There are two primary elements to maintaining a secure Drupal installation: ensuring that your application-specific configuration and code are appropriate and follow best practices, and keeping Drupal core and any modules or themes you've downloaded from up to date.

Incorrect use of core APIs and individual site misconfiguration are the cause of most vulnerabilities and weaknesses. Understanding possible attack vectors, keeping up to date with current best practices, and taking the time to evaluate and understand your unique Drupal installation will go a long ways towards helping you maintain a secure site.

Example tasks

  • Understand how to assign roles and permissions in a secure way
  • Configure text formats with security in mind
  • Use core APIs to validate user input and perform other security best practices


The basic tenets of maintaining a secure site are pretty consistent. Keep track of updates, know how to use APIs properly, and how to write secure code. Most tutorials either provide a broad overview of the types of issues to be aware of, in which case they are likely to remain evergreen. Or they dive deep into a particular problem and related solution, in which case their helpfulness will depend on your use case. Regarding security in Drupal 8, while there are many improvements related to security in this release, it's still quite possible to make your Drupal site insecure, so it remains important to understand security best practices and stay up-to-date with Drupal security updates.

Drupalize.Me resources


More Guides

We have guides on many Drupal skills and topics.

Explore guides

External resources

We suggest you follow @drupalsecurity on Twitter and/or use one or more other methods to get notified of security updates to Drupal core and contributed code. Learn more about the available options:

Additional resources related to security:

  • Is Drupal Secure? (

    • Provides useful context and additional information for evaluating Drupal's security and being able to answer the question, "Is Drupal secure?"
  • Security in Drupal 8 (

    • Guide with some tips for writing secure code and common configuration gotchas.
  • Learn How to Keep Drupal 8 Safe and Secure (

    • This series of videos walks through security announcements, common configuration gotchas, and other Drupal-specific security concerns.
  • Sanitization functions (

    • A list of utility classes and functions provided by Drupal core to assist with writing secure code. Read through this list at least once to familiarize yourself with available options.
  • Cracking Drupal (

    • This presentation provides a great overview of security issues in Drupal and PHP applications in general. Covers common mistakes developers make and how to avoid them, as well as modules that can help improve a site's security.
  • Writing Secure Code (Drupal 7) (

    • This guide on Drupal 7 is geared toward PHP developers writing secure code in Drupal 7 applications.
  • How to write insecure Drupal 8 code (

    • Most Drupal security resources exist to help users write secure code - but how do we know what insecure code looks like? This presentation covers the most common types of Drupal security vulnerabilities with real-world examples of vulnerable code.