Probably the strongest recommendation for Drupal security is the long list of top-level organizations in government, education and private enterprise that use the platform. These include the White House, many government websites in the USA and Canada, UNESCO, NBC News, Harvard and Oxford universities.
If it’s secure enough for them, it’s secure enough for any business.
Drupal is designed to provide robust security straight out of the box and meets Open Web Application Security Project (OWASP) standards to counter security risks. On top of that, you can add several powerful and advanced security features that place it way ahead of WordPress and Joomla when it comes to website security.
Drupal has built-in encryption capability for passwords stored in your database. The platform supports various password policies, including minimum length and character complexity.
Apart from using industry-standard authentication practices, Drupal enables the addition of modules for enhanced security by supporting SSL and 2-factor authentication. You can also integrate many single sign-on systems - like SAML, LDAP or OpenID - to provide login alternatives.
Drupal has features to protect you against brute force password attacks. It limits the number of login attempts and reports failed logins to your site administrator. Administrators have the facility to ban IP addresses from the system.
Site administrators have complete, granular control over user access with Drupal. They can assign who can view or modify every part of a site.
The versatility of the Drupal platform enables administrators to create an array of user roles and access permissions. Virtually any access control situation can be formulated to suit any aspect of your site or business.
Database encryption can be configured for any level of security desired. When your application demands a high level of security, the whole database can be encrypted.
At lower security levels, specific parts of the database can be encrypted to protect certain information like user accounts, selected forms or field values. Drupal encryption complies with the strictest PCI standards as well as HIPAA and state privacy laws.
Drupal has a dedicated Security Team in place, made up of scores of global experts who are tasked with responding to security issues and fixing them. Vulnerability alerts along with fixes and mitigation procedures are published to the Drupal community.
The Drupal Security Team is supported in its vigilance by the platform’s robust community of designers and developers. That community diligently reports any problems to the specialist team.
Of course, none of these security measures will be totally effective without providing some level of reporting. Drupal provides built-in reporting to notify you of security updates, vulnerabilities and recommendations.
If you’re serious about your business, you need to be serious about your website security. Drupal security is quite simply the best. Partner with global experts in Drupal security, design and development to evaluate your current level of site security and develop custom modules to suit your business needs and minimize your risk.
Creative Commons Attribution: Permission is granted to repost this article in its entirety with credit to Snowbot and a clickable link back to this page.