AFFECTED APPLICATION | Drupal versions <= 7.31 |
FIX | Restore your Website and then upgrade |
FIRST REPORT OF COMPROMISE | Oct. 15, 2014 at 11pm UTC |
If you're here, we're assuming you've been notified of a critical security issue with Drupal, which has been called Drupalgeddon (or Drupageddon). Drupal has issued an announcement about it here, but this article contains the information you need to protect your Drupal Website.
In short, this security risk could let attackers install backdoors on your website using a SQL injection. Essentially, this would let attackers target your website's visitors with various maladies, such as malware.
To warn you, this situation is bad and can get complicated. We have protection measures in place to minimize the risk of your Website actually being affected, but it's important to proceed as if your Website is compromised.
The first thing to investigate is the situation you and your Website are in.
YES: Your Website is unaffected.
NO: You must restore your Website from backup, and then upgrade it.
YES: Follow this procedure (individual steps outlined in Procedures section):
Unsure? If you don't have a backup you maintained yourself, we might be able to help.
Hosting Type | Backup info |
---|---|
Web & Classic Linux | Website: Restoring a Linux Hosting Account; Database: Check Restoring section of Backing up and Restoring MySQL or MSSQL Databases; Disaster Recovery Backups available — contact customer support |
Web & Classic Windows | Website & Database: Disaster Recovery Backups available — contact customer support |
Plesk | Website & Database: View the Plesk section in Where can I download my shared hosting backups?; Disaster Recovery Backups also available to some customers — contact customer support |
cPanel | Website & Database: Backups available to some customers who installed the application through Installatron via Restoring Installatron Websites from Backups; users could have created backups using Back up your website |
If you do have a backup, see the YES section; otherwise, see the NO section.
NO: Follow this procedure (individual steps outlined in Procedures section)
Before beginning the procedures outlined below, make sure you complete them in the correct order by cross-referencing your situation with the Analyzing Your Situation section.
Before beginning, you must have a backup of your website created before Oct. 15, 2015 at 11pm UTC. Restoring from this backup will revert your Website to the state it was in when the backup was taken. It's not ideal, but it's your best bet against passing malware on to your visitors.
If you have only one domain on your hosting account:
If you have multiple domain names on your website:
Before beginning, you must have a database backup created before Oct. 15, 2015 at 11pm UTC. Restoring from this backup will revert your Website to the state it was in when the backup was taken. It's not ideal, but it's your best bet against passing malware on to your visitors.
We also recommend changing your Drupal site's MySQL database password. To do that, you'll need to change the database's password (more info), and then update it in Drupal (more info).
You need to upgrade your Drupal version to 7.32. Drupal has those instructions here.
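To confirm which Drupal 7 installs on a hosting account are still at 7.31 or earlier, before and after upgrading, a check like the following can be run over the account's web root. This is an added example, not part of the original article or of Drupal; the function names are hypothetical, and it assumes each site keeps the stock `includes/bootstrap.inc`, where Drupal 7 declares its version.

```shell
#!/usr/bin/env bash
# Added example: report Drupal 7 installs that are still <= 7.31.
# Assumption: each site keeps the stock includes/bootstrap.inc, where Drupal 7
# declares its version as  define('VERSION', '7.31');

# Print the VERSION string declared in a Drupal root, or nothing if absent.
drupal_version() {
  sed -n "s/^[[:space:]]*define('VERSION',[[:space:]]*'\([^']*\)');.*/\1/p" \
    "$1/includes/bootstrap.inc" 2>/dev/null | head -n 1
}

# Return 0 (affected) for 7.0 through 7.31, including -dev/-rc builds of those.
is_affected() {
  local ver="$1" major minor
  major=${ver%%.*}
  minor=${ver#*.}
  minor=${minor%%[!0-9]*}         # "31-dev" -> "31", "x-dev" -> ""
  [ "$major" = "7" ] || return 1  # this check only covers the 7.x branch
  [ -n "$minor" ] || return 0     # unparseable 7.x build: treat as affected
  [ "$minor" -le 31 ]
}

# Walk a hosting root and list every Drupal 7 install with its status.
scan_sites() {
  local root="$1" inc dir ver
  find "$root" -type f -path '*/includes/bootstrap.inc' 2>/dev/null | sort |
  while IFS= read -r inc; do
    dir=${inc%/includes/bootstrap.inc}
    ver=$(drupal_version "$dir")
    [ -n "$ver" ] || continue     # no VERSION line: not a Drupal 7 bootstrap.inc
    if is_affected "$ver"; then
      printf 'AFFECTED  %s  %s\n' "$ver" "$dir"
    else
      printf 'ok        %s  %s\n' "$ver" "$dir"
    fi
  done
}

# With no argument, run against a constructed sample tree (not real sites).
if [ $# -eq 0 ]; then
  tmp=$(mktemp -d)
  for v in 7.31 7.32; do
    mkdir -p "$tmp/site-$v/includes"
    printf "<?php\ndefine('VERSION', '%s');\n" "$v" > "$tmp/site-$v/includes/bootstrap.inc"
  done
  scan_sites "$tmp"; rm -rf "$tmp"
else
  scan_sites "$1"
fi
```

An `ok` result only confirms the installed version; a site that was upgraded without being restored first can still carry a backdoor installed earlier, so the restore steps above still apply.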
If you do not have a backup of either your website or database (or both), you must manually remove any backdoors from your Drupal installation.
You can manually remove any backdoors yourself using the Drupal-recommended procedure outlined here. This procedure is very complicated, and using it effectively requires an advanced understanding of the technologies Drupal uses (PHP, MySQL). Not all steps listed in the procedure are applicable to shared hosting environments, but completing what you can from this list will give you the greatest likelihood of removing backdoors from your Website.