tl;dr Keep your site modules up-to-date.
Drupal is famous for its security and it also does not miss a chance to boast about it. However, security does not come automatically: steps need to be taken to ensure it. One of the most important of these steps is keeping site modules and core updated. Failing to do so can lead to incidents like the recent Panama Papers leak, where an outdated WordPress and Drupal site might have played a role.
So what does Drupal do for you to make security easier?
The Drupal Security Team was set up in 2005. It has around 40 security experts from all around the globe who communicate through private channels.
When a security issue is discovered in Drupal (whether in a contributed module, a theme or core itself), an issue is created in the security issue tracker. The issue is visible only to a small group of people (usually the security team, the maintainer of the affected module and the reporter of the issue) to prevent the vulnerability from being exploited before a fix is created. When a fix is ready, the security team issues a public Security Advisory that contains information on the affected module, the security risk level and the solution for the issue (which is usually updating the module).
Security issues are reported to the security team almost daily, but some of these are not valid. For example, only modules with a stable release (i.e. not dev/alpha/beta/rc) are considered by the Security Team. Still, 2015 saw 160 security advisories. The most frequent issues are related to XSS.
Security updates are released on Wednesdays. For core that's usually the third Wednesday of the month; for contrib it can be any Wednesday. This does not mean that a security release appears every Wednesday, only that site administrators should look out for them then.
Drupal 8 brings several security improvements. One of them is Twig autoescaping, which drastically decreases the chances of a piece of code having an XSS vulnerability. Another source of insecurity, the PHP filter module, has been removed from core. Also, the routing system now supports protection against CSRF attacks by adding tokens to URLs.
After learning what Drupal does for security, it's time to see what site administrators should make sure of. Keeping the following three things in mind, you as a site admin should be fine in 95% of cases. (These are only the Drupal-specific aspects; we won't go into general security principles.)
- To make sure your site is up to date, follow at least one of the security news channels: there are RSS feeds, a Twitter account and also a newsletter. Update your site as soon as a security update is released.
- There are several modules that improve security or help find security issues. A few of these are Security Review, Paranoia and Two-factor Authentication.
- A Drupal-specific hosting provider can also have its benefits. For example, in the case of the infamous 2014 Drupalgeddon security advisory, Pantheon and Acquia Cloud sites were protected against attacks without any action by the site administrator.
If you have not done so yet, go and check your module update status page right now.
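The update status page does this check for you; as an added example (not code from the original post or from the Drupal project), here is the same check scripted: it parses a release-history feed in the shape updates.drupal.org serves, skips pre-releases (which, as noted above, get no advisories) and reports the stable security releases newer than the installed version. The feed sample and the module name below are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an updates.drupal.org release-history
# feed for a hypothetical contrib module; versions and tags are made up.
SAMPLE_FEED = """<project>
  <short_name>example_module</short_name>
  <releases>
    <release><version>8.x-1.4</version><status>published</status>
      <terms><term><name>Release type</name><value>Security update</value></term></terms></release>
    <release><version>8.x-1.3</version><status>published</status>
      <terms><term><name>Release type</name><value>Bug fixes</value></term></terms></release>
    <release><version>8.x-2.0-beta1</version><status>published</status>
      <terms><term><name>Release type</name><value>Security update</value></term></terms></release>
  </releases>
</project>"""

def parse_version(version):
    """Turn '8.x-1.3', '8.1.0' or '8.x-2.0-beta1' into (branch, numbers, stable).

    alpha/beta/rc/dev releases are flagged as not stable: the Security Team
    only issues advisories for stable releases, so they are left out below.
    """
    m = re.match(r"^(?:(\d+)\.x-)?(\d+(?:\.\d+)*)(?:\.x)?(?:-([a-z]+\d*))?$", version)
    if not m:
        raise ValueError("unrecognised version: %s" % version)
    branch, numbers, suffix = m.groups()
    return (int(branch) if branch else 0,
            tuple(int(n) for n in numbers.split(".")),
            suffix is None)

def pending_security_updates(feed_xml, installed):
    """Return published, stable releases on the installed branch that are
    newer than `installed` and tagged 'Security update', newest first."""
    root = ET.fromstring(feed_xml)
    cur_branch, cur_nums, _ = parse_version(installed)
    found = []
    for rel in root.iter("release"):
        if rel.findtext("status") != "published":
            continue  # unpublished releases are not offered to sites
        version = rel.findtext("version")
        branch, nums, stable = parse_version(version)
        is_security = any(
            t.findtext("name") == "Release type" and t.findtext("value") == "Security update"
            for t in rel.iter("term"))
        if is_security and stable and branch == cur_branch and nums > cur_nums:
            found.append(version)
    return sorted(found, key=lambda v: parse_version(v)[1], reverse=True)
```

Running `pending_security_updates(SAMPLE_FEED, "8.x-1.3")` on the sample flags only 8.x-1.4; the 2.0 beta is ignored even though it carries the security tag.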
This blog post is heavily based on the Lullabot podcast on Drupal Security.
For further links, we recommend the Barcelona presentation by scor and klausi.