AI QA Monkey
AI Security Intelligence
Enterprise-grade recon engine

Free Drupal Security Scanner

Detect Drupalgeddon vulnerabilities, outdated modules, admin exposure, and configuration issues in 60 seconds. No signup required.


Our AI-powered scanner detects Drupal-specific vulnerabilities including Drupalgeddon, module flaws, and misconfigurations.


Drupalgeddon Detection

Checks for SA-CORE-2014-005, CVE-2018-7600 (Drupalgeddon2), and CVE-2018-7602 (Drupalgeddon3) — critical SQL injection and remote code execution vulnerabilities that affected millions of Drupal sites.

Module Vulnerability Scan

Identifies outdated and vulnerable contributed modules. Checks for known CVEs in popular modules like Views, Webform, Paragraphs, and Token.

Access Control Audit

Checks for exposed /admin, /user/login, /user/register paths. Verifies that user registration is properly restricted and admin paths are protected.

Configuration Security

Verifies settings.php protection, file upload directory permissions, PHP execution restrictions, and Drupal-specific security settings.

Security Headers & SSL

Validates CSP, HSTS, X-Frame-Options, and other headers. Checks SSL/TLS configuration, certificate validity, and mixed content issues.

Email & DNS Security

Validates SPF, DKIM, and DMARC records. Critical for Drupal sites sending user notifications, password resets, and form submissions.

Common Drupal Vulnerabilities

Drupal powers approximately 1.3% of all websites, including many government, enterprise, and university sites. Its security track record is strong, but critical vulnerabilities have had massive impact:

1. Drupalgeddon Series

The most infamous Drupal vulnerabilities:

2. Exposed Configuration Files

Drupal's settings.php contains database credentials. If web server misconfiguration allows direct access, attackers gain full database access.

# Protect settings.php in .htaccess (Apache 2.4 syntax)
<Files "settings.php">
  Require all denied
</Files>

# Set correct permissions (run from the Drupal docroot)
chmod 444 sites/default/settings.php
chmod 555 sites/default

3. User Registration Abuse

Default Drupal installations may allow user registration. Attackers create accounts to exploit authenticated-only vulnerabilities or spam the site.

4. Contributed Module Vulnerabilities

While Drupal core is well-audited, contributed modules vary in quality. Always check the Drupal Security Advisories page and subscribe to email alerts.

Drupal Hardening Checklist

  1. Update Drupal core to the latest security release
  2. Update all contributed modules and themes
  3. Remove unused modules and themes completely
  4. Set settings.php to read-only (chmod 444)
  5. Disable PHP execution in sites/default/files
  6. Restrict user registration (admin approval or disabled)
  7. Enable two-factor authentication for admin accounts
  8. Configure security headers via .htaccess or web server
  9. Set up SPF, DKIM, and DMARC for email security
  10. Use the Security Review module for ongoing auditing
  11. Implement a Web Application Firewall (WAF)
  12. Schedule regular backups and security scans
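The following script, added here as an example and not part of the scanner or of Drupal itself, audits a docroot for the file-level items in the checklist above and in the "Exposed Configuration Files" section: settings.php read-only, sites/default not writable, and PHP execution disabled in sites/default/files. It assumes the standard Drupal directory layout and an Apache server that honours .htaccess; the docroot path is supplied by the caller.

```shell
#!/bin/sh
# Added example, not the scanner's own code: audit a Drupal docroot for the
# file-level items above (settings.php 444, sites/default 555, PHP execution
# disabled in sites/default/files). Assumes the standard Drupal layout and an
# Apache server that honours .htaccess. Returns the number of failed checks.

# Octal permission bits of a path: GNU stat first, BSD stat as fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

drupal_perm_audit() {
  docroot="$1"
  fails=0
  settings="$docroot/sites/default/settings.php"
  files_dir="$docroot/sites/default/files"

  # 1. settings.php holds the database credentials; it must not be writable.
  if [ ! -f "$settings" ]; then
    echo "FAIL: $settings not found"; fails=$((fails + 1))
  elif [ "$(file_mode "$settings")" != "444" ]; then
    echo "FAIL: settings.php mode $(file_mode "$settings"), expected 444"; fails=$((fails + 1))
  else
    echo "OK:   settings.php is read-only (444)"
  fi

  # 2. A writable sites/default lets a compromised web process replace settings.php.
  if [ "$(file_mode "$docroot/sites/default")" != "555" ]; then
    echo "FAIL: sites/default mode $(file_mode "$docroot/sites/default"), expected 555"; fails=$((fails + 1))
  else
    echo "OK:   sites/default is not writable (555)"
  fi

  # 3. Uploads must never execute as PHP. Drupal ships files/.htaccess with a
  #    catch-all SetHandler and "php_flag engine off"; accept either directive.
  if grep -Eqs 'php_flag[[:space:]]+engine[[:space:]]+off|^[[:space:]]*SetHandler' "$files_dir/.htaccess"; then
    echo "OK:   PHP execution disabled in sites/default/files"
  else
    echo "FAIL: $files_dir/.htaccess missing or does not disable PHP execution"; fails=$((fails + 1))
  fi

  return "$fails"
}

# Run directly as: sh drupal_perm_audit.sh /var/www/drupal
if [ -n "$1" ]; then drupal_perm_audit "$1"; fi
```

The exit status equals the number of failed checks, so the script can run from cron and alert on any non-zero result.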


Frequently Asked Questions

What is Drupalgeddon and is my site affected?

Drupalgeddon refers to critical Drupal vulnerabilities from 2014 and 2018 (SQL injection and remote code execution). If your Drupal site hasn't been updated since before April 2018, it is almost certainly compromised. Update immediately.

Is Drupal more secure than WordPress?

Drupal has a dedicated security team and strong core security with granular access controls and built-in input sanitization. However, it still requires proper maintenance, updates, and configuration to remain secure.

How do I secure my Drupal site?

Keep core and modules updated, restrict /admin access, enable 2FA, set correct file permissions (444 for settings.php), configure security headers, disable PHP in upload directories, and run regular security scans.
