by Elliot Christenson on January 10, 2017 - 6:51pm

At myDropWizard, in our quest to make our clients' jobs easier, we provide security and maintenance services for Drupal websites. We support the "just over a year old" Drupal 8, the web cornerstone Drupal 7, and even a ton of Drupal 6 websites. To determine our clients' needs, we perform a site audit!

I thought it would be a good idea to take a look back at some of our site audits. We run a gamut of automated and manual reviews of our clients' site files and databases. Given such a diverse array of clients, I was surprised to see only a few trends.

Which is actually very good for Drupal!

Most Are Actually Up To Date!

Approximately half of our clients are on the latest or the second most recently released version of Drupal core and contrib modules. If you haven't already, and you are still using Drupal 6, you should install the myDropWizard module to help you find needed security updates!

Thinking this through a bit, in some cases it may be similar to people who hire house cleaners but then go on a cleaning frenzy before they arrive. Maybe they feel like they will be judged? That is never the case; we really just want to help make sure things run smoothly regardless of the initial state of things.

While that means quite a few sites are not up to date, this diligence in updating should help make Drupal less of a target. The bad "black hat" hackers and "script kiddies" have plenty of lower-hanging fruit to attack. Great drop, Drupalers!

PHP in Database (i.e. in nodes)

Things have changed over the past decade online. While it was never a good idea, it was extremely commonplace to have PHP code stored in the database. It was common to have unsanitized input all over the place. I think we've all learned from those mistakes. While we've actually come across very few egregious examples of exploitable code live on sites we audit, there have been a few sites where non-admin users have the capability to store PHP code in nodes.

I really can't think of a good reason why that would be a good idea.
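One audit check along these lines, as an added example that is not the post's or myDropWizard's own tooling: it scans rows shaped like Drupal 7's field_data_body and role_permission tables (sample rows constructed here; the `php_code` format name is the one the Drupal 7 PHP filter module creates, and the administrator role id 3 is an assumption) for bodies stored in the PHP format or carrying a raw PHP open tag, and for non-admin roles allowed to use that format.

```python
import re

# Constructed sample rows in the shape of Drupal 7's field_data_body table
# (entity_id, body_value, body_format). Not data from any audited site.
SAMPLE_BODY_ROWS = [
    {"entity_id": 1, "body_value": "<p>Welcome to our site.</p>", "body_format": "filtered_html"},
    {"entity_id": 2, "body_value": "<?php print date('Y'); ?>", "body_format": "php_code"},
    {"entity_id": 3, "body_value": "<p>Contact <?php print $user->mail; ?></p>", "body_format": "full_html"},
    {"entity_id": 4, "body_value": "<p>Use &lt;?php ?&gt; tags in your code.</p>", "body_format": "filtered_html"},
]

# Constructed sample rows in the shape of Drupal 7's role_permission table.
# Role ids follow the standard profile: 1 anonymous, 2 authenticated, 3 administrator.
SAMPLE_ROLE_PERMISSIONS = [
    {"rid": 3, "permission": "administer site configuration"},
    {"rid": 4, "permission": "use text format php_code"},
    {"rid": 2, "permission": "use text format filtered_html"},
]

PHP_FORMAT = "php_code"  # machine name created by the Drupal 7 PHP filter module
# Raw PHP open tags ("<?php" or "<?="); entity-encoded "&lt;?php" deliberately does not match.
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
ADMIN_RID = 3  # assumption: administrator role id in a standard-profile install


def find_php_in_bodies(rows):
    """Return (entity_id, reasons) for bodies in the PHP format or containing a raw PHP tag."""
    flagged = []
    for row in rows:
        reasons = []
        if row["body_format"] == PHP_FORMAT:
            reasons.append("php_code format")
        if PHP_TAG.search(row["body_value"]):
            reasons.append("raw <?php tag")
        if reasons:
            flagged.append((row["entity_id"], reasons))
    return flagged


def roles_with_php_format(perms, admin_rid=ADMIN_RID):
    """Return non-admin role ids granted 'use text format php_code'."""
    wanted = f"use text format {PHP_FORMAT}"
    return sorted(p["rid"] for p in perms if p["permission"] == wanted and p["rid"] != admin_rid)


if __name__ == "__main__":
    for entity_id, reasons in find_php_in_bodies(SAMPLE_BODY_ROWS):
        print(f"node {entity_id}: {', '.join(reasons)}")
    print("non-admin roles with PHP format:", roles_with_php_format(SAMPLE_ROLE_PERMISSIONS))
```

Against a real site, feed the functions rows pulled from the database (for example via a drush sql-query export) instead of the constructed samples; a body with a raw tag in a non-PHP format will not execute, but it is still leftover code worth reviewing.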

Complex Themes

There are other issues that are riskier, but one thing that has surprised me a bit is the number of themes installed. I would expect one custom theme plus a base theme. There are frequently more than that. While not a security risk in itself, any time there is extra "unused" PHP code floating around a website, it makes me nervous.

Additionally, the page template overrides sometimes number in the dozens. Some of that is a stylistic difference, but I always considered themes to be the job of a designer, making any PHP in a theme a rarity. Designers would largely - in my naive view - use CSS and the Drupal web interface.

Modules, Modules, and More Modules

It is routine to have a hundred modules on many of the sites we evaluate. It's not unheard of to have TWO hundred. That in itself is not necessarily a security risk. However, for a typical Drupal site maintainer, just keeping up on updates and issues would seem daunting.

On top of that, there is of course the ability to create custom modules that makes Drupal reign supreme in flexibility. What surprises me is the number of custom modules at times.

None of that is a security hazard. However, it is a maintenance nightmare.

What was really surprising on the module front is the combination of custom code PLUS modified "contrib" modules PLUS an abnormally large number of contrib modules.

Some of our clients do have very complex needs.

Fuzzy Math

My main takeaway is that many sites are unnecessarily complex rather than unmaintained or suffering overt security issues. Some of that is simply from there being "more than one way to do it", and some is no doubt a "limited time, limited budget" issue. I understand, but I've been surprised at the level and frequency.

In a future post, I think I'll produce more hard facts and statistics about these sites. It was difficult to abstract those findings into meaningful trends while maintaining client privacy.
