Drupal Website Security Audit

Our company is engaged in the development, support and maintenance of sites of any complexity. From simple one-page sites to large-scale cluster systems built on micro services. Experience of developers is confirmed by certificates from vendors.

8+Years of workmore info 900+Completed projectsmore info 100+In house employeesmore info 19+Partnersmore info

Development and maintenance of all types of websites:

Informational websites or web applications

Business card websites, landing pages, corporate websites, online catalogs, quizzes, promo websites, blogs, news resources, informational portals, forums, aggregators

E-commerce websites or web applications

Online stores, B2B portals, marketplaces, online exchanges, cashback websites, exchanges, dropshipping platforms, product parsers

Business process management web applications

CRM systems, ERP systems, corporate portals, production management systems, information parsers

Electronic service websites or web applications

Classified ads platforms, online schools, online cinemas, website builders, portals for electronic services, video hosting platforms, thematic portals

These are just some of the technical types of websites we work with, and each of them can have its own specific features and functionality, as well as be customized to meet the specific needs and goals of the client.

Offered services

Showing 1 of 1 servicesAll 2065 services

Drupal Website Security Audit

Medium

~3-5 business days

FAQ

Our competencies:

Free consultation

Book a free consultation if you have any questions. A dedicated specialist will advise you.

Cost calculation

If you know what exactly you need to develop, or you already have a ready-made technical task.

Development stages

Latest works

Development of a web application for FEEDME
1161
Development of an online store for the company FURNORO
1041
Development of a web application for Enviok
822
CRM development for Chasseurs
847
Website development for SBH Partners
999
Website development for Red Pear
451

Show more works

Drupal Site Security Audit

Drupal historically has a good security reputation — dedicated Security Team, Security Advisory (SA) system, regular patches. Nevertheless, outdated modules, incorrect configuration, and custom code create vulnerabilities.

Audit Tools

# Check security updates
drush pm:security

# Detailed list of vulnerable packages
composer audit

# Drupal Security Scanner (external)
# https://www.drupal.org/security/advisories

Checklist

Core and Modules:

# Are all security updates applied?
drush pm:security --format=table

# PHP version
php -v  # minimum 8.1, recommended 8.3

File Access Rights:

# settings.php should be read-only
stat web/sites/default/settings.php
# 444 or 400 — correct
# 644 or 755 — too open

# Files directory
find web/sites/default/files -name "*.php" -type f
# PHP files in /files — sign of compromise

# Directories with correct permissions
find web -type d -perm /o+w -not -path "*/\.*"

settings.php Audit:

// Should be:
$settings['hash_salt'] = 'long-random-string';  // unique for each site
$config['system.logging']['error_level'] = 'hide';     // don't show errors
$settings['trusted_host_patterns'] = [                 // list of allowed hosts
    '^yourdomain\.com$',
    '^www\.yourdomain\.com$',
];

// Should not be:
// $settings['rebuild_access'] = TRUE;  // development only
// $config['system.performance']['cache']['page']['max_age'] = 0;  // not in production

Trusted Host Patterns — critical. Without this setting, site is vulnerable to Host header injection attacks.

Users and Roles:

# List administrators
drush sql:query "SELECT name, mail FROM users u JOIN user__roles ur ON u.uid = ur.entity_id WHERE ur.roles_target_id = 'administrator'"

# Check anonymous permissions
drush role:list --filter=anonymous

Security Configuration:

# Is Security Review enabled?
composer require drupal/security_review
drush en security_review -y
drush secrev --store  # run check

Security Review checks: file permissions, role permissions, critical PHP settings, input filters, private files.

Custom Code Analysis

XSS Vulnerabilities:

# Search for unsafe output in Twig
grep -r "raw" web/themes/custom/ web/modules/custom/
# {{ var | raw }} without prior sanitization — vulnerable

# In PHP
grep -r "print_r\(\$_\|echo \$_\|print \$_" web/modules/custom/

SQL Injection:

// Unsafe (do not do):
$result = \Drupal::database()->query("SELECT * FROM node WHERE title = '" . $input . "'");

// Correct:
$result = \Drupal::database()->query(
    "SELECT * FROM node WHERE title = :title",
    [':title' => $input]
);

CSRF Protection:

// All forms must use FormAPI or explicit token validation
$form['#token'] = 'my_operation';

// Or in custom controller
$this->csrfToken->validate($token, 'my-route');

File Upload:

# Allowed file extensions in fields
drush config:get field.field.node.article.field_attachment | grep "file_extensions"
# Never allow: php, phtml, phar, js, html

Security Headers

// services.yml or custom EventSubscriber
class SecurityHeadersSubscriber implements EventSubscriberInterface {
    public function onResponse(ResponseEvent $event): void {
        $response = $event->getResponse();
        $response->headers->set('X-Content-Type-Options', 'nosniff');
        $response->headers->set('X-Frame-Options', 'SAMEORIGIN');
        $response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
        $response->headers->set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
    }
}

Private Files

// settings.php: store private files outside web root
$settings['file_private_path'] = '/var/private/drupal-files';

Documents accessible only to authorized users — never in sites/default/files (public directory).

Timeline

Drupal security audit with report — 1–2 days. Remediation of critical vulnerabilities — additional 1–3 days.