Security

The Drupal Security Team has rescheduled the upcoming core security release window to November 12, 2025, to avoid overlap with DrupalCon events. No critical vulnerabilities are involved, and no release is guaranteed. ...more

A DrupalSouth article explores the perception of open source as risky and shows how Drupal’s security practices challenge that view. With a global team, predictable advisories, and secure defaults, Drupal proves that open source can be both transparent and resilient. ...more

Container security in production demands more than convenience – it demands vigilance. From image vulnerability scanning and strict Kubernetes policies to real‑time runtime monitoring, this post outlines the essentials tools and practices every team should adopt to protect their infrastructure. Ignore them at your peril. ...more

The InfoSec Tribune breaks down Drupalgeddon 2, a critical RCE vulnerability in Drupal 7 and 8. Learn how one insecure function led to global exploitation, millions in damages, and enduring lessons for web security. ...more

A recent supply chain attack on NPM packages exploited maintainer accounts to publish trojan-injected updates. The Drupal Security Team reports that Drupal itself is unaffected but advises site owners to audit third-party dependencies. ...more

Ensure PCI DSS v4.0 compliance on your Drupal Commerce site using a Content Security Policy (CSP). Learn how CSP headers and the Security Kit module help protect payment pages from client-side threats like XSS and unauthorised scripts. ...more

Lullabot’s David Burns reveals how a state government platform transformed its Drupal maintenance with automation. Using Renovate and continuous updates, the team slashed module update work, reduced patch debt by 68%, improved security, and freed developers to focus on high-value projects — setting a new standard for efficient Drupal site management. ...more

Alex Lyzo shares a hands-on guide to securing Drupal sites—from update routines to login protection and role audits. Learn which modules to use, what mistakes to avoid, and how to layer your defenses effectively. ...more

Is your enterprise website ready for 2025’s compliance standards? From HIPAA-mandated safeguards to ISO 27001 certification, meeting modern data security expectations isn’t optional—it’s a business requirement. This guide breaks down exactly what your site needs to stay secure, avoid penalties, and win trust in a privacy-first world. ...more

INE examines the CVE-2018-7600 Drupalgeddon2 remote code execution vulnerability and its enduring effects on web application security. The article details the Form API sanitization patch, security updates for Drupal 7.58 and 8.5.1, and underscores the ongoing need for timely patch management and secure coding practices. ...more

Modern bots bypass Drupal’s traditional defences, inflating costs and degrading performance. Promet Source explains how Cloudflare WAF, properly deployed, offers scalable protection for public sector Drupal sites. ...more

Jess (xjm) details the handling of “Anemone,” a Drupal core XSS vulnerability fixed in SA-CORE-2025-004. Learn how the Security Team balanced ecosystem impact, sanitized APIs, and coordinated with contrib maintainers. ...more