September 9, 2013

Drupal, Security & Apocalyptic Avoidance

So you've got a shiny new website. It's been built on Drupal, the best Open Source CMS platform on the planet. You can easily manage all the content on your website. It's responsive and works beautifully on all devices. It's so nice not to need your agency or web shop anymore, isn't it? You have the power! But wait! One day you wake up, pour yourself a cup of joe and log in to your site to post that press release that needs to go out today... and see this unnerving warning:

Hmm… what do you do now? Should you act on that message? Will something break if you do what it tells you to? Should you ignore it and hope it goes away? If I call my developer is he going to laugh, yell or charge me?

At Fuse we often get businesses coming to us with these very questions. Their agency or web shop used the right tool to build the site, but they neglected to inform them that Drupal has certain needs after their site goes live. Often these needs go unaddressed for months or even years.

Why are security updates important?

While Drupal is considered to be as secure as or more secure than its commercial equivalents, like any other piece of web software or CMS platform it requires maintenance. Hackers are very active in their attempts to find vulnerabilities in all the major web platforms. While Drupal is less targeted than WordPress (partly due to the sheer number of WordPress sites out there, and partly due to the relative ease of exploiting WordPress sites), vulnerabilities are still discovered and reported to the Drupal security team. Drupal core updates are typically released on a monthly basis and include patches for security holes identified by the community or by audits from the Drupal security team.

If Drupal security updates are not applied regularly, you are opening yourself up to vulnerabilities. These vulnerabilities vary in severity from site to site depending on how Drupal has been configured and how old Drupal core and contributed modules are. Will your site be hacked for sure if you don't update regularly? Well... probably not, but your chances are definitely higher. Think about security updates as doing regular oil changes or checking the brakes on your car.

Common problems with sites we inherit

When we inherit sites built by other developers we come across some common issues. The biggest issues come from sites built by developers that don't specialize in Drupal. Inexperienced Drupal developers will often hack Drupal's core or contributed modules to make Drupal do what they want it to in the fastest way possible. The problem with taking these shortcuts is that it can make security updates difficult to apply without breaking site functionality.

When we are considering whether or not to take on the ongoing maintenance of a site built by another developer or shop, we start by evaluating the integrity and securability of the site. I won't go into our site audit process here as Codi has explained things rather well in his recent post, but one of the first things we need to determine is if there were shortcuts taken in the build that would compromise our ability to keep the site secure. If we can't apply security updates because of Drupal core or contributed module hacks, we will either say no to the work or insist that we remediate the code so that we can keep it secure. This can often be quite time-consuming depending on the severity of the hacks.
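One way to check for in-place edits to core or contributed module files is to compare the deployed tree against an unmodified copy of the same release. The sketch below is an added example, not Fuse's audit process: the function names, the constructed sample trees, and the mapping of findings onto Nagios plugin exit codes (0 OK, 1 WARNING, 2 CRITICAL) are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit(pristine_root, site_root):
    """Compare a deployed core/module tree against the unmodified release."""
    want, have = manifest(pristine_root), manifest(site_root)
    return {
        "modified": sorted(f for f in want if f in have and want[f] != have[f]),
        "missing": sorted(f for f in want if f not in have),
        "added": sorted(f for f in have if f not in want),
    }

def nagios_status(report):
    """Assumed policy: altered release files are CRITICAL, extra files WARNING."""
    altered = report["modified"] + report["missing"]
    if altered:
        return 2, "CRITICAL: release files altered: " + ", ".join(altered)
    if report["added"]:
        return 1, "WARNING: unexpected files: " + ", ".join(report["added"])
    return 0, "OK: tree matches release"

def demo():
    """Build two small constructed trees (not real Drupal files) and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine, site = Path(tmp, "pristine"), Path(tmp, "site")
        for root in (pristine, site):
            (root / "includes").mkdir(parents=True)
            (root / "includes" / "common.inc").write_text("<?php // release code\n")
            (root / "index.php").write_text("<?php // bootstrap\n")
        # Simulate a core file edited in place plus a stray file dropped in.
        (site / "includes" / "common.inc").write_text("<?php // release + local hack\n")
        (site / "fix.php").write_text("<?php // stray file\n")
        report = audit(pristine, site)
        return report, nagios_status(report)

if __name__ == "__main__":
    print(demo())
```

On a real site the comparison should be scoped to directories that ship with the release, since site-specific directories legitimately contain files the release does not.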

The long & the short of it is that Drupal is much happier when it hasn't been hacked and stays up to date. But most importantly, you as a website administrator can rest a little easier knowing you are doing everything you can to ensure your site and mission-critical data is secure.

Other culprits

We also recognize that Drupal is not the only way that hackers can get in. Server software can often be the culprit. Today's VPSs and shared hosting scenarios give you tonnes of software as part of their offering, but if this software is not kept up to date, your site could be compromised even with all the latest Drupal security updates. The sites we host for clients are run on very stripped-down servers (without any extraneous software), kept up to date and tuned specifically for Drupal, thus minimizing the risks associated with server software.

Our approach to Drupal security

It all starts with the build. We don't hack core. We don't hack contrib modules. We do occasionally patch contributed modules, but we do so in a way that does not compromise the securability of the module.

When we launch a site for a client we strongly recommend signing up for a monitoring & security package and insist on it if we are hosting the site. The cost of this varies based on the complexity of the site. Andre's post from a few months back describes in more detail what we do for our clients as part of a monitoring & security package, but essentially we monitor Drupal core and module statuses (with Nagios), apply & test updates in our development environment, remediate any issues that may come up as a result of the update, then deploy & test again on the production server.

It all sounds a bit tedious, but worth it for peace of mind & a better night's sleep. Our clients can focus on creating and managing great content instead of worrying about the integrity of their site.

photo credit: Pascal