Why is Drupal secure? More people review the code. Simple.

Who reviews Drupal for security?

A million strong open source community, with a core team of around 28,000 developers, plus loads of organisations and end users. This includes major Drupal users like Pinterest, the United States Department of Defense and increasingly major financial institutions. Many who use it have run penetration tests over the years, or just spotted issues and reported them to the Drupal security team

There's also a good security culture and some parts of Core are designed to prevent the commonest problems, like SQL injection and cross-site-scripting.

Compared to proprietary systems this is a huge number. Very few platforms have software teams that rank in the thousands, let alone the tens of thousands. This doesn't mean that they don't spot issues, or aren't secure, but the extent of this varies depending on each supplier. There is also less transparency compared to an open source community, who by their very nature publish security issues, and fixes.

How do Drupal Security updates work?

Drupal contributed module updates are announced every Wednesday for contrib modules and one Wednesday a month (usually the third Wednesday) for Drupal core, from 12pm EST. There’s a calendar of release schedules here.

Why may my site not be secure?

The Drupal platform is secure, and the community provides security updates, but if you're not regularly applying them then you are not going to get the peace of mind of having a secure site. 

How does NDP Studio Drupal Support manage Security Updates?

In general we will apply a security update as soon as it becomes available, but with prioritisation given to those marked Highly Critical, work beginning as soon as possible within 24 hours. We follow the Drupal Security Team’s classification of risks which is explained here.

This considers factors such as whether this vulnerability affects all users, whether it affects all configurations, whether there are mitigations, whether it is already being exploited or is theoretical and other considerations.

For very high risk security updates, the security team will pre-announce the release so that developers can be scheduled in advance - this has only happened a handful of times though.

How can I sign up for Drupal Security updates?

This can be done by subscribing to the three RSS feeds at, following @drupalsecurity on Twitter or via email. To subscribe via email, you need an account on and then edit the 'my newsletters option' on your profile.

How can NDP Studio help me with Drupal Security?

Security is a core part of all of our Support packages, and we also can provide Fleet Security to those of you with more than one site, in multiple versions of Drupal. 

With our Drupal expertise and experience, we like to give our clients peace of mind about the security of their sites by immediately applying all updates as they are released. Just book in a meeting here to learn more.

Get in touch
24h telephone

Before you go