Building a Fortress: How an Open-Source CMS Like Drupal Contributes to Website Security

May 29 2023

A single data breach can lead to millions of dollars in damages, a permanent loss of stakeholder trust, and significant reputational damage. So if you’re in the market for a new CMS, it’s imperative to select one that will help shield your organization from unwanted access to your information.

However, the reality is there’s more to maintaining website security than putting a solid CMS in place. Yes, your colleagues in IT/IS and compliance will need to see that your CMS checks all the right boxes. And there are certainly some CMSs that employ more stringent security practices than others.

But to make your website as secure as possible, you also need to look at whether your CMS is part of a larger security ecosystem. Here’s an overview of the key areas to consider.

How Secure is a Proprietary vs. Open-Source CMS?

Both proprietary and open-source CMSs can be secure if they’re properly developed, carefully maintained, and safely utilized. But there are significant differences in their approach to shoring up code. 

With a proprietary CMS (like Adobe Experience Manager or Squarespace), the source code is closed and fully controlled by the company that owns the product. As such, the company is solely responsible for testing the code, performing quality control, and conducting security audits. They’re also the only ones who can fix vulnerabilities and provide security updates and patches on an ongoing basis. 

That means the only people evaluating closed source code are the vendor’s own staff and any auditors it hires. Keeping the source private does little to stop attackers, who find flaws by probing the running product rather than by reading code. What it does mean is that fewer eyes are on the code, so weaknesses can take longer to surface and fix, and you depend entirely on the vendor’s patch schedule.

By contrast, open-source CMSs like Drupal are developed and maintained by a community of developers who collaborate to create and improve the software. Anyone can inspect, test, and try to break the code, and Drupal backs that openness with a formal process: a security team that takes private reports, coordinates fixes with maintainers, and publishes advisories on announced release days. Openness alone does not make code secure, but it means flaws are found and disclosed by many parties rather than sitting unknown until a single vendor gets to them.

In short, open-source CMSs draw on a large network of professionals who all have a vested interest in making the code as robust as it can be.

Drupal’s Multi-Faceted Approach to Website Security

Drupal’s approach to security maps onto the five core functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework: Identify, Protect, Detect, Respond and Recover. The framework pairs proactive measures (knowing your assets and hardening them) with reactive ones (spotting incidents and recovering from them).

Drupal also follows guidelines laid out by the Open Worldwide Application Security Project® (OWASP), a nonprofit foundation that works to improve software security.

(Image: NIST framework)

These proven security-related guidelines and best practices are evident in the way Drupal:

  • Uses flood control in core to detect brute-force login attempts and temporarily block further attempts from an IP address or against an account (by default after 50 failures per IP address in an hour, or 5 per account in six hours)
  • Publishes coding best practices to help developers verify that the code they create is secure 
  • Offers highly customizable roles and permissions to allow organizations to control who has access to which types of data
  • Blocks SQL injection through its database layer’s parameterized queries, cross-site scripting (XSS) by auto-escaping output in Twig templates and the render system, and cross-site request forgery (CSRF) with per-session tokens on every Form API form. Validating input is still the job of your custom code, and these protections only apply when code goes through the APIs rather than around them
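As an added illustration, and not code from this page or from Drupal core, the following module code shows each of those three protections beside the unsafe pattern it replaces. The function names, the `mymodule` module name and the CSRF token value string are assumptions for illustration; the Drupal and Symfony classes and methods used are the real APIs.

```php
<?php
// Added example, not code from the page or from Drupal core: the unsafe
// pattern beside the Drupal-API pattern for each bug named above.
// "mymodule", the function names and the token value are assumptions.

use Drupal\Component\Utility\Xss;
use Drupal\Core\Database\Connection;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

/*
 * 1. SQL injection: string interpolation vs. bound placeholders.
 */
function mymodule_find_user_unsafe(Connection $db, string $name): array {
  // DON'T: $name = "x' OR '1'='1" makes the WHERE clause always true.
  return $db->query("SELECT uid, name FROM {users_field_data} WHERE name = '$name'")
    ->fetchAllAssoc('uid');
}

function mymodule_find_user_safe(Connection $db, string $name): array {
  // DO: the value is sent as a bound parameter, so it is data, never SQL.
  return $db->query('SELECT uid, name FROM {users_field_data} WHERE name = :name', [':name' => $name])
    ->fetchAllAssoc('uid');
}

/*
 * 2. XSS: rendering text that a visitor typed.
 */
function mymodule_render_comment(string $body): array {
  return [
    // DON'T: ['#markup' => $body]. #markup only runs Xss::filterAdmin(), which
    // still permits tags meant for trusted administrators, so it is not an escape.
    // DO: #plain_text escapes everything (<script> becomes &lt;script&gt;).
    'title' => ['#plain_text' => $body],
    // DO: Xss::filter() keeps a short allowlist (<a>, <em>, <strong>, <code>,
    // list tags) and strips <script>, event-handler attributes and javascript: URLs.
    'body'  => ['#markup' => Xss::filter($body)],
  ];
}

/*
 * 3. CSRF: a state-changing endpoint must prove the request originated from a
 *    page Drupal rendered for this user. Form API adds and checks the token on
 *    every form automatically. A custom controller must check it itself, as
 *    below, or declare `_csrf_token: 'TRUE'` under `requirements:` in
 *    mymodule.routing.yml and let CsrfAccessCheck validate the `token` query
 *    parameter Drupal appends when it generates a link to that route.
 */
function mymodule_unpublish_link(int $nid): string {
  // The token is bound to the session and to this value, so a token minted
  // for another page or another user does not validate here.
  $token = \Drupal::csrfToken()->get('mymodule-unpublish-' . $nid);
  return "/mymodule/unpublish/$nid?token=" . rawurlencode($token);
}

function mymodule_unpublish(Request $request, int $nid): Response {
  $token = (string) $request->query->get('token', '');
  if (!\Drupal::csrfToken()->validate($token, 'mymodule-unpublish-' . $nid)) {
    return new Response('Invalid or missing CSRF token', 403);
  }
  // Only now load node $nid, check the user's permission, and unpublish it.
  return new Response('Unpublished', 200);
}
```

The pattern in all three cases is the same: the API does the escaping or binding for you, so a review should look for places where code bypasses it, such as string-built SQL, raw `#markup`, `|raw` in Twig, or a route that changes state without a form or a token check.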

One of the benefits of an open-source CMS like Drupal is the ability to customize and extend its functionality through third-party plugins and themes. However, these elements can introduce security risks if they’re not created properly.

That’s one reason why, in addition to the thousands of developers who can review code independently, there’s a dedicated Drupal Security Team. This group of volunteers receives private vulnerability reports for Drupal core and for contributed modules and themes that opt into the security advisory policy, coordinates fixes with maintainers, and publishes advisories once a fix is released. Coverage is not an audit or a seal of approval: it means the team will handle reports and issue advisories for that project. Projects that are not covered are flagged as such on drupal.org, and a module with no coverage, no recent releases, or an unfixed advisory deserves your own review before it goes into production.

If you want to pay for added protection, Drupal Steward is a web application firewall service run by the Drupal Association that pushes out rules for certain Drupal core vulnerabilities when the corresponding security release is announced, buying time if you can’t apply the patch right away. It covers a subset of core advisories rather than contributed modules, and it is a stopgap, not a substitute for updating.

Other Factors That Contribute To (Or Detract From) Website Security

As the previous sections illustrate, open-source CMSs like Drupal are closely scrutinized. And Drupal is committed to the principle of continuous (and rigorous) improvement. As a result, you can be quite confident in the level of security an open-source CMS like Drupal offers. 

But several additional factors also play a role in strengthening or undermining your website’s ultimate security. It’s important to consider each of the following areas carefully. 

Where Your Site is Hosted

Your website is only as secure as the provider on which it’s hosted. And whether you host it yourself or invest in a managed hosting option, you’ll need to closely examine the specifications, processes, and protocols the host uses to keep your website safe. 

In this context, security is about more than keeping your data confidential. It also covers integrity (data isn’t silently altered) and availability (the site stays up and the right people can reach information when they need it). Therefore, you’ll want to look into your hosting provider’s ability to guarantee specific levels of uptime, how it patches the operating system, web server, PHP and database underneath Drupal, and how quickly it responds when problems do arise.

It’s worth noting that proprietary CMSs are often hosted by the company creating the product rather than by a third party. If you choose a proprietary solution, you may not have a say in how and where your CMS is hosted. So make sure to ask specific questions about the security measures the provider offers. 

The Roles and Permissions You Grant Your Users

One of the most effective ways to protect your data is to maintain strict control of who is able to access various types of data, content, and functionalities. By granting access based on specific permissions that ladder up to particular roles, you can reduce the risk that users will engage in unauthorized activities (either on purpose or by accident).

This is the principle of least privilege, and it’s a critical component of many cybersecurity frameworks, including NIST.

For example, you might grant some content editors access to a handful of pages that pertain directly to their roles. Content editors within the marketing department might have access to update any type of web content at any time. And a select few administrators might be able to change anything and everything on the website — from navigation to design to formatting.

Using roles and permissions wisely is essential to creating a secure web environment. In Drupal, permissions are granted to roles and roles to users, so audit your roles regularly, grant each one only the permissions its job requires, and keep the administrator role (which bypasses every permission check) to as few accounts as possible.
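As an added example, not code from this page or from Drupal core, here is how the marketing-editor rule above is enforced in module code rather than left to convention. The `mymodule` name, the `landing_page` content type, the `marketing_editor` role and the custom permission name are assumptions; the hook and the access-result API are Drupal’s own.

```php
<?php
// Added example, not code from the page or from Drupal core. "mymodule",
// the "landing_page" content type, the "marketing_editor" role and the
// custom permission name are assumptions for illustration.

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;

/*
 * Permissions are declared once and granted to roles (in the UI or in config),
 * never to individual users. In mymodule.permissions.yml:
 *
 *   edit marketing landing pages:
 *     title: 'Edit marketing landing pages'
 *     description: 'Update landing_page nodes only; no other content type.'
 *
 * Grant it to a "marketing_editor" role. Leave "bypass node access" and
 * "administer nodes" to the administrator role alone.
 */

/**
 * Implements hook_node_access().
 *
 * Runs on every node access check, except for users holding "bypass node
 * access", who skip these hooks entirely. That is why that permission
 * belongs to no ordinary role.
 */
function mymodule_node_access(NodeInterface $node, $op, AccountInterface $account) {
  // Grant update on landing pages to whoever holds the marketing permission.
  // Anyone else, and any other content type, falls through (neutral) to
  // Drupal's default per-type node permissions.
  if ($op === 'update' && $node->bundle() === 'landing_page') {
    return AccessResult::allowedIfHasPermission($account, 'edit marketing landing pages')
      ->addCacheableDependency($node);
  }

  // Deleting is destructive: forbid it for anyone who is not a node
  // administrator, whatever other roles they hold. A single forbidden()
  // from any hook denies access even if another hook allows it.
  if ($op === 'delete' && !$account->hasPermission('administer nodes')) {
    return AccessResult::forbidden('Only node administrators may delete content.')
      ->cachePerPermissions();
  }

  return AccessResult::neutral();
}
```

The cache metadata on each result matters: `addCacheableDependency($node)` and `cachePerPermissions()` tell Drupal’s render and page caches which changes invalidate the decision, so a permission you revoke takes effect instead of a cached "allowed" lingering for another user with the same role.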

The Types of Spam Blockers and Filters You Use

Spam blockers and filters like Drupal’s contributed Honeypot module help identify and block spam comments, form submissions and registrations that may carry malicious links, malware, or phishing attempts. Honeypot adds a hidden form field that only bots fill in and rejects submissions completed faster than a person could type them, so most automated abuse never reaches your users or your moderators.

Your Organization’s Security Protocols

Another critical component of website security is how well your organization sets and enforces authentication practices. Have you rolled out two-factor authentication (Drupal’s contributed TFA module adds it)? Are your users choosing strong passwords that are screened against known-breached lists, rather than being forced to rotate them on a schedule, which NIST SP 800-63B no longer recommends? Are shared or stale accounts removed when people leave? And do you have stringent mobile security in place (e.g. requiring users to add a passcode to their phone)?

All of these tactics play a role in creating a holistic digital ecosystem focused on security.

An Open-Source CMS Is as Secure as You Make It

Drupal and other open-source CMSs are secure in and of themselves. And if you’re shopping for a CMS that takes security seriously, Drupal is a wise choice. 

But the truth is most breaches don’t happen because of a flaw in the CMS itself. They occur because a known flaw went unpatched, an account had more access than it needed, or a process was lax. And that means you need to look at your digital experience holistically to create an environment that’s truly safe and secure.

A good web development partner like ImageX knows how to build a site that’s secure from the ground up. But more than that, we can help you think through all the additional factors that will either strengthen or weaken your digital security ecosystem. Let’s talk
