Application Security · Drupal

Drupal security audit and hardening

A fixed-price Drupal security audit across three layers: core and config, contrib modules, and user access. You get a ranked findings report, then we harden the high-risk items.

From: $390 · Turnaround: 5 business days
Ranked by risk Not an alphabetical dump
Drupal 9, 10, 11 Core and contrib
Fixed price From $390, no retainer
Plain-English report Your team can act on it

Most Drupal sites we audit aren’t hacked through some clever zero-day in core. They get in through a contrib module nobody updated for two years, an admin account with a weak password and no two-factor, or a permissions grid where the authenticated user role can do far more than anyone intended. The Drupal Security Team publishes advisories most Wednesdays, and the gap between an SA-CORE advisory landing and a site actually applying it is where a lot of breaches happen. We check all three layers, rank what we find by how likely it is to get you hacked, and then fix the high-risk items.

Where breaches live

Three layers we check

Core and configuration

Drupal version against current SA-CORE advisories, settings.php exposure, trusted host patterns, file permissions, and whether update.php or the install directory is reachable.

Contrib and custom code

Every contributed module checked against the Drupal advisory feed, abandoned modules flagged, and custom code read for hand-built SQL, missing access checks, and unescaped Twig.

Accounts and access

The permission grid role by role, admin accounts without two-factor, stale users, and whether anonymous or authenticated users can reach something they shouldn't.

In our incident work, the account and contrib layers are where almost everything starts. Core itself is rarely the problem; an unpatched module from 2022 usually is. We weight the audit that way instead of spending the budget re-confirming that Drupal core is fine.

What the audit covers

Full scope, no tiered scans

We run the same full scope on every Drupal audit. There's no cut-down basic scan that exists mainly to upsell you into the real one. Here's what we check on every engagement.

Drupal core version checked against every open SA-CORE advisory, plus the patch level of PHP and the database
All contrib modules cross-referenced with the Drupal security advisory feed; abandoned and unsupported modules flagged
composer audit run against your lockfile to catch vulnerable PHP libraries sitting behind the modules
Custom module and theme code read for raw SQL, missing access checks, and unescaped output in Twig templates
User permission grid reviewed role by role, with a focus on what anonymous and authenticated users can reach
Admin and editor accounts checked for two-factor, password strength, and stale or shared logins
settings.php and services.yml reviewed for exposed credentials, debug flags, and trusted host settings
File permissions, public and private file handling, and reachability of update.php and the install directory
Login and form endpoints checked for flood control, and a working backup confirmed before we start
What you receive

A report your team can act on

You get a findings report written so a project manager can read it and a developer can act on it. Each finding is ranked by how likely it is to be exploited and scored by what it would cost you if it were.

01

Ranked findings report

Every issue sorted by exploit likelihood and impact, in plain English, with the affected module or file named.

02

Fix list with effort estimates

Each finding paired with the specific fix and a rough hours estimate, so you can split what to do in-house from what to hand back to us.

03

Contrib update plan

Which modules to update now, which to replace because they're abandoned, and which updates carry a breaking-change risk.

04

Permissions map

A snapshot of your current role and permission grid, with the specific grants we recommend pulling back.

05

Hardening on the tier-two scope

On the audit-plus-harden tier we apply the high-risk fixes: module updates, permission changes, two-factor, and flood control.

06

Walkthrough call

A 45-minute call to go through the report, agree priorities, and answer your developers' questions directly.

How it runs

Four steps, five days

Five business days from kickoff to a report, with hardening folded in on the second tier. We take a full backup before we touch anything.

1

Access and backup

You give us SFTP or SSH and an admin login. We take a full database and file backup before any change.

Same day
2

Three-layer audit

We work through core, contrib and custom code, then accounts and permissions, logging every finding as we go.

Days 1-3
3

Report and ranking

We write the findings up, rank them, and build the fix list with effort estimates.

Day 4
4

Walkthrough and hardening

We walk you through the report. On the harden tier we apply the high-risk fixes and re-check them.

Day 5
Pricing

Fixed price, no subscription

The audit-only tier is $390. That covers the full three-layer review, the ranked report, the fix list, and the walkthrough call. If you want us to apply the high-risk fixes rather than hand them to your team, the audit-and-harden tier is $690 and includes the module updates, permission changes, two-factor rollout, and a re-check of everything we changed.

Already hacked? Start with restoration.

If your Drupal site is already compromised, defaced, or throwing a white screen, an audit is the wrong first step. You need cleanup and a clean restore first, then the audit to stop it happening again. Our website restoration service handles the cleanup, and we’ll roll the audit in once the site is stable.

Audit

$390 one-time
  • Three-layer security audit
  • Ranked findings report
  • Fix list with effort estimates
  • Walkthrough call
Book an audit
Most popular

Audit + harden

$690 one-time
  • Everything in Audit
  • High-risk fixes applied
  • Contrib updates and permission changes
  • Two-factor and flood control
  • Re-check of all changes
Book audit + harden
Tech we use

Tooling we lean on

Drupal 9/10/11 Drush Composer composer audit Security Review PHPStan Twig TFA Fail2ban
Where this fits

How this connects to the rest of the stack

A Drupal audit is one part of our website security services, which run the same three-layer method across other platforms. If you manage more than one CMS, our WordPress security audit works the same way, and teams running their own boxes usually pair this with Linux server hardening so the layer underneath Drupal is locked down too. For how we handle updates and maintenance after the audit, see our Drupal support overview. If the audit turns up an active compromise, that becomes a restoration job first. We don’t sell a monthly security retainer you can’t escape; you pay for the audit, you get the report and the hardening, and you walk away with a site you can actually defend. Once the audit is clear, we can also connect Drupal to your CRM or ERP safely.

Security for Drupal support & development services

Need security for drupal support & development services sorted?

We'll triage the same day. Send context, screenshots, error messages — whatever you have. No sales calls, no chatbots.

We read every message. We don't pass your details to anyone else, ever.