ways to avoid them
  • The single most important security element: fast updates
  • Developer cheat sheet: protect your code against XSS, SQLi and CSRF
  • Security improvements in Drupal 7 and Drupal 8

This session will be heavily inspired by this session presented at DrupalCon Austin.

Session Track

Site Building

Experience Level


Drupal Version