- SSL & Headers
- Open Port Scan
- .env/.git Leaks
- WP Username Spy
- Executive PDF
- Cost$29 per-domain scan
Free Drupal Security Scanner
Detect Drupalgeddon-class risks, vulnerable modules, exposed admin and settings files, and missing hardening — with copy-paste fixes written for Drupal. No signup, full audit in ~60 seconds.
Scan Your Drupal Site Now
Our AI-powered scanner detects Drupal-specific vulnerabilities including Drupalgeddon, module flaws, and misconfigurations.
Ready to scan.
The Kill Chain
Attacker's view of exposureExposed Assets
File Leaks
Compliance
Vulnerability Table
Severity badges highlight riskAttack Surface Map
Observed exposure pointsCompliance Mapping
OWASP + ISO alignmentEvidence Mode
HTTP signals capturedWhy Agencies Choose Us
- SSL & Headers
- Open Port Scan
- .env/.git Leaks
- WP Username Spy
- Executive PDF
- CostFree
- SSL & Headers
- Open Port Scan
- .env/.git Leaks
- WP Username Spy
- Executive PDF
- Cost$1,500+
Drupalgeddon Detection
Checks for SA-CORE-2014-005, CVE-2018-7600 (Drupalgeddon2), and CVE-2018-7602 (Drupalgeddon3) — critical RCE vulnerabilities that affected millions of Drupal sites.
Module Vulnerability Scan
Identifies outdated and vulnerable contributed modules. Checks for known CVEs in popular modules like Views, Webform, Paragraphs, and Token.
Access Control Audit
Checks for exposed /admin, /user/login, /user/register paths. Verifies that user registration is properly restricted and admin paths are protected.
Configuration Security
Verifies settings.php protection, file upload directory permissions, PHP execution restrictions, and Drupal-specific security settings.
Security Headers & SSL
Validates CSP, HSTS, X-Frame-Options, and other headers. Checks SSL/TLS configuration, certificate validity, and mixed content issues.
Email & DNS Security
Validates SPF, DKIM, and DMARC records. Critical for Drupal sites sending user notifications, password resets, and form submissions.
Common Drupal Vulnerabilities
Drupal powers approximately 1.3% of all websites, including many government, enterprise, and university sites. Its security track record is strong, but critical vulnerabilities have had massive impact:
1. Drupalgeddon Series
The most infamous Drupal vulnerabilities:
- Drupalgeddon (2014) — SQL injection in core. Automated attacks began within 7 hours of disclosure. Sites not patched within that window were likely compromised.
- Drupalgeddon2 (2018) — Remote code execution via AJAX API. Allowed complete server takeover without authentication.
- Drupalgeddon3 (2018) — Another RCE vulnerability discovered shortly after Drupalgeddon2.
2. Exposed Configuration Files
Drupal's settings.php contains database credentials. If web server misconfiguration allows direct access, attackers gain full database access.
# Protect settings.php in .htaccess
<Files "settings.php">
Require all denied
</Files>
# Set correct permissions
chmod 444 sites/default/settings.php
chmod 555 sites/default
3. User Registration Abuse
Default Drupal installations may allow user registration. Attackers create accounts to exploit authenticated-only vulnerabilities or spam the site.
4. Contributed Module Vulnerabilities
While Drupal core is well-audited, contributed modules vary in quality. Always check the Drupal Security Advisories page and subscribe to email alerts.
Drupal Hardening Checklist
- Update Drupal core to the latest security release
- Update all contributed modules and themes
- Remove unused modules and themes completely
- Set
settings.phpto read-only (chmod 444) - Disable PHP execution in
sites/default/files - Restrict user registration (admin approval or disabled)
- Enable two-factor authentication for admin accounts
- Configure security headers via
.htaccessor web server - Set up SPF, DKIM, and DMARC for email security
- Use the Security Review module for ongoing auditing
- Implement a Web Application Firewall (WAF)
- Schedule regular backups and security scans
Related guides:
Frequently Asked Questions
What is Drupalgeddon and is my site affected?
Drupalgeddon refers to critical Drupal vulnerabilities from 2014 and 2018 (SQL injection and remote code execution). If your Drupal site hasn't been updated since before April 2018, it is almost certainly compromised. Update immediately.
Is Drupal more secure than WordPress?
Drupal has a dedicated security team and strong core security with granular access controls and built-in input sanitization. However, it still requires proper maintenance, updates, and configuration to remain secure.
How do I secure my Drupal site?
Keep core and modules updated, restrict /admin access, enable 2FA, set correct file permissions (444 for settings.php), configure security headers, disable PHP in upload directories, and run regular security scans.
Related Security Guides
Website Security Checklist 2026
100+ high-impact security checks for any website.
Security Headers Checklist
CSP, HSTS, and cookie hardening — complete 2026 guide.
Fix Exposed .env Files
Prevent credential leaks from exposed environment files.
Pre-Launch Security Checklist
What to verify before going live with your Drupal site.
Attackers scan your site every day. Watch what they find — and how one report shuts them out.
A real site, a real scan: 27 hidden issues exposed in 60 seconds — exposed credentials, open database ports, spoofable email — then fixed the same day with the copy-paste code inside the $29 report, verified with free re-scans until the score climbs from 67 to 90, and sealed with a Verified Secure badge your visitors can see. The same recon a consultant bills $1,500+ for.