5 Tips to Manage Security in the Wake of Drupalgeddon

Whether it drizzles or pours, it’s good to be carrying an umbrella.

Back in 2014, Drupalgeddon rained cats and dogs.

Drupal released a critical security update on October 15, 2014 with express directions to address the vulnerability within seven hours of the release. Unfortunately, a large number of system administrators didn’t grab their umbrellas, and—to stretch this metaphor to its limit—they got soaked. It was a wake-up call, to say the least.

So four years later, when Drupal released a similarly critical security update that many people called Drupalgeddon 2.0, the admin community was prepared. At Sandstorm®, we started planning right after the announcement, and when the update was released, we secured more than 30 sites in a single afternoon.

But we’ve always understood the importance of taking security updates seriously, whether it’s 2014 or 2018, because staying on top of these updates is just one easy way to keep your systems safe. And as recent hacks and data breaches like those at Saks and Lord & Taylor continue to show, your safety is under constant attack.

So what else can you do to keep your site as safe as possible?

1. Move your site to HTTPS

More than half of internet traffic is now encrypted, which is great news. Having your site use HTTPS (SSL/TLS) helps protect against session hijacking attacks, because all traffic between your server and the client is encrypted in transit.

This is such a boon to security that Google has been talking about penalizing sites that don’t use HTTPS. Most notably, starting in July 2018, the Google Chrome browser will mark sites without HTTPS as insecure. Just one more reason to get a move on.
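HTTPS only protects a session if nothing about it still travels over plain HTTP. The Python script below is an added example (not Sandstorm’s or Drupal’s code) that audits response headers for the three gaps that undo that protection: pages still served over HTTP, a missing HSTS header, and session cookies without the Secure attribute. The host name, cookie name and sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

def cookie_attrs(set_cookie):
    """Split a Set-Cookie value into (cookie name, lower-cased attribute names)."""
    first, *rest = [part.strip() for part in set_cookie.split(";")]
    name = first.split("=", 1)[0]
    return name, {part.split("=", 1)[0].strip().lower() for part in rest if part}

def audit(responses):
    """Return findings for a list of {"url", "status", "headers"} records."""
    findings = []
    for resp in responses:
        url = resp["url"]
        headers = [(k.lower(), v) for k, v in resp["headers"]]
        if urlsplit(url).scheme == "http":
            # Plain HTTP should only ever answer with a redirect to HTTPS.
            target = next((v for k, v in headers if k == "location"), "")
            redirected = resp["status"] in (301, 302, 307, 308)
            if not (redirected and target.lower().startswith("https://")):
                findings.append(f"{url}: content served over plain HTTP")
        elif not any(k == "strict-transport-security" for k, _ in headers):
            # Without HSTS a browser may still try http:// first.
            findings.append(f"{url}: no Strict-Transport-Security header")
        for k, v in headers:
            if k == "set-cookie":
                name, attrs = cookie_attrs(v)
                if "secure" not in attrs:
                    # Browsers also send this cookie on unencrypted requests.
                    findings.append(f"{url}: cookie {name} lacks Secure")
    return findings

# Constructed sample responses (not captured from a real site).
WEAK = [
    {"url": "http://shop.example.test/", "status": 200,
     "headers": [("Set-Cookie", "SESSdemo=abc123; Path=/; HttpOnly")]},
    {"url": "https://shop.example.test/user/login", "status": 200,
     "headers": [("Set-Cookie", "SESSdemo=abc123; Path=/; HttpOnly")]},
]
HARDENED = [
    {"url": "http://shop.example.test/", "status": 301,
     "headers": [("Location", "https://shop.example.test/")]},
    {"url": "https://shop.example.test/user/login", "status": 200,
     "headers": [("Strict-Transport-Security", "max-age=31536000"),
                 ("Set-Cookie", "SESSdemo=abc123; Path=/; Secure; HttpOnly")]},
]

if __name__ == "__main__":
    for finding in audit(WEAK):
        print(finding)
```

The weak sample produces four findings and the hardened one produces none; to use it on your own site, feed it the status code and headers recorded for both the `http://` and `https://` versions of a page.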

2. Take charge of your passwords and access

A major line of defense for any infrastructure is good management of credentials. As individuals and institutions, we now have a number of tools at our disposal, such as password managers, policies, etc.

But what is often forgotten is a consistent, comprehensive review of who has access to your systems. As a result, former employees still have access to sites and accounts, creating vulnerabilities that are just waiting to be exploited.

3. Keep your server and applications up to date

When security updates are released, they address vulnerabilities that are now publicly known. It’s imperative to apply the updates immediately, or risk leaving a door open for malicious activity.

Ensure that your server is applying updates on a regular basis and that your web applications are updating any relevant frameworks or libraries. An ounce of prevention is much more cost efficient than trying to recover from a compromised server or application.

4. Ensure you have frequent backups

If something ever does happen, you want to be able to roll back to a safe state. That’s why it’s so critical to make sure your servers and your application have automated backups.

Most hosts offer backup services for a small additional fee, and you’ll want to ensure that these are configured and working.

5. Proactive threat management

Be proactive. Start a conversation with your host provider about threat management, and ask about automated systems that look for irregular traffic. Ask your web vendor about how code is managed on the server, and spend the time to find a solution that’s right for your organization.

Still not sure how you can stay protected? Sandstorm can help! Feel free to drop us a line, so we can help ensure your site is secure.

Sean Fuller
Author
