5 Steps to Surviving a Drupal Site Data Breach

By Elizabeth Clor

It happened—your Drupal site was hacked and your customers’ information has been compromised. This occurs more often than most companies would like to admit. It’s estimated that in 2018, more than 4.5 billion records were exposed as a result of data breaches. And, in one 2019 attack alone, hackers posted a collection of 2.7 billion identity records on the web, compromising 774 million email addresses and 21 million passwords in one fell swoop. 

While it’s hardly a comfort to know that your business is not alone in dealing with this type of data disaster, it may be helpful to learn that what’s left of your site security can be salvaged by following several key steps, which will also ensure your site’s safety moving forward.   

It’s a long road to making your Drupal site secure again. But these five steps will set you on the path to identifying what went wrong, and, with the help of a platform-as-a-service provider, preventing future breaches.

1. Make a Copy and Take the Site Offline, If Necessary

Because you never know what hackers will do once they’ve penetrated your security, it’s critical to make a copy of your site in case they plan to shut it down or otherwise destroy it. If possible, store the copy on a disk or drive that can’t be altered remotely, such as a USB or a CD. This copy will help you recover and rebuild your site once you’re ready, and will prevent you from needing to redesign the site or recreate existing content. (Note that hacked or not, you should make it a regular practice to make copies of your site—it’ll save you a headache in the long run.) 

Once you’ve completed the copy process, consider taking your site offline, especially if your initial observations suggest that hackers are using it to distribute malware, send spam, or as a pivot point for further attacks. Plus, by taking it offline, you’ll likely prevent further damage.

2. Assess the Damage

With the site offline, you can begin to take a more thorough look at the damage that has been done, and determine the logical next steps. If you are able to pinpoint the exact date that your site was compromised, you can simply revert to a backed up version of the site prior to that date and secure it. If you’re unable to do this, however, repairs will require careful scrutiny—you’ll need to find the exact areas that were compromised and restore them specifically. But, if the damage is more extensive than you can address in this manner, you may need to rebuild your site entirely. 

“There's something to be said for accepting that you may enter into a situation where you have to completely rebuild because depending on the compromise, it can be very insidious. Sometimes, hacking creates a persistent threat as soon as the compromise occurs because someone has created an account in your environment that they can use without having to hide themselves. And if that happens, no matter what you do to save your environment, that persistent hole is always going to be there,” explains Mark Ketteran, director of information security and compliance at Contegix. Note that rebuilding a site may not be as overwhelming as it sounds—you may still be able to reuse a great deal of your existing content and assets based on the copy you’ve made.  

3. Notify Relevant Parties

While you may feel you have a moral obligation to let your customers and community know when you’ve been hacked, in some cases, you have a legal obligation as well. If you’re in the healthcare industry and are required to be compliant with HIPAA, or run a government site that calls for strict adherence to FedRAMP, you must notify site users and stakeholders as soon as you become aware of a breach. 

4. Determine the Vulnerability

A vital part of preventing future attack is identifying what caused it in the first place. Consider how the site was compromised to get to the root of the attack—was your page content changed? Then it’s possible the hacker broke through to your content management system. Were spam emails sent? Was user information stolen and used maliciously? In that case, perhaps your CRM or marketing automation solution were used as the points of entry. All hackers typically need is one vulnerable system, from which they can then access your site. 

“Compromised credentials are pretty much at the root of all the big breaches that have occurred in the last number of years. It is very rare for a compromise to come through kind of the technical hacker aspect,” Ketteran says. 

But, technical attacks can happen. With a Drupal site, that typically means modifying the index.php or any code file on the site to introduce a virus, or using the php.module to change the behavior of a node or block. 

Still, stolen passwords are by far the main cause of hacks, so don’t be surprised if you determine this to be the cause of your breach. To prevent it in the future, use password managers to avoid repeating passwords. “The number of breaches that have occurred from people reusing the same password in multiple locations is just phenomenal,” Ketteran says.

5. Begin to Repair or Rebuild

Now comes the hard part—getting your site back up and running. Whether you’ve decided to repair it or have to rebuild it from scratch, invest in a platform-as-a-service solution, which can help establish security around a site or an application without ever actually touching it. How? The platform provider develops infrastructure environments customized to meet the most strict security needs and compliance frameworks, including FedRAMP, PCI, HIPAA or others, where you can then build your site or application before deploying it. 

“We have customers who will have us create a test environment for them, which is basically completely sealed off from the rest of the world. And they can go and they can break stuff to see how it works. And then once they fix everything to the way that they like it, then they can roll it out to production and have it be open to the world,” Ketteran explains. 

This approach to getting a site back to working order not only provides an environment where experimenting won’t actually break anything, but also ensures safety and security from potential attacks in the future. There’s no way to guarantee that another breach won’t happen, but with an added layer of protection from a platform service provider, your site will be substantially safer and less susceptible to future attacks. 

Click here to learn more about our Drupal Support offerings. 

New call-to-action