Drupal Myth #3: Drupal is Not Secure

It’s no news that Drupal has become an industry leader in web content management since its emergence in 2001. Still, there are many misconceptions and questions from our clients about what Drupal does and what it is (or isn’t) capable of. As a creative agency that specializes in Drupal development, we know that many of our clients’ concerns are simply myths.


Security is a real concern when thinking about what platform you’d want your website on. But don’t be misled by those who say that Drupal, and other open source options like it, aren’t as secure as closed source options. Case in point: did you know that one of the most secure sites in the United States, whitehouse.gov, is built on Drupal?

As we saw in a previous Drupal myth blog, Drupal has an extremely active community of developers. This community is committed to finding and fixing any existing and future security gaps in the system, making it just as secure as, if not more secure than, closed source options. In addition, Drupal has a dedicated security team that constantly tests the CMS for vulnerabilities.

To maintain a secure system, Drupal also releases regular updates to both its core system and all contributed modules. Site administrators are notified of new module releases, along with details of the updated code and any security concerns addressed. There are also many modules that function as another level of protection against security threats.

Since Drupal is open-source, in addition to the internal security team, anyone within the Drupal community can submit a patch to address a flaw or security concern in Drupal core or contributed modules. Any user-submitted code must go through code review, by module maintainers for contributed modules or by core maintainers for the core code. While not all patches are merged into the codebase, this does highlight the ongoing development of Drupal and how its community is dedicated to continuously improving the system.

WDG Drupal Security Example



GuitarGate is an online guitar training course that WDG built using Drupal. There were two parts to the interface that required special care from a security standpoint. First, the user’s experience is behind a secure login. This premium content needed to be secured from public users and inaccessible without logging in. Drupal made this easy with user permissions that require a certain level of user to access pages with secure content. Second, user account and profile information needed to be stored securely. This information contained sensitive contact details, such as email and physical address. Payment information was also collected via a secure form, though this information was sent to Recurly to simplify the payment experience. In this and many other ways, Drupal has the tools necessary to provide a secure experience as well as collect and store sensitive information securely.


  • Drupal is one of the most secure open-source systems.
  • Drupal has a dedicated security team to continuously focus on testing the system for any vulnerabilities.
  • Drupal regularly releases updates to both its core system and contributed modules.
  • Contributed modules must pass a code review by Drupal administrators.

As you learn about Drupal, you’ll realize that it’s not just software—Drupal is, in itself, an ongoing project with a very dedicated and contributing community. As with other open-source systems, security is, and will continue to be, a high priority.


That’s it for this series of Drupal myth-busting! We’ve gone over different myths in the last couple of weeks, and hopefully you now have a better grasp of Drupal’s outstanding capabilities. Interested in learning more about how we can leverage Drupal for your digital needs? Get in touch with us today or tweet your questions to us at @WDGTweet!
