A fixed-price Drupal security audit across three layers: core and config, contrib modules, and user access. You get a ranked findings report, then we harden the high-risk items.
Most Drupal sites we audit aren’t hacked through some clever zero-day in core. They get in through a contrib module nobody updated for two years, an admin account with a weak password and no two-factor, or a permissions grid where the authenticated user role can do far more than anyone intended. The Drupal Security Team publishes advisories most Wednesdays, and the gap between an SA-CORE advisory landing and a site actually applying it is where a lot of breaches happen. We check all three layers, rank what we find by how likely it is to get you hacked, and then fix the high-risk items.
Drupal version against current SA-CORE advisories, settings.php exposure, trusted host patterns, file permissions, and whether update.php or the install directory is reachable.
Every contributed module checked against the Drupal advisory feed, abandoned modules flagged, and custom code read for hand-built SQL, missing access checks, and unescaped Twig.
The permission grid role by role, admin accounts without two-factor, stale users, and whether anonymous or authenticated users can reach something they shouldn't.
In our incident work, the account and contrib layers are where almost everything starts. Core itself is rarely the problem; an unpatched module from 2022 usually is. We weight the audit that way instead of spending the budget re-confirming that Drupal core is fine.
We run the same full scope on every Drupal audit. There's no cut-down basic scan that exists mainly to upsell you into the real one. Here's what we check on every engagement.
You get a findings report written so a project manager can read it and a developer can act on it. Each finding is ranked by how likely it is to be exploited and scored by what it would cost you if it were.
Every issue sorted by exploit likelihood and impact, in plain English, with the affected module or file named.
Each finding paired with the specific fix and a rough hours estimate, so you can split what to do in-house from what to hand back to us.
Which modules to update now, which to replace because they're abandoned, and which updates carry a breaking-change risk.
A snapshot of your current role and permission grid, with the specific grants we recommend pulling back.
On the audit-plus-harden tier we apply the high-risk fixes: module updates, permission changes, two-factor, and flood control.
A 45-minute call to go through the report, agree priorities, and answer your developers' questions directly.
Five business days from kickoff to a report, with hardening folded in on the second tier. We take a full backup before we touch anything.
You give us SFTP or SSH and an admin login. We take a full database and file backup before any change.
Same dayWe work through core, contrib and custom code, then accounts and permissions, logging every finding as we go.
Days 1-3We write the findings up, rank them, and build the fix list with effort estimates.
Day 4We walk you through the report. On the harden tier we apply the high-risk fixes and re-check them.
Day 5The audit-only tier is $390. That covers the full three-layer review, the ranked report, the fix list, and the walkthrough call. If you want us to apply the high-risk fixes rather than hand them to your team, the audit-and-harden tier is $690 and includes the module updates, permission changes, two-factor rollout, and a re-check of everything we changed.
If your Drupal site is already compromised, defaced, or throwing a white screen, an audit is the wrong first step. You need cleanup and a clean restore first, then the audit to stop it happening again. Our website restoration service handles the cleanup, and we’ll roll the audit in once the site is stable.
A Drupal audit is one part of our website security services, which run the same three-layer method across other platforms. If you manage more than one CMS, our WordPress security audit works the same way, and teams running their own boxes usually pair this with Linux server hardening so the layer underneath Drupal is locked down too. For how we handle updates and maintenance after the audit, see our Drupal support overview. If the audit turns up an active compromise, that becomes a restoration job first. We don’t sell a monthly security retainer you can’t escape; you pay for the audit, you get the report and the hardening, and you walk away with a site you can actually defend. Once the audit is clear, we can also connect Drupal to your CRM or ERP safely.
We'll triage the same day. Send context, screenshots, error messages — whatever you have. No sales calls, no chatbots.