The Ultimate Drupal Security Practices and Malware Removal Guide

If you own a site, you probably know how distressing it is to lose your precious data overnight because malware found a hole in a weak Drupal security setup. So, Astra is back with another useful article to save you from sleepless nights and distressing thoughts. Now, let us move to the scene where a Drupal site has been hacked. Let us understand the types of hacks, their symptoms, the process of Drupal malware removal and the ways to prevent them in the future. With this guide, your Drupal security will improve tenfold. It is everything you need, in case you were wondering how to restore your site after a brutal cyber attack.

Introduction to Drupal Security

Wikipedia defines Drupal as a free and open source content management framework written in PHP. It is the third most popular content management framework on the market, after only WordPress and Joomla. Because Drupal is so versatile, a wide variety of sites can run on it efficiently, and it is used by large corporations and enterprises. Famous users of Drupal include NASA, Harvard University, Tesla and Nokia.
But when it comes to Drupal security, these sites seem to live under a cloud. It must be mentioned here that the Drupal security structure is reputed to be a really hardened one, and there have been negligible malpractices with its sites till now. The main way its sites get infected is cross-site scripting (XSS). Still, it must not be forgotten that no site is completely hack-proof. Thus this article, the “Drupal security and Drupal malware removal guide”.
If your Drupal site does get hacked, you need to figure out a way to remove the malware. No worries! Astra is happy to help.

Types of Drupal Hacks

Hacking is a broad area, which makes it an arduous task to classify it into numbers and types. Having said that, we present here a list of only the trending types of hack that are the current craze amongst hackers.
First things first: before getting into the details of Drupal malware removal and safety guidelines, it is extremely important to learn a bit about the hacks on the rise in Drupal and other CMSs. Here is a short list of the hacks and the Drupal malware removal process for each.

Drupal Malware Removal in SEO Spam

Sites with high-quality content and fairly good popularity attract unwanted threats and exploits. Drupal is a popular platform and powers a huge number of large and important sites. This invariably makes it easy prey for spammers. SEO (search engine optimization) spam is one such hack, used primarily to get undeserved visibility in search engines by manipulating their indexes. It is also used to spread phishing content online.
Moreover, the hacker uses the website as a host to send spam emails, to collect user data and to carry out a number of other malpractices. These practices have serious consequences: losing control of the site and modification or misuse of the user database are only a few examples. In addition to the data loss, the reputation of the website is put at stake too. In severe cases, the site also loses its valuable customers.
A similar case was seen when Drupal sites were infected with the Pharma hack recently, where SEO spammers used vulnerabilities to redirect users to pages selling Viagra and Cialis. This SEO spam is known as Black Hat SEO. Another famous example of SEO spam is Japanese SEO spam, in which the spammers hijack Google search results and display Japanese words in the titles and keywords.

Drupal SEO spam symptoms

To check whether your Drupal website has been attacked, look for the following symptoms:
  • Unusual, slow, or abnormal site behavior
  • Modified Drupal files such as page.php, nav.php, index.php, etc.
  • Added new pages like leftpanelsin.php, cache.php, etc.
  • Edited xmlrpc.php in order to escape detection by webmasters.
  • Usage of base64 encoding to obfuscate code.
  • Files are hidden under /images folder to skip detection.
  • Page names altered to a dot-prefixed form such as .somefile in an attempt to avoid being seen.
  • A difference in the search results of Google, Mozilla, Bing, etc. as a result of the spam.
  • Unauthorized new users on the Drupal dashboard.
  • New nodes from an unauthorized user.

Drupal Malware Removal Process

If you find that your site is behaving in the manner described above, follow the next steps vigilantly to undo the damage.
  • Scanning: Scan your website with tools like the Hacked! module, git, etc. to learn the status of the hack. Also, analyze your website with Google Webmaster Tools to check for an unusual increase in web traffic. Look for new, unfamiliar code in your files. The following sample is the kind of code that redirects your visitors to the hacker’s website:
        <ul id="menu">
        <li><a href="attackerdomain.com">Something1</a></li>
        </ul>
    Hackers also hide their code in base64 to avoid detection, so that it looks like YXR0YWNrZXJkb21haW4uY29t (the base64 encoding of attackerdomain.com), making it hard to spot the attacker domain.
    To search files for base64 encodings, the find and grep commands are helpful:
        find . -name "*.php" -exec grep "base64" '{}' \; -print &> b64-detections.txt
    This command searches every .php file under the current directory for the string base64 and saves the results in the file b64-detections.txt. You can then use an online resource to decode the matches and get a clear picture of what was done to the site.
  • Cleaning: Attackers often leave backdoors in a site so that they can get access repeatedly. Common backdoors are hidden in PHP files and use functions such as base64, system, assert, str_rot13, create_function, etc. Remove these backdoors manually.

  • Securing: Restore authentic backup files. Update every theme and module of your website. Disable plugins with obsolete modules. Install good copies of modules from Drupal’s site. This will remove the loopholes left by the hacker.
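
The scanning and cleaning checks above can be scripted as a first pass. This is an added example, not part of the original guide or of any Drupal tool: the function names and the sample tree are constructed for illustration, and the base64 string is the one quoted in the scanning step.

```shell
#!/usr/bin/env bash
# Added example: triage scan for indicators this guide lists. Review every hit by
# hand; Drupal core and contributed modules legitimately call some of these functions.

# Functions the guide names as backdoor building blocks (base64 -> base64_decode).
SUSPECT_FUNCS='base64_decode|system|assert|str_rot13|create_function'

# Print file:line:call for each call to a suspect function in PHP files under $1.
scan_suspect_calls() {
  find "$1" -type f -name '*.php' \
    -exec grep -HnoE "\b(${SUSPECT_FUNCS})[[:space:]]*\(" {} + || true
}

# Decode quoted base64-looking literals in file $1 so hidden domains become readable.
decode_b64_literals() {
  grep -oE "['\"][A-Za-z0-9+/]{16,}={0,2}['\"]" "$1" | tr -d "'\"" |
    while IFS= read -r blob; do
      plain=$(printf '%s' "$blob" | base64 -d 2>/dev/null | tr -cd '[:print:]')
      printf '%s -> %s\n' "$blob" "$plain"
    done
}

# PHP or dot-prefixed files inside images/ or uploads/ directories under $1.
# .htaccess is skipped because Drupal itself places one in its files directories.
find_misplaced_files() {
  find "$1" -type f \( -path '*/images/*' -o -path '*/uploads/*' \) \
    \( -name '*.php' -o -name '.*' \) ! -name '.htaccess'
}

# Constructed sample tree (harmless stand-ins, not real malware).
make_sample_site() {
  local root; root=$(mktemp -d)
  mkdir -p "$root/images" "$root/modules"
  printf '<?php echo "hello"; ?>\n' > "$root/index.php"
  printf '<?php $u = base64_decode("YXR0YWNrZXJkb21haW4uY29t"); ?>\n' > "$root/modules/nav.php"
  printf '<?php /* empty */ ?>\n' > "$root/images/cache.php"
  : > "$root/images/.somefile"
  printf '%s\n' "$root"
}

site=$(make_sample_site)
scan_suspect_calls "$site"
decode_b64_literals "$site/modules/nav.php"
find_misplaced_files "$site"
rm -rf "$site"
```

Hits are leads, not verdicts: compare each flagged file against a clean copy of the same Drupal or module release before deleting anything.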

Drupal Malware Removal in Admin Hack

Another very problematic hack is the Admin hack. It is exactly what it sounds like: a hack where the attacker gets access to the details, passwords, keys, and powers of the site's admin.
Once they hold the powers an admin enjoys, attackers can change, delete, manage and reset passwords. They can also add unverified members, send spam emails while posing as the admin, and modify the modules or core code of the site.

Drupal Admin Hack symptoms:

  • Unusual, slow, or abnormal site behavior
  • Multiple admin users added to Drupal.
  • Infected and malicious files with uncommon names added to the public_html folder
  • Several files copied to the website
  • A new file called ext.php added to the /drupal-admin folder, which lets hackers upload dangerous PHP files to the ‘drupal-admin’ directory.
  • Re-infection of the website almost immediately.

Figure: Security warning by the Hacked! module in Drupal

Drupal Malware Removal Process

  • Scanning: Scan your website with tools like the Hacked! module, git, etc. to learn the status of the hack. Check index.php and drupal-admin/index.php to see if they have been modified. Scan for new, unfamiliar files on the server or in the /drupal-admin folder. The files that you may find are: Marvins.php, db_.php, 8c18ee, 83965, admin.php, dm.php
  • Cleaning: Delete unknown Drupal administrator accounts from the users page, and also the code that adds malicious admin users. Remove all the PHP files from your ‘uploads’ directory. Clean the admin user database manually to get rid of the unknown users that were added.
  • Securing: Restore authentic backup files. Update every theme and module of your website. Disable plugins with obsolete modules. Install good copies of modules from Drupal’s site. This will remove the loopholes left by the hacker.

Drupal Malware Removal in Redirection hack:

A redirection hack is something every internet user must have experienced at some point in their surfing history. But when you are a website owner, having your users redirected to spam sites is literally a nightmare. In redirect spam, a spammer redirects the visitors of a particular website to spammy and malicious sites.
Drupal is a popular and growing platform, and thus a desired target. The Drupal redirect hack is a convenient yet unscrupulous way for hackers to use a Drupal site as a door that redirects visitors to their own sites. These sites usually have little or zero relevance to what the visitor searched for.

Drupal Redirection Hack Symptoms

A redirection hack can be identified easily by the following symptoms:
  • An unusual increase in web traffic.
  • Clicking links on your website homepage redirects to spam.
  • Unwanted ads or pages open up on your website as a result of the hack.
  • The appearance of unknown nodes and files.
  • Spam content in search engine results. Blacklisting by search engines like Google, Bing, etc.

Drupal Malware Removal Process

The Drupal Malware removal for this kind of hack can be done as follows:
  • Scanning: Check for alien files added to your website with Drupal modules and tools like Hacked!, git, file integrity, etc. Scan for any new, unverified user entries. Look out for any fishy database tables like Sqlmap. To show all the tables, use the command:
        show tables;
    The attacker might also have created new user entries and gained admin privileges. To check for that, use:
        SELECT * FROM users AS u WHERE u.created > UNIX_TIMESTAMP(STR_TO_DATE('Oct 15 2018', '%b %d %Y'));
    This displays all the users created after 15 October 2018.
  • Cleaning: Remove all the unfamiliar files from your server manually. Clear your cache using the following command:
        drush cache-rebuild      (Drupal 8)
        drush cache-clear all    (Drupal 7)
    Also, edit the .htaccess file as follows:
        <Limit GET POST>
        order allow,deny
        allow from all
        deny from env=spammer
        SetEnvIfNoCase Referer ".*(poker|credit|money).*" spammer
        </Limit>
    This block stops visitors whose HTTP referrer contains words like poker, credit, etc. from accessing your pages. The order/allow/deny directives are Apache 2.2 syntax; Apache 2.4 accepts them only with mod_access_compat loaded.
  • Securing: Restore authentic backup files. Update every theme and module of your website. Block access based on the visitor's own identifier (the HTTP referrer):
        RewriteEngine On
        RewriteBase /
        # allow referrals from search engines:
        RewriteCond %{HTTP_REFERER} !.*xyz\.com/.*$ [NC]
        RewriteCond %{HTTP_REFERER} !^http://([^/]+)google\..*$ [NC]
        # conditions for unwanted referrals
        RewriteCond %{HTTP_REFERER} ^.*loans.*$ [OR]
    Repeat the google line for every search engine you want to allow, such as yahoo, bing, etc. Repeat the loans line for the spam words you want to block, such as viagra, porn, etc. These conditions only take effect when a RewriteRule follows them, and the last condition in the list must not carry the [OR] flag.

Enhancing your Drupal Security

Now that we have carried out the Drupal malware removal, it is time to guard the site against any future mishaps. The following tips will help you strengthen your Drupal security structure as far as possible.


It is incredible how much just updating your website and its modules reduces its vulnerabilities. New versions are nothing but patched and mended loopholes in your Drupal security structure, so it is only prudent to run them and face fewer security threats. The latest version of Drupal can always be downloaded from Drupal’s official site.

Unique Usernames and Passwords:

This is probably the most underrated of the security measures, but its importance cannot be emphasized enough. Most people opt for simple usernames and passwords that they can remember easily. This is a dangerous practice. Using your own name or the word admin as a username is a big NO. 123456789 or the word “password” are far too simple and easy-to-crack passwords. Every security measure you loosen is an opportunity you hand to an attacker. Make sure you go for unique and strong usernames and passwords.

Backing up with frequent Backups:

In times such as a brutal cyber attack, only backups have got your back. Underestimating the importance of timely and regular backups will cost you dearly. DO NOT overlook the value and necessity of backups. Drupal’s official site has all the backup-related information, and you can always take help from there. Backups will prove to be a savior if you lose your valuable data in an unfortunate cyber hack.

Restricting Permissions:

Granting permissions with a vigilant eye is one way to protect your site against malware attacks. Stopping any bots, pages, etc. that are extraneous will add greatly to your site’s security.

Using Drupal Modules:

Drupal security modules promise a more secure structure; in fact, Drupal's popularity is attributed to its security excellence. Using Drupal modules will work to your benefit. Some modules are as follows:

1. File Permissions:

Since Drupal is an open-source CMS, anyone can read and write code for it. But this allowance should be tuned carefully. To have a secure site, you must check that the permissions for opening, reading and altering its files are reasonable and not too liberal. Again, this module is easily found on Drupal’s website.

2. Sanitizing output:

To prevent XSS infection of your site, it is necessary to sanitize and filter HTML output. Sanitization can be done with various mechanisms available in Drupal, such as Twig templates, JavaScript (jQuery) and Drupal.checkPlain(). To learn more about sanitizing text, visit Drupal's documentation.

3. File integrity check module:

This Drupal module lets you scan the website and its attached modules. It periodically checks for any divergence between the current state of the website and the original authentic version you feed into it. It then alerts you if modifications or loopholes are found in the core or in other modules. You can find this module on Drupal's site.
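
The baseline-and-compare idea behind a file integrity check, as an added shell example (not the module's own code). The function names and the sample tree are constructed for illustration, and file names are assumed to contain no spaces or newlines.

```shell
#!/usr/bin/env bash
# Added example: record a known-good baseline of file hashes, then report drift.

sha256_of() {   # portable wrapper: GNU coreutils sha256sum or the perl-based shasum
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Write one "hash  ./relative/path" line per file under $1 to manifest $2.
make_baseline() {
  ( cd "$1" && find . -type f | LC_ALL=C sort |
      while IFS= read -r f; do sha256_of "$f"; done ) > "$2"
}

# Compare the tree at $1 with manifest $2; print ADDED / MODIFIED / REMOVED lines.
compare_to_baseline() {
  local now; now=$(mktemp)
  make_baseline "$1" "$now"
  awk 'NR == FNR                   { base[$2] = $1; next }
       !($2 in base)               { print "ADDED " $2; next }
                                   { seen[$2] = 1 }
       (base[$2] "") != ($1 "")    { print "MODIFIED " $2 }
       END { for (f in base) if (!(f in seen)) print "REMOVED " f }' "$2" "$now" |
    LC_ALL=C sort
  rm -f "$now"
}

# Constructed demo: a clean tree, then the kinds of change the guide lists as symptoms.
demo_drift() {
  local root manifest; root=$(mktemp -d); manifest=$(mktemp)
  mkdir -p "$root/images"
  echo '<?php // front controller' > "$root/index.php"
  echo '<?php // xml-rpc endpoint' > "$root/xmlrpc.php"
  echo 'logo' > "$root/images/logo.txt"
  make_baseline "$root" "$manifest"

  echo '// appended by intruder' >> "$root/xmlrpc.php"    # edited file
  echo '<?php // dropped file' > "$root/images/cache.php" # new file
  rm "$root/images/logo.txt"                              # deleted file

  compare_to_baseline "$root" "$manifest"
  rm -rf "$root" "$manifest"
}

demo_drift
```

Store the manifest off the web server so that an intruder who can write to the site cannot rewrite the baseline along with the files.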

4. Coder:

The coder command checks your site’s code against set standards. It suggests best practices for coding and highlights any violations of coding standards in your site.

5. Captcha:

The captcha module’s sole purpose is to block login attempts by automated bots lurking on the internet sphere. With this module, you are invariably going to increase your Drupal security.


We hope Astra had your queries answered and problems solved to a great extent. Be safe and dodge any cyber attack by keeping your site super secure with this guide. Be smarter than the hackers and apply the recommended steps very carefully.
