Is Drupal safe?


It’s no secret that we’re big supporters of Drupal, a modular web development framework with an integrated content management system. However, we’ve noticed that some people have doubts about Drupal’s stability and security, mainly because it is an open-source system, and that makes them apprehensive.

As such, we decided it was time to put those doubts to rest and clarify, once and for all, how secure (or insecure) Drupal’s framework really is. By the end of this article you should know everything you need on the subject, and if you still have questions, you can always contact us for further clarification.

Is open-source software safe?

Open-source software is software whose source code, the human-readable code written by the developers that is then compiled or interpreted so a computer can run it, is publicly available.

The big difference with open-source software is that anyone can read the code and propose changes to it, whereas in closed-source software only the original team of programmers handles the software’s development. In practice, contributions to a project like Drupal are reviewed by its maintainers before being accepted, so open-source software is developed collaboratively and continuously by many contributors rather than by a single team.

With that in mind, it’s understandable that you have some suspicions about this type of software: if anyone can see and propose changes to the code, doesn’t that mean greater risk?

The truth is that open-source software is at least as secure as, and sometimes more secure than, other types of software. There are several reasons for this, but one of the main ones is that the community that forms around the software actively searches its code for vulnerabilities and corrects them. “Closed” software sometimes carries uncorrected vulnerabilities that the responsible team, through oversight or lack of time, never fixes; open-source software is instead constantly being read, reviewed and analyzed by many people. More importantly, when a vulnerability is exposed, it is more easily noticed by the community and quickly corrected. The caveat is that this only holds for projects that actually have an active reviewing community and a defined process for fixing and disclosing issues, which is exactly what the next section looks at for Drupal.

On the other hand, believing that a closed system is inherently safer simply because its code isn’t visible is a common mistake, known as “security through obscurity”. It is like assuming that money hidden under a mattress, where no one knows where it is, is better protected than money in a bank, where many people know where it is but several security measures ensure that only authorized people can access it. What really secures any system is its protections, so publicly available source code doesn’t make it any less protected.

What are Drupal’s security measures?

We’ve established that open-source software can be secure, but what about Drupal specifically? Since it is the security measures that really make the difference, which ones does Drupal put into practice?

To ensure the platform’s security, Drupal has a dedicated security team that works continuously with the community to detect and correct vulnerabilities in the framework, and that provides extensive documentation on how to build a secure Drupal website. As a rule, this team supports the latest version of Drupal and the previous one (at the time of writing, versions 8.x and 7.x respectively), releasing and announcing security updates almost monthly.

In addition to vulnerabilities in Drupal core itself, the team also coordinates the detection and correction of vulnerabilities in the many contributed modules, themes and other projects. All this continuous work means Drupal core addresses the risk categories catalogued by the Open Web Application Security Project (OWASP), a nonprofit organization focused on improving software security, whose Top 10 list of the most critical web application security risks is widely used to guide secure web development.

With this, Drupal has several working measures to ensure that not only the framework but the projects built on it are properly protected against attacks. Note, however, that the security team’s coverage stops at core and contributed code: by this article’s estimate, 90% of the security flaws detected in Drupal websites are in themes or modules written for those sites by less experienced teams, which is why you should only trust an experienced Drupal team to develop and maintain your platform.
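To make the point above concrete, here is an added illustration of the kind of defect that turns up in hand-written custom modules, beside the form that uses Drupal 8’s database API properly. This is example code written for this article, not code from Drupal core or from any real module; it is meant to run inside a Drupal 8 site (the function prefix `example_lookup` stands for a hypothetical custom module), and it looks up a user’s e-mail address by user name.

```php
<?php
/**
 * Added illustration, not code from the article or from Drupal itself:
 * a lookup as a less experienced team might write it, beside the same
 * lookup done with the Drupal 8 database API. Intended to run inside a
 * Drupal 8 site; "example_lookup" is a hypothetical custom module name.
 */

use Drupal\Component\Utility\Html;

/**
 * UNSAFE: the SQL is built by string concatenation, so a name such as
 *   ' OR '1'='1
 * changes the shape of the query (SQL injection), and the result is
 * written into markup without escaping, so any HTML stored in the mail
 * field is rendered as-is (cross-site scripting). No access check either.
 */
function example_lookup_unsafe(string $name): string {
  $connection = \Drupal::database();
  $sql = "SELECT mail FROM {users_field_data} WHERE name = '" . $name . "'";
  $mail = $connection->query($sql)->fetchField();
  return '<p>' . $mail . '</p>';
}

/**
 * SAFE: same lookup with three changes. The caller must hold a permission,
 * the user-supplied value travels as a named placeholder so the database
 * driver quotes it and the SQL shape cannot change, and the value is
 * escaped before it becomes part of the page. {users_field_data} is the
 * Drupal 8 table that holds user names and e-mail addresses; the braces
 * let Drupal apply any configured table prefix.
 */
function example_lookup_safe(string $name): string {
  if (!\Drupal::currentUser()->hasPermission('administer users')) {
    return '';
  }
  $connection = \Drupal::database();
  $mail = $connection->query(
    'SELECT mail FROM {users_field_data} WHERE name = :name',
    [':name' => $name]
  )->fetchField();
  // fetchField() returns FALSE when no row matched.
  if ($mail === FALSE) {
    return '';
  }
  return '<p>' . Html::escape($mail) . '</p>';
}
```

In real module code you would normally return a render array (for example `['#plain_text' => $mail]`, which Drupal escapes for you) rather than a string, but the three points illustrated are the ones that matter: check access, never concatenate input into SQL, and never emit unescaped data into markup. None of these protections are something Drupal core can apply to custom code on its own, which is why the author of that code matters so much.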

It’s also important to note that these security updates are not applied automatically: someone has to install them, and a core update can sometimes break contributed modules that have not kept pace with it. This is another reason why you need an experienced, fully dedicated team on your project, to ensure that you’re always up to date and functioning at 100%.

Beyond this continuous protection, the framework itself is built with the user’s security in mind. It offers salted, iterated password hashing (passwords are never stored in a recoverable form, and authentication can be hardened further with contributed modules), a fine-grained role and permission system for access control, options for encrypting stored data, largely through contributed modules, that help meet PCI, HIPAA and other privacy requirements, and a core update status module that reports which installed projects have pending security releases.


The definitive answer to this article’s title is: yes, Drupal is secure, provided that you have a team that keeps the system up to date with the releases published by Drupal’s security team, and whose custom code is written professionally enough not to introduce new security flaws of its own.

If you’re still not convinced that Drupal is secure, here’s one last fact that may change your mind: even the White House chose Drupal, in 2009, precisely because of its security, and many other large organizations rely on it, among them UNESCO, the American Red Cross, NBC, Harvard and Oxford Universities, Twitter and the NBA. If it was secure enough for Barack Obama, why wouldn’t it be for you?