Back in 2011 I was looking for a CMS to replace Joomla for building our websites. I chose Drupal mainly for its flexibility (fields, roles and permissions, views), its solidity (performance and scalability) and the professionalism of its community (their motto was "come for the code, stay for the community"). I soon realized that another asset was its security.
What does a secure website mean?
When we talk about system security, we mean that a website or online store cannot be compromised: nobody can gain access to a feature they are not authorized to use.
The most common cases of an insecure website are a third party being able to change or delete the website's content, or to read users' personal data.
There are other, less well-known cases too. A back-end user can obtain the permissions of roles that have never been assigned to them (privilege escalation). For example, a blog author gains access to order management.
Who wants to hack my website?
A common question is "who wants to hack my website? There are millions of websites." If you are not the Department of State or another high-profile organization, it is unlikely that anyone targets you specifically. But most compromises happen in mass attacks, where attackers use automated scanners to look for security holes that give them unauthorized access to any vulnerable site they come across.
The reason is that online fraudsters use servers they don't own to send spam and phishing email, inject cryptocurrency mining scripts, and so on.
What if my website is hacked?
A website compromised in a mass attack shows no visible change at first, because the attackers want to keep control of the system for as long as they can. The compromise can still lead to problems such as blacklisting by Google, reports to the authorities and even financial losses.
If your hacked site is not part of a mass attack, something different is going on: a targeted attack, usually aimed at defamation or financial damage.
Is Drupal safer than Joomla, WordPress or other CMSs?
The answer is "Yes"! Many of the websites we host have been hacked dozens of times. These websites use Joomla, WordPress or other CMSs, but never Drupal.
Does this mean that Drupal cannot be hacked? No! Every CMS can be hacked. Drupal websites have been hacked too, but none of ours (yet).
In Drupal there is a strict security process, from the review of the contributed modules that are approved for use to the way security issues are found, fixed and announced.
Drupal is regularly audited for security. The websites of NASA and other US government organizations, which are frequent targets, are built on Drupal.
Drupageddon 3
Every week security issues are found and fixed in Drupal. Since 2011, critical vulnerabilities have been found three times. One of them was yesterday, 28 March 2018. These three fixes were called "Drupageddon" because of their severity. In all three cases the same procedure was followed: the fix was prepared privately and only then released to the public, together with the advisory.
Yesterday's security hole was discovered by Jasper Mattsson of Druid, a company that audits Drupal sites and reports security issues. He reported it to the Drupal security team, who prepared the patch and notified the community in advance of the date and time the patch would be released.
It is critical to apply the fix within 8 hours of its release. If you don't, you should consider your website as already hacked.
What does Netstudio do about the security of its websites?
Since 2011 we have built and supported many lead-generation websites, as well as e-commerce stores and web apps. Most of them are hosted on our servers. Even though we keep multiple backups and have several security layers in place, in a Drupageddon case we have to be especially careful.
We noted the date and time the patch would be released. We built and tested automated scripts that would apply the fix immediately on all 220 of our websites, across all our servers and every Drupal release we run. It would have been impossible to complete this task within 8 hours manually.
Our effort succeeded thanks to our team's expertise, and especially Mike's: he completed the rollout in 39 minutes!
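The fleet-wide patch run described above, as an added example: this is not Netstudio's script and it reproduces no Drupal code. It reads a list of Drupal docroots from a file, detects the major version of each, checks whether the SA-CORE-2018-002 fix is already present (both the 7.x and 8.x fixes add a request sanitizer file that did not exist before: includes/request-sanitizer.inc for Drupal 7 and core/lib/Drupal/Core/Security/RequestSanitizer.php for Drupal 8) and applies the official patch only after a dry run succeeds, so a site on an unexpected release is reported rather than left half-patched. The SITES_FILE and PATCH_DIR variables, the patch file names drupal7.patch and drupal8.patch and the -p1 patch level are assumptions to adapt to the patches you download from drupal.org.

```shell
#!/usr/bin/env bash
# Added example, not Netstudio's own tooling.
# Assumptions: $SITES_FILE lists one Drupal docroot per line and $PATCH_DIR
# holds the official SA-CORE-2018-002 patches as drupal7.patch / drupal8.patch
# (hypothetical file names; fetch the real patches from drupal.org).
set -u
PATCH_DIR=${PATCH_DIR:-/root/sa-core-2018-002}
SITES_FILE=${SITES_FILE:-}

# Print the Drupal major version (7 or 8) of a docroot, or "unknown".
drupal_major() {
  root=$1
  if [ -f "$root/core/lib/Drupal.php" ]; then
    # Drupal 8 declares:  const VERSION = '8.5.0';
    sed -n "s/^ *const VERSION = '\([0-9]*\)\..*/\1/p" "$root/core/lib/Drupal.php"
  elif [ -f "$root/includes/bootstrap.inc" ]; then
    # Drupal 7 declares:  define('VERSION', '7.57');
    sed -n "s/^define('VERSION', '\([0-9]*\)\..*/\1/p" "$root/includes/bootstrap.inc"
  else
    echo unknown
  fi
}

# Exit status 0 when the SA-CORE-2018-002 fix is present: each branch of the
# fix ships a request sanitizer file that older releases do not have.
# Status 2 means the docroot is not a Drupal 7 or 8 site.
is_patched() {
  root=$1
  case "$(drupal_major "$root")" in
    8) [ -f "$root/core/lib/Drupal/Core/Security/RequestSanitizer.php" ] ;;
    7) [ -f "$root/includes/request-sanitizer.inc" ] ;;
    *) return 2 ;;
  esac
}

# Patch one docroot. Prints one status line per site so the run log shows
# exactly which sites still need a human.
patch_site() {
  root=$1
  major=$(drupal_major "$root")
  patchfile="$PATCH_DIR/drupal$major.patch"
  if is_patched "$root"; then
    echo "OK    $root (Drupal $major, already patched)"; return 0
  fi
  if [ ! -f "$patchfile" ]; then
    echo "SKIP  $root (no patch file for Drupal '$major')"; return 1
  fi
  # Dry run first: only apply when the patch applies cleanly.
  if ! (cd "$root" && patch -p1 -s --dry-run < "$patchfile"); then
    echo "FAIL  $root (patch does not apply cleanly)"; return 1
  fi
  (cd "$root" && patch -p1 -s < "$patchfile")
  # Verify by the same check used for inventory, not by patch's exit code alone.
  if is_patched "$root"; then
    echo "DONE  $root (Drupal $major)"
  else
    echo "FAIL  $root (patch applied but fix file missing, check manually)"; return 1
  fi
}

# Run over the fleet when a site list is given; each status line is the record.
if [ -n "$SITES_FILE" ]; then
  while IFS= read -r site; do
    [ -n "$site" ] && patch_site "$site"
  done < "$SITES_FILE"
fi
```

Run it once per server with SITES_FILE pointing at that server's docroot list and collect the status lines centrally; the OK/DONE/SKIP/FAIL summary across all hosts is what tells you, within the release window, which sites are still exposed.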
What should I do to keep my website secure?
Whatever your CMS is, follow these steps:
- Make sure the server hosting your site takes daily backups and that you can restore them quickly and easily.
- Keep more than one backup generation: take at least weekly and monthly backups in addition to the daily ones.
- Keep a copy of the backups locally on your own computer, off the server.
- Apply all updates, and security updates as soon as they are released.
- Talk to the people who support your website and ask what security policies they follow.
- If you need help, you can contact us.
By Yannis
CEO & Founder
Published on 29 Mar 2018