Over the last 10 years, Real World has been involved in delivering a number of Drupal based website solutions to our clients. One of the reasons we love Drupal is they have an active security community which constantly monitors their software for potential vulnerabilities and has a process to manage and update these.
Yesterday, the Drupal Security Team have released an advisory (SA-CORE-2018-002) for a “remote code exploitation” vulnerability in all Drupal Versions from 6 through 8. The vulnerability is critical, and may allow an attacker to compromise the web site content of a website, inject Malware or other code into a running website or potentially compromise the web server. There is a patch available for Drupal 7 and 8, and a third party supported backport for Drupal 6.
We’re already working with several of our customers that require security updates. If your web environment runs using Drupal it is essential you contact your web developer to update your website. If your hosting solution includes shell access and a package such as “drush” you may be able to do this easily with the command “drush up”. Ensure you have a backup before you start in case any updates have an impact on your site functionality.
If you don’t use Drupal, it’s also still important to ensure your website is regularly updated to protect against security vulnerabilities that occur from time to time.
We also support and update a variety of sites using WordPress. We recommend to customers running WordPress on a platform other than wordpress.com run a tool such as Wordfence which provides both protection and support updates for a range of sites. Real World provides licenses, supports and manages Wordfence for many of our clients.
Third party solutions, including Cloudflare, that integrate Web Application Firewalls (WAFs) may also reduce the attack surface and protect applications from attacks such as this.
For more information, please feel free to contact us via our Helpdesk or for urgent help please contact us on 1300 798 718.