Is Drupal Secure?


Drupal is employed by thousands of high profile web sites and is put thorough security testing both by the security experts and Drupal community around the world. Drupal’s core code has been confirmed to avoid frequent security susceptibilities such as those described by the Open Web Application Security Project (OWASP).

Topic: Software
Answer this Question


2 total
Vote Up (7)

Security track record

"Composed of a set of respected community volunteers, and one of the first dedicated Security Teams in an open source CMS project, the Drupal Security Team works to resolve reported security issues for code hosted on, to review code for vulnerabilities, and to provide security expertise and assistance to contributors.

The Drupal community has an excellent track record of finding and fixing vulnerabilities in community-created code.

The number of security advisories shows consistent and reliable activity within the code contributors and the security team who guides the process of fixing and releasing security patches. Some interpret these numbers and say "a large number of vulnerabilities must mean insecure code." That analysis ignores the reality that all code has bugs (including security bugs) and the most important thing is an active group of coders and researchers finding and fixing bugs."

Vote Up (7)

I would say that Drupal is as secure as most other CMS options, and more so than some. There are always going to be vulnerabilities and potential exploits, of course, just as with any software. Probably the two main security concerns that come to mind are XXS and SQL injection. Not using untrusted data in database queries without escape it can minimize the risk of SQL injection. XXS is a more common concern, but it too can be minimized. Simply limiting HTML permissions goes a long way towards addressing cross site scripting.

Ask a question

Join Now or Sign In to ask a question.
Jumping into the growing NoSQL market, Microsoft has debuted a simple data store through the Azure cloud hosting service.
Most people start thinking about retirement when they turn 70, if they haven't already called it a career. Not Oracle CEO Larry Ellison, who passed that milestone Sunday.
With a Microsoft-mandated deadline a little more than two months away, computer makers are still selling PCs equipped with Windows 7 Home Premium.
Our first glimpse of Windows 9 may be right around the corner, as the new rapid-fire Microsoft scrambles to put the stigma of Windows 8's disastrous launch in the rear view mirror.
Citrix has updated its virtual desktop and appliance software with a goal of alleviating one of the biggest problems that come with a VDI deployment: Storage.
Betcha don't know all these nifty tricks and time-saving tips to boost your productivity.
With a single massive power burst, storage media that suddenly heads south, or interaction with a light-fingered ne'er-do-well, the technology your student depends on can vanish. Take these five tips to heart, however, and the loss of a device or data need not be catastrophic.
You can get browser extensions to stop advertisers from tracking you, but until now there hasn't been one that can prevent you from getting suckered by hucksters on news sites.
The R programming language is quickly gaining popular ground against the traditional statistics packages such as SPSS, SAS and MATLAB, at least according to one data statistician who teaches the language.
Online test grants LFCS and LFCE certifications.
Join us: