It has recently come to light that the Drupal Content Management System has another large security vulnerability, dubbed "Drupalgeddon 2". This is yet another reminder of how important it is to choose a Content Management System (CMS) that fits your company's needs and is also stable and secure. It is equally vital to actively maintain the system: applying updates frequently can help avoid a disastrous situation.
This vulnerability comes from a failure of Drupal to properly sanitize user input submitted through the Form API for AJAX requests. Sanitization is the act of removing potentially unsafe or nefarious data from user input. In this instance, if an attacker were to submit code to the system through an AJAX request, they could take control of the website. Once the site is under their control they can access user information, use the site as a launch pad for other attacks, deliver malware to site visitors, and more. Another potential issue companies face when their website is hacked is a drop in their search engine ranking, or even outright removal from the search engine's database. This negates any investment in a Search Engine Optimization or advertising campaign. The website will also be unfindable in any local search, hurting the company's visibility with potential customers.
After "Drupalgeddon 1" we chose to remove Drupal as a potential platform for building client projects. When selecting a product for our clients we evaluate all options that fit the project's requirements. Part of this evaluation is a review of past and current security problems. When a system is facing large or frequent issues, it is removed as a potential solution until it has a period of proven reliability.
Over the years it has become clear that Active Site Maintenance is vital to keeping a website secure and functioning properly. This service comes at additional cost, and is now a standard part of every web project we work on. Our goal is to keep you online and easily findable to potential customers. We want your website to bring your company value.
UPDATE June 6, 2018
It would appear that two months after the release of a fix for the Drupalgeddon 2 security vulnerability, there are still over 115,000 websites on the internet that have not been updated and are vulnerable or have been compromised. Not long after the vulnerability was made public, hackers started compromising these websites, injecting backdoors, coinminers, IoT botnet malware, and cryptojackers. Any of these will get a website delisted from search engines.