AFFECTED APPLICATION | Drupal versions <= 7.31 |
FIX | Restore your site and then upgrade |
FIRST REPORT OF COMPROMISE | Oct. 15, 2014 at 11pm UTC |
If you're here, we're assuming you've been notified of a critical security issue with Drupal, which has been called Drupalgeddon (or Drupageddon). Drupal has issued an announcement about it here, but this article contains the information you need to protect your Drupal site.
In short, this security risk could let attackers install backdoors on your website through SQL injection. With a backdoor in place, attackers could target your website's visitors with various maladies, such as malware.
Be warned: this situation is bad and can get complicated. We have protection measures in place to minimize the risk of your site actually being affected, but it's important to proceed as if your site is compromised.
The first thing to investigate is the situation you and your site are in.
YES: Your site is unaffected.
NO: You must restore your site from backup, and then upgrade it.
YES: Follow this procedure (individual steps outlined in Procedures section):
Unsure? If you don't have a backup you maintained yourself, we might be able to help.
Hosting Type | Backup info |
---|---|
Web & Classic Linux | Website: Restoring a Linux Hosting Account. Database: Check Restoring section of Backing up and Restoring MySQL or MSSQL Databases. Disaster Recovery Backups available — contact customer support |
Web & Classic Windows | Website & Database: Disaster Recovery Backups available — contact customer support |
Plesk | Website & Database: View the Plesk section in Where can I download my shared hosting backups? Disaster Recovery Backups also available to some customers — contact customer support |
cPanel | Website & Database: Backups available to some customers who installed the application through Installatron via Restoring Installatron Websites from Backups. Users could have created backups using Back up your website |
If you do have a backup, see the YES section; otherwise, see the NO section.
NO: Follow this procedure (individual steps outlined in Procedures section)
Before beginning the procedures outlined below, make sure you complete them in the correct order by cross-referencing your situation with the Analyzing Your Situation section.
If you have only one domain on your hosting account:
If you have multiple domain names on your website:
We also recommend changing the MySQL database password your Drupal site uses. To do that, you'll need to change the database's password (more info), and then update it in Drupal (more info).
You need to upgrade your Drupal version to 7.32. Drupal has those instructions here.
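If your hosting account holds several Drupal sites, the following script (an added example, not part of the original article) lists every Drupal 7 core under a directory and marks the ones still at 7.31 or below. It assumes the Drupal 7 convention of declaring the core version in includes/bootstrap.inc; the function names and the check_drupal.sh file name are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumption: Drupal 7 core declares its version in includes/bootstrap.inc
# with a line of the form: define('VERSION', '7.31');

# Print the core version declared in one bootstrap.inc file (empty if none).
drupal_version() {
    sed -n "s/^[[:space:]]*define('VERSION',[[:space:]]*'\([^']*\)');.*/\1/p" "$1" | head -n 1
}

# Map a version string to AFFECTED (7.0 to 7.31), OK (7.32 and later) or UNKNOWN.
classify() {
    case "$1" in
        7.*) minor=${1#7.} ;;
        *) echo UNKNOWN; return 0 ;;
    esac
    case "$minor" in
        ''|*[!0-9]*) echo UNKNOWN ;;   # e.g. 7.x-dev: the number alone cannot decide
        *) if [ "$minor" -le 31 ]; then echo AFFECTED; else echo OK; fi ;;
    esac
}

# Walk a directory tree and print "STATUS VERSION PATH" for each Drupal 7 core found.
scan_root() {
    find "$1" -type f -path '*/includes/bootstrap.inc' 2>/dev/null |
    while IFS= read -r f; do
        v=$(drupal_version "$f")
        [ -n "$v" ] || continue
        printf '%s %s %s\n' "$(classify "$v")" "$v" "${f%/includes/bootstrap.inc}"
    done
}

# Usage: sh check_drupal.sh /path/to/hosting/root
if [ "$#" -gt 0 ]; then
    scan_root "$1"
fi
```

An OK result only confirms the upgrade step is done; it says nothing about whether the site was compromised before the upgrade, so the restore procedure above still applies.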
If you do not have a backup of either your website or database (or both), you must manually remove any backdoors from your Drupal installation.
To manually remove any backdoors yourself, use the Drupal-recommended procedure. This procedure is very complicated and requires an advanced understanding of PHP and MySQL. Not all steps listed in the procedure are applicable to shared hosting environments, but completing what you can from this list will provide you the greatest likelihood of removing backdoors from your site.