Pixeldust Drupal Security AUDITS
Pixeldust Provides Best-Practices Driven Drupal Audits & Remediation
Pixeldust Drupal Security Audit
Our Drupal site audit provides actionable insights for quantifiable improvements.
Drupal Security Audits
While every site has unique configurations and content, they all have the same architectural requirements. Using static program analysis, it is possible for Pixeldust to provide recommendations that fit the majority of use-cases on any implementation. Our Drupal security audit is non-intrusive. No installation or configuration is required.
Pixeldust Drupal Security Audit includes a 14-point comprehensive report that identifies common problems. The final audit report is delivered as an organized, color-coded HTML document that outlines actionable items with priority designations. We can also provide estimates to have critical issues remediated.
Why a Drupal site audit?
- Security – Discover weaknesses in your Drupal implementation.
- Performance – Identify areas where performance improvements can be made.
- Site Acquisition – Do this before you buy a business as part of due diligence.
- Implementation Verification – Check your site before it goes live to avoid critical issues that may appear under load.
- Vendor Management – Make sure your current developer is doing a good job.
- Support Transition – When moving to a new developer both sides need to know what they are working with.
Your Drupal security audit report is delivered within 3-5 days and includes analysis of the following areas:
- Best Practices – We provide structural recommendations to keep the site in Drupal best development practices.
- Block – Is caching enabled for all blocks?
- Cache – What are the optimal Drupal caching settings?
- Codebase – What is the size of the site; size and count of managed files?
- Content – Are there unused content types, and vocabularies?
- Cron – Is the Drupal built-in cron configured correctly?
- Database – We check for issues in collation, engine, row counts, and size.
- Extensions – Total count, development modules, duplicate modules, missing modules.
- Insights – Analyze site with Google PageSpeed Insights.
- Security – Checks for common security exploits, such as malicious menu router items.
- Status – We check for failures in Drupal’s built-in status report.
- Users – Whether user #1 is blocked, the number of normal and blocked users, and the list of roles.
- Views – Are the caching settings on views correct?
- Watchdog – We analyze Watchdog for 404 error count, age, number of entries, enabled, and PHP errors.
- Remediation – We provide estimates for fixing key issues.
Joe Doyle, Director of Digital Strategy, HCB Health
The Pixeldust team are flexible and provide great service. We’ve hired them several times.
Tyler Harmeyer, VP of IT Operations, My Fit Foods
Pixeldust always exceeds our expectations. Day or night, we can count on Pixeldust to support our eCommerce system.
Philip Busker, CEO, Mattress Firm
Pixeldust helped us present a progressively competitive front during our recent merger negotiations.
Gaea Connary, Marketing Manager, Convio, Inc.
We were really impressed with Pixeldust’s level of expertise and commitment to the project.
James Scott, Business Manager, Cielo Wind Power, LLC
Pixeldust has always been responsive to our needs. They’ve redesigned our site three times over the past 10 years.
Shawn Rucks, CEO, Deverus
Pixeldust gave us exactly what we wanted and delivered it on time and on budget.
What to Check When Doing a Drupal Security Audit
Check update status: The currently running version of Drupal is shown on the status report, and also by running ‘drush status’ from the site root. ‘drush pm-list’ shows module statuses as well. If the Update module is enabled (which it often isn’t on a production site), the status report will tell you whether Drupal core and its modules are up to date. You can manually look up the current version of Drupal at www.drupal.org/project/drupal
Check status report: The status report is color-coded to show any potential issues. Yellow ‘warning’ rows may just be less-performant versions of PHP libraries or a missing handler for functionality not used on the site. Red rows require attention, such as locking down file permissions or ensuring certain directories don’t execute PHP for security purposes.
Check cron: The status report will tell you the last time cron was run. If it has been more than 24 hours, cron for the site may not be configured correctly. It is advisable to check the logs for cron tasks, and perhaps to run cron manually with ‘drush cron’, to ensure no errors appear during runs.
Check error reports: Reviewing the site’s database logs shows both activity on the site (which can indicate areas to focus on in future updates) and technical errors. Filter the logs to PHP errors to see whether there are any bugs or code compatibility issues.
Check for unnecessary modules: Certain modules, development and debugging modules in particular, are normally advisable to disable on production sites.
Run Hacked!: Hacked! is a module that finds files which differ from the original project releases and may therefore have been edited by malicious parties. Run it on a snapshot of the code as it exists on production, but in a non-production environment.
Check for PHP in the database: If you have phpMyAdmin installed, a quick search of the whole database for PHP open tags should find any place where PHP has been inserted. Typically, you can be assured that PHP isn’t in the database if the PHP filter module is disabled (which it definitely should be).
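The database check above, as an added example (not Pixeldust’s or the Site Audit module’s code): a small Python script that performs the whole-database search for PHP open tags and the PHP filter checks against an in-memory SQLite stand-in for three real Drupal 7 tables (‘system’, ‘field_data_body’, ‘block_custom’). The rows are constructed; on a live site the same queries would run against a copy of the MySQL database.

```python
import sqlite3

# Table and column names are real Drupal 7 schema; all row data below is constructed.
PHP_MARKERS = ("<?php", "<?=")
TEXT_TYPES = ("TEXT", "LONGTEXT", "MEDIUMTEXT", "VARCHAR", "BLOB")


def scan_for_php(conn):
    """Whole-database search: check every text-like column of every table
    for a PHP open tag. Returns [(table, column, matching_row_count), ...]."""
    hits = []
    tables = conn.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall()
    for (table,) in tables:
        for row in conn.execute(f'PRAGMA table_info("{table}")').fetchall():
            col, ctype = row[1], row[2]
            if not ctype.upper().startswith(TEXT_TYPES):
                continue  # numeric columns cannot hold a PHP tag
            where = " OR ".join(f'"{col}" LIKE ?' for _ in PHP_MARKERS)
            n = conn.execute(f'SELECT COUNT(*) FROM "{table}" WHERE {where}',
                             [f"%{m}%" for m in PHP_MARKERS]).fetchone()[0]
            if n:
                hits.append((table, col, n))
    return hits


def php_filter_enabled(conn):
    """True if the core PHP filter module ('php') is enabled in the system table."""
    row = conn.execute(
        "SELECT status FROM system WHERE type='module' AND name='php'").fetchone()
    return bool(row and row[0])


def bodies_using_php_format(conn):
    """Body fields stored with the PHP filter's 'php_code' text format."""
    return conn.execute("SELECT entity_id, bundle FROM field_data_body "
                        "WHERE body_format='php_code' ORDER BY entity_id").fetchall()


def build_sample_db():
    """Constructed in-memory stand-in for three Drupal 7 tables (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
      CREATE TABLE system (filename VARCHAR(255), name VARCHAR(255), type VARCHAR(12), status INTEGER);
      CREATE TABLE field_data_body (entity_id INTEGER, bundle VARCHAR(128),
                                    body_value LONGTEXT, body_format VARCHAR(255));
      CREATE TABLE block_custom (bid INTEGER, body LONGTEXT, info VARCHAR(128), format VARCHAR(255));
      INSERT INTO system VALUES ('modules/php/php.module', 'php', 'module', 1);
      INSERT INTO field_data_body VALUES (1, 'page', '<p>About us</p>', 'filtered_html');
      INSERT INTO field_data_body VALUES (7, 'page', '<?php echo "hi"; ?>', 'php_code');
      INSERT INTO block_custom VALUES (3, '<?= date("Y") ?>', 'Footer year', 'full_html');
    """)
    return conn
```

Call the three check functions with the connection returned by build_sample_db() (or with any DB-API connection to a copy of a site database) to get the findings as return values.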
Common Drupal website issues
Drupal does not stand still — it is constantly evolving. Each update of the Drupal core brings new opportunities. However, not all website owners enjoy this advantage, and many still use older versions. Among them are web resources on Drupal 6, which is no longer officially supported. So, upgrading your website to the newest version is the only smart solution. Remember that ignoring updates makes your site an easy target for attackers.
Custom code quality
It is necessary to create custom modules if you want to add specific features to your website. When written inefficiently and without following the Drupal coding standards, they can cost you a lot. Vulnerabilities found in a Drupal security audit may include cross-site scripting (XSS), injected malicious PHP/ASP code, remote file inclusion, file disclosure, directory traversal, and many more serious threats. There is also the threat of SQL injection, where an attacker uses application code to access your database content and can then create, read, update, or delete the data stored there. That is why it is important to entrust only experienced developers with that task. The top priority during our website audit process is to identify and address such problems.
Sometimes we identify a huge number of unused modules on Drupal websites. Although at first glance having a hundred modules seems normal and not necessarily a security risk, it is one. Not all of them are good: some may slow down your website’s performance and are more likely to contain bugs or security issues. They present a potentially high risk from the perspective of long-term maintenance. A website audit can help you determine whether you actually need them. Unused modules can be safely deleted by specialists.
You may say that themes don’t introduce a serious threat themselves, and that there are other holes that are much riskier for your Drupal website. However, the situation is similar to that of unused modules in the previous paragraph. The number of installed themes can reach into the dozens, and if you are not applying their Security Advisories within the given timeframe, you are risking security issues. So, be selective when choosing the theme sets that are suitable for you and your business.
We have also encountered a number of other issues: no performance optimization or caching modules installed on the website, Drupal core caching disabled, unused content types and roles, outdated contrib modules, and more. A proper analysis lifts the veil on a web resource. As an owner, you should consider a website audit to prevent problems in the future. Identifying and remedying the above issues will considerably improve your website’s performance. Contact us to get a professional site audit and save your time and money!
Powered by Site Audit | Drupal.org