Site Building

Security for Drupal 8, 9, and 10

There are two primary elements to maintaining a secure Drupal installation: ensuring that your application-specific configuration and code are appropriate and follow best practices, and keeping Drupal core and any modules or themes you’ve downloaded from up-to-date.

Incorrect use of core APIs and individual site misconfiguration are the cause of most vulnerabilities and weaknesses. Understanding possible attack vectors, keeping up to date with current best practices, and taking the time to evaluate and understand your unique Drupal installation will go a long ways towards helping you maintain a secure site.

Example tasks

  • Understand how to assign roles and permissions in a secure way
  • Configure text formats with security in mind
  • Use core APIs to validate user input and perform other security best practices


The basic tenets of maintaining a secure site are pretty consistent. Keep track of updates, know how to use APIs properly, and how to write secure code. Most tutorials either provide a broad overview of the types of issues to be aware of, in which case they are likely to remain evergreen. Or they dive deep into a particular problem and related solution, in which case their helpfulness will depend on your use case. Regarding security in Drupal today, while there are many improvements related to security in this release, it's still quite possible to make your Drupal site insecure, so it remains important to understand security best practices and stay up-to-date with Drupal security updates.

Drupalize.Me resources

More information

Overview of security updates, how bugs are handled, and non-security updates.

More information

How to secure a site by staying informed about the latest security updates.

More information

The process for keeping Drupal core and contributed modules and themes up to date with the latest security and minor version releases.

Drupal 8, 9, and 10
More information

In Drupal’s core library there are a number of utility functions and classes that, as a module developer, you will find make your task easier or less tedious.

Drupal 8, 9, and 10
More information

Drupal's development has a regular release cycle consisting of major, minor, and patch releases. Drupal releases use semantic versioning for its version numbers. Since we're committed to making sure our tutorials are kept up-to-date with the latest and greatest version of Drupal we figured it would be a good idea if you knew how to keep your Drupal site up-to-date with the latest "point" releases as well.

This tutorial will cover:

  • How to determine the type of update
  • The standard update procedure
  • Update Drupal using Drush
  • Update Drupal using Composer

This tutorial won't cover:

  • How to perform a major version Drupal upgrade, for example, from Drupal 6 or 7 to the latest version of Drupal. For that, see our guide, Learn to Migrate to Drupal.
More information

Text formats are an important security feature of Drupal, so it pays to understand them. A text format will “scan” your content and make HTML formatting changes to it before sending it to the browser for display.  In this lesson we'll see what formats and filters are, and how they relate to each other, walk through the filter workflow, as well as reviewing the default formats that come with Drupal core.

Additional resources

Using Drupal, 2nd edition

Drupalize.Me Guide: Using Drupal Book by O'Reilly Media

Drupal 7, 8, 9, and 10
More information

Coding standards provide a set of rules for how your code should be formatted, and best practice guidelines for naming conventions and the location of files.


Not sure where to start? Our guides provide useful learning tracks for all skill levels.

Navigate guides

External resources

  • Best practice for developers (

    • Overview of standards and best practices for developers, including those related to security.
  • Is Drupal Secure? (

    • Provides useful context and additional information for evaluating Drupal’s security and being able to answer the question, “Is Drupal secure?”
  • Security in Drupal (

    • Guide with some tips for writing secure code and common configuration gotchas for site builders and developers.
  • Writing Secure Code (

    • A documentation guide on writing secure code in Drupal.
    • Sanitizing on output to avoid Cross Site Scripting (XSS) attacks (
      • A list of utility classes and functions provided by Drupal core to assist with writing secure code. Read through this list at least once to familiarize yourself with available options.

We suggest you follow @drupalsecurity on Twitter and/or use one or more other methods to get notified of security updates to Drupal core and contributed code. Learn more about the available options:

Additional resources related to security:

  • Learn How to Keep Drupal 8 Safe and Secure (

    • This series of videos walks through security announcements, common configuration gotchas, and other Drupal-specific security concerns.
  • Cracking Drupal (

    • This presentation provides a great overview of security issues in Drupal and PHP applications in general. Covers common mistakes developers make and how to avoid them, as well as modules that can help improve a site’s security.
  • How to write insecure Drupal 8 code (

    • Most Drupal security resources exist to help users write secure code - but how do we know what insecure code looks like? This presentation covers the most common types of Drupal security vulnerabilities with real-world examples of vulnerable code.