How to Clean a Hacked Drupal Site

Introduction

Sucuri is committed to helping server administrators check their website for hacks and remove malware infections. We created this guide so Drupal users can identify and clean their hacked Drupal site. This is not meant to be an all-encompassing guide, but it addresses the most common infections we see.

Common indicators of a hacked Drupal site include:

  • Spam keywords in nodes and search engine content
  • New nodes from an unauthorized user
  • File modifications or Drupal core integrity issues
  • Unknown files under sites/default/files
  • Security warnings by Google, Bing, McAfee, etc.
  • Unexpected, slow, or abnormal site behavior
  • Host suspended your site for malicious activity
  • Malicious new users in the Drupal dashboard
  • Using components with known vulnerabilities
  • Insufficient logging and monitoring

How to Scan Your Site for Malware


You can use tools that remotely scan Drupal for malware to find malicious payloads and malware locations. These instructions are for our free remote scanner, SiteCheck.

Other online scanners and Drupal extensions can also help you look for indicators of compromise, malicious payloads, and other security issues. Tools for checking security misconfigurations in Drupal could help you identify possible attack vectors.

  • Visit SiteCheck and enter your website URL.
  • Click Scan Drupal.
  • If the site is infected, review the warning message.
  • Note any payloads, locations (if available), and blocklist warnings.


Free Drupal Scanners:

  • Hacked!: Scans your Drupal software against known good copies (Drush UI available).
  • Site Audit: Detect common problems with Drupal including security issues.
  • Security Review: Test your site against a checklist of common security issues.



If you have multiple websites on the same server we recommend scanning them all. Cross-site contamination is one of the leading causes of reinfections.

We encourage every website owner to isolate their hosting and web accounts. See the Drupal Multisite Docs for more info.

Drupal hacked scan results in SiteCheck.

A remote scanner will check the site externally using different user-agents, but some issues do not present themselves in a browser. Hidden infections (i.e., backdoors, phishing pages, and hidden scripts) can be found using a server-side scanner. Learn more about how remote scanners work.

Check Your Drupal Site for Modified Files

New or recently modified files may be part of your Drupal site hack. Your core, contributed, and custom modules should also be checked against known good copies to identify malware injections.

The quickest way to confirm the integrity of your Drupal site’s files is by using git status (or another version control system) to check for changes, commit any new branches, and then roll back to the last known good set of code.

To use git to check for changes:

  • Connect to your server over SSH and run the following SSH command: git status.
  • Identify new and modified files.
  • Navigate through your directories and note anything unusual.


We highly recommend using FTPS/SFTP/SSH rather than unencrypted FTP.

You can also use the Hacked! module for Drupal to get a report of any integrity issues with your core files and modules, which could be an indicator of a hacked Drupal site.

Another option is to use the diff command in a terminal to compare your files to known good copies. You can find all Drupal versions on GitHub. Using an SSH terminal, you can download Drupal locally. The following commands use version 8.3.5 as an example of the clean files and public_html as an example of where your Drupal installation is located. The drupal/core repository on GitHub holds only the core directory of Drupal 8, so the final diff command compares the clean core files with the core directory of your installation.

Caution

It is important that you compare the same version of your Drupal site’s core files and extensions. Core files on the 8.x branch are not the same as the 7.x branch and so on.

To check core file integrity with SSH commands:

$ mkdir drupal-8.3.5
$ cd drupal-8.3.5
# save the archive under the name the next command expects
$ wget -O core-8.3.5.tar.gz https://github.com/drupal/core/archive/8.3.5.tar.gz
$ tar -zxvf core-8.3.5.tar.gz
# the drupal/core archive holds only the core directory, and this shell is now
# one level below the site, so compare against ../public_html/core
$ diff -r core-8.3.5 ../public_html/core
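Raw diff -r output is hard to act on during an incident. As an added example that is not part of the Sucuri guide, the following POSIX shell script sorts the differences between a known good tree and the live site into NEW files (no clean counterpart, where dropped files show up) and DIFF files (contents changed); the CLEAN and SITE paths are yours to supply, and the demo trees it builds are constructed stand-ins, not real Drupal files.

```shell
#!/bin/sh
# Added example (not from the Sucuri guide): categorise the differences
# between a known good Drupal tree and the live site instead of reading raw
# "diff -r" output. The demo trees built at the bottom are constructed
# stand-ins for real Drupal files.

# list_relative DIR: every regular file under DIR as a "./"-prefixed path.
list_relative() {
    ( cd "$1" && find . -type f | sort )
}

# compare_with_clean CLEAN SITE
# Prints one finding per line:
#   NEW  <path>   present in the site but not in the clean copy (where
#                 dropped backdoors and stray files show up)
#   DIFF <path>   present in both, but the contents differ (injected code,
#                 or an expected local change such as sites/default/settings.php)
# Files that exist only in the clean copy are ignored here; "diff -r" still
# reports those if you need them.
compare_with_clean() {
    clean=$1
    site=$2
    list_relative "$site" | while IFS= read -r f; do
        rel=${f#./}
        if [ ! -f "$clean/$rel" ]; then
            printf 'NEW  %s\n' "$rel"
        elif ! cmp -s "$clean/$rel" "$site/$rel"; then
            printf 'DIFF %s\n' "$rel"
        fi
    done
}

# make_demo_trees: builds a constructed clean/site pair in a temp directory
# and prints its path. One core file gets a line appended in the site copy,
# and one extra file is planted in a directory the guide lists as a common
# malware location.
make_demo_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/clean/core/lib" "$base/site/core/lib" \
             "$base/site/sites/all/modules/panels/help"
    printf '<?php\n// constructed stand-in for a core file\n' \
        > "$base/clean/core/lib/Drupal.php"
    cp "$base/clean/core/lib/Drupal.php" "$base/site/core/lib/Drupal.php"
    printf '// constructed: a line that is not in the clean copy\n' \
        >> "$base/site/core/lib/Drupal.php"
    printf '<?php\n// constructed: file that has no clean counterpart\n' \
        > "$base/site/sites/all/modules/panels/help/index.php"
    printf '%s\n' "$base"
}

# Demo run on the constructed trees. For a real check call, for example:
#   compare_with_clean ./drupal-8.3.5/core-8.3.5 ./public_html/core
demo=$(make_demo_trees)
compare_with_clean "$demo/clean" "$demo/site"
rm -rf "$demo"
```

Expected local differences such as settings.php and uploads under sites/default/files will appear as findings too; they still deserve a look, since unknown files under sites/default/files is one of the indicators listed above.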

To manually check recently modified files:

  • Log into your server using an FTP client or SSH terminal.
  • If using SSH, you can list all files modified in the last 15 days using this command:

$ find ./ -type f -mtime -15

  • If using SFTP, review the Last Modified date column for all files on the server.
  • Note any files that have been recently modified.


Unfamiliar modifications in the last 7-30 days may be suspicious and require further investigation.

Audit Your Drupal Site’s User Logs

Verify any unknown Drupal user accounts, especially administrators.

To check for malicious users in Drupal:

  • Log into your Drupal admin interface (yoursite.com/user/login).
  • Click People on the menu.
  • Review the list, especially ones recently created under the Member For column.
  • Remove any unfamiliar users that were created by hackers.
  • Check the Last Access Time of legitimate users (may indicate compromised account).
  • Confirm any users that logged in at suspicious times.


Wait to change user passwords until after you have completely cleared the site of malware. This ensures that hackers no longer have access to any user accounts. You can use a module like Mass Password Reset to force all users to reset their passwords.

Drupal 7: People Panel

Drupal 8: People Panel

Check Diagnostic Pages

If your Drupal site has been blocklisted by Google or other website security authorities, you can use their diagnostic tools to check the security status of your hacked Drupal website. It’s an effective way to verify if a Drupal site is hacked.

For more information about these security warnings, read our guide explaining the Google blocklist.

To check your Google Transparency Report:

  1. Visit the Safe Browsing Site Status website.
  2. Enter your site URL and search.
  3. On this page you can check:
    • Site Safety Details: information about malicious redirects, spam, and downloads.
    • Testing Details: most recent Google scans that found malware.

Google Transparency Report

If you have added your Drupal site to any free webmaster tools, you can check their security ratings and reports for your website. If you do not already have accounts for these free monitoring tools, we highly recommend that you sign up:

Need help blocking attackers?

Our Website Application Firewall (WAF) stops bad actors, speeds up load times, and increases your website availability.

Removing a Drupal Website Hack

Now that you have identified potentially compromised users and malware locations, you can remove malware from your hacked Drupal site and restore it to a clean state.

The best way to identify hacked files is by comparing the current state of the site with an old and clean backup. If a backup is available, you can use that to compare the two versions and identify what has been modified.

Some of these steps require web server and database access. If you are not familiar with manipulating database tables or editing PHP, please seek assistance from a professional Incident Response Team member who can completely remove your Drupal website’s malware.

Clean Hacked Drupal Site

If any scans or diagnostic pages revealed malicious domains or payloads, you can start by looking for those files on your Drupal site’s server. If you use a version control system like git, you can roll back to a known good copy, delete new suspicious files, and use checkout to revert any maliciously modified files.

By comparing infected files with known good files (from official sources or reliably clean backups) you can identify and remove Drupal malware.

To manually remove Drupal malware:

  • Log into your server via SFTP or SSH.
  • Create a backup of the site files before making changes.
  • Search your files for reference to malicious domains or payloads you noted.
  • Identify recently changed files and confirm whether they are legitimate.
  • Review files flagged during the core file integrity check.
  • Restore or compare suspicious files with clean backups or official sources.
  • Remove any suspicious or unfamiliar code from your custom files.
  • Test to verify the site is still operational after changes.


If you can’t find the Drupal malware, try searching the web for malicious content, payloads, and domain names that you found in the first step. Chances are that someone else has already figured out how those domain names are involved in the hack you are attempting to clean.

Resources

Top Drupal directories where we find malware infections:

  • ./sites/all/modules/panels/help/
  • ./sites/all/themes/
  • ./profiles


Caution

It is important that you compare the same version of your Drupal core files and extensions. Core files on the 8.x branch are not the same as the 7.x branch and so on.

Never perform any actions without a backup. If you need help with this, review the official Drupal Backup Docs or look into free Drupal backup tools such as Backup and Migrate and Node Squirrel.

Clean Hacked Drupal Database Tables

To remove a Drupal malware infection from your database, you need to open a database admin panel, such as PHPMyAdmin. You can also use tools like Search-Replace-DB or Adminer.

Caution

Manually removing “malicious” code from your website files can be extremely hazardous to the health of your website. Never perform any actions without a backup. If you’re unsure, please seek assistance from a professional.

To manually remove a malware infection from a hacked Drupal site’s database tables:

  • Log into your database admin panel.
  • Make a backup of the database before making changes.
  • Search for suspicious content (i.e., spammy keywords, links).
  • Open the table that contains suspicious content.
  • Manually remove any suspicious content.
  • Test to verify the site is still operational after changes.
  • Remove any database access tools you may have uploaded.


You can manually search your Drupal database for common malicious PHP functions, such as eval, base64_decode, gzinflate, preg_replace, str_replace, etc. Note that these functions are also used by Drupal extensions for legitimate reasons, so be sure you test changes or get help so you do not accidentally break your site.

Hacked Drupal Database Example

Top infected Drupal database tables we see:

  • field_data_body
  • field_revision_body
  • cache_field

Remove Hidden Backdoors

Hackers always leave a way to get back into your site. More often than not, we find multiple backdoors of various types in hacked Drupal sites.

Backdoors are usually embedded in files that are named just like legitimate files within the official Drupal framework but located in the wrong directories. Attackers can also inject backdoors into files like index.php and directories like /modules, /themes, /sites/all/modules, and /sites/all/themes.

Backdoors commonly include the following PHP functions:

  • base64
  • str_rot13
  • gzuncompress
  • gzinflate
  • eval
  • exec
  • create_function
  • location.href
  • curl_exec
  • stream

Caution

These functions can also be used legitimately by Drupal extensions, so be sure to test any changes because you could break your site by removing benign functions.
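To turn the function list above into a first-pass sweep, here is an added example (not code from the Sucuri guide) in POSIX shell: it greps PHP-bearing Drupal file types for those functions and prints file:line:text for each hit, so every flagged file can then be compared with its known good copy. It assumes GNU or BSD find, xargs and grep, narrows the guide's bare "base64" to base64_decode, and leaves out "stream" because it matches too much legitimate code.

```shell
#!/bin/sh
# Added example (not from the Sucuri guide): grep a Drupal tree for the PHP
# functions the guide lists as common in backdoors and print file:line:text
# for each hit. A hit is a lead, not a verdict: contributed modules use these
# functions legitimately, so compare each flagged file with its known good
# copy before touching it.

# Extended regex built from the guide's list. "base64" is narrowed to
# base64_decode, and eval/exec only count when written as a call, to cut
# noise from words like "level" or "execute". The guide's bare "stream" is
# left out because it matches far too much legitimate code.
BACKDOOR_RE='base64_decode|str_rot13|gzuncompress|gzinflate|create_function|curl_exec|location\.href|(^|[^A-Za-z0-9_])(eval|exec)[[:space:]]*\('

# scan_backdoor_patterns DIR
# Scans the PHP-bearing Drupal file types under DIR. /dev/null is passed as
# an extra file so grep never falls back to reading stdin when find is empty.
scan_backdoor_patterns() {
    find "$1" -type f \( -name '*.php' -o -name '*.inc' -o -name '*.module' \
        -o -name '*.theme' -o -name '*.install' \) -print0 |
    xargs -0 grep -nHE "$BACKDOOR_RE" /dev/null
}

# hit_count DIR: number of flagged lines under DIR.
hit_count() {
    scan_backdoor_patterns "$1" | wc -l | tr -d ' '
}

# make_scan_fixture: constructed tree with one benign module file and one
# inert file that merely contains the pattern (it is never executed).
make_scan_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sites/all/modules/example" "$dir/sites/all/themes"
    printf '<?php\nfunction example_help() { return t("Help text"); }\n' \
        > "$dir/sites/all/modules/example/example.module"
    printf '<?php\n// constructed sample: inert, exists only to match the regex\neval(base64_decode(""));\n' \
        > "$dir/sites/all/themes/x.php"
    printf '%s\n' "$dir"
}

# Demo on the constructed tree. On a real site run, for example:
#   scan_backdoor_patterns ./public_html
fixture=$(make_scan_fixture)
scan_backdoor_patterns "$fixture"
rm -rf "$fixture"
```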

Always remember to compare files using the same Drupal version.

To remove Drupal backdoors by comparing files:

  • Confirm your Drupal version by clicking the System menu and opening System Information.
  • Download the same version of known good core files from the official Drupal repository.
  • Log into your server via SFTP or SSH.
  • Create a backup of the site files before making changes.
  • In your FTP client, compare your site with the known good download.
  • Investigate any new files on your server that do not match the known good files.
  • Investigate any files that are not the same size as the known good files.
  • If using version control, commit and push the new code.

Example of Comparing Files to find Backdoors

The majority of Drupal malware we see uses some form of encoding to prevent detection. Aside from premium components that use encoding to protect their authentication mechanism, it’s very rare to see encoding in the official Drupal repository.

It is critical that all backdoors are closed in order to successfully clean a Drupal hack, otherwise your site will be reinfected quickly. A web application firewall (WAF) may be the best strategy, as it blocks hackers before they can install backdoors.

Remove Malware Warnings From Your Hacked Drupal Site

If you were blocklisted by Google, McAfee, Yandex (or any other web spam authorities), you can request a review after the hack has been fixed. Google is now limiting known repeat offenders to one review request every 30 days. Be sure all Drupal malware is removed before requesting a review!

For more details on how to remove website security warnings, read our guide explaining how to remove the Google blocklist.

To remove malware warnings on your hacked Drupal site:

  • Call your hosting company and ask them to remove the suspension.
  • You may need to provide details about how you removed the malware.
  • Fill in a review request form for each blocklisting authority.
    • i.e., Google Search Console, McAfee SiteAdvisor, Yandex Webmaster.
  • The review process can take several days.


With the Sucuri Platform, we submit blocklist review requests on your behalf. This helps ensure your site is absolutely ready for review. Some reviews, however, such as web spam hacks as a result of manual actions, can take up to two weeks.

Did you know?

The Sucuri Firewall can help virtually patch attacks against your website.

Drupal Site Post Hack Steps

In this final step, you will learn how to fix the issues that caused your Drupal hack in the first place. You will also perform essential steps to enhance the security of your Drupal site.

Update and Reset

Outdated software is one of the leading causes of Drupal getting hacked, and it is important to remove any known vulnerable extensions. Though Drupal uses a secure hashing algorithm to prevent passwords from being hacked, it’s always a good idea to reset passwords to ensure you are not reinfected if hackers gained access to your credentials.

Clear Active Sessions

If a user account has been compromised, it’s important to log them out and force a password reset so they lose access to your site. The sessions table in your Drupal database keeps a record of every user login, and you can remove those records.

To clear active Drupal user sessions:

  • Log into your database admin panel.
  • Open the sessions table.
  • Select Empty to remove all logs from the table.
  • All users will now be logged out.


Reset API Keys

Your API keys in Drupal should be reset to ensure they have not been compromised by the attackers. Additionally, if your website connects to external services (such as marketing services, payment gateways, and shipping providers), it is a good idea to create new API keys for those services.

We recommend using the Key module along with Lockr to ensure keys are managed offsite.

Update Drupal Core and Extensions

Update all Drupal software including core files, themes, and modules.

To check and update Drupal extensions:

  • Make sure you have a recent backup of your site.
  • Log into your Drupal admin interface.
  • Click Reports on the menu item and check Available updates.
  • Note any available updates and check for any module-specific update instructions.

To update Drupal software we recommend using Drush:

  • Log into your server using an SSH terminal and run the command: drush up
  • Follow the interface to select core and modules to update.
  • Test your site to ensure the updated modules did not break any functionality.
  • If using version control, commit and push the new code.

Drupal 7: Updates

Drupal 8: Updates

Drupal 8.x is where all new developments in core are happening. Drupal 7.x continues to receive updates for known vulnerabilities. We recommend keeping an eye on the Drupal Security page for security alerts. Users on the 6.x branch or lower are no longer receiving security patches and are strongly encouraged to upgrade to 8.x by following the Drupal Upgrade Docs.

If SiteCheck identified other outdated software on your server (i.e., Apache, cPanel, PHP) in the first step of this guide, you should update those to ensure you have any available security patches.

If you cannot patch, consider activating a website application firewall to virtually patch your site.

If you are manually updating core files, follow the official upgrade docs for Drupal 8 and Drupal 7.

To manually update Drupal core files:

  • Make sure you have a recent backup of your site.
  • Click Configuration on the menu and, under Development, select Maintenance mode.
  • Delete everything except for the sites folder and custom files.
  • Upload the new Drupal files, taking care not to overwrite custom files.
  • Run the update.php file in your browser.
  • Switch the site out of Maintenance mode and test.

Caution

Be careful not to overwrite the settings.php file (in /sites/default), as this will break your site!

Clear Cache

Once you are sure everything has been cleaned and updated, as with any update to your site, you should clear the Drupal cache so the latest version of your site is visible to everyone. We recommend using Drush commands drush cache-rebuild (Drupal 8) or drush cache-clear all (Drupal 7).

To manually clear the Drupal cache:

  • Log into your Drupal website.
  • Click Configuration on the menu.
  • Under Development click Performance.
  • Click the Clear all caches button.


Reset User Credentials

You should reset all user passwords with unique, strong passwords to avoid reinfection.

To reset passwords for Drupal user accounts:

  • Log into your Drupal administrator area.
  • Click People on the menu.
  • Click the Edit button under the Operations column for each user.
  • Change the user’s password.
  • Repeat for each user on your site.


You should reduce the number of administrator and super-administrator accounts for Drupal security and all of your website systems. Practice the concept of least privilege: only give people the access they require to do the job they need.

Keep in mind that the first user created by Drupal during installation (User 1) is the most powerful user in the system. It has permissions above even administrators. Because of this it should not be regularly used. Instead, every administrator should have their own unique account so you can limit admin permissions.


All accounts should use strong passwords – complex, long, and unique. We recommend using a password manager and generator to simplify the process.

Drupal 7: Password Reset

Drupal 8: Reset

Set Drupal Backups

Backups function as a safety net. Now that your previously hacked Drupal site is clean and you’ve taken some important post-hack steps, make a backup! Having a good backup strategy is at the core of a good security posture.

For more information, review the Drupal Backup Docs. There are also some great free Drupal backup tools such as Node Squirrel.

Here are some tips to help you with Drupal site backups:

  • Location: Store Drupal backups in an off-site location. Never store backups (or old versions) on your server; they can be hacked and used to compromise your real site.
  • Automation: Ideally, your backup solution should run automatically at a frequency that suits the needs of your website.
  • Redundancy: Store your backups in multiple locations (cloud storage, your computer, external hard drives).
  • Testing: Try the restore process to confirm your website functions correctly.
  • File Types: Some backup solutions exclude certain file types such as videos and archives.


Scan Your Computer

Have all Drupal users run a scan with a reputable antivirus program on their operating systems.

Drupal security can be compromised if a user with an infected computer has access to the dashboard. Some Drupal hacks are designed to jump from a computer into text editors or FTP clients.

Here are some antivirus programs we recommend:

  • Paid: BitDefender, Kaspersky, Sophos, F-Secure.
  • Free: Malwarebytes, Avast, Microsoft Security Essentials, Avira.


You should have only one antivirus actively protecting your system to avoid conflicts. If your Drupal Dashboard user’s computers are not clean, your site can get reinfected easily.

Protect Your Drupal Site

You can harden your Drupal site by restricting file permissions and implementing custom .htaccess or nginx.conf rules. We recommend reviewing the Drupal Security Docs to learn how.

There are a number of modules and tools that can help you protect your Drupal site and prevent a future hack. Many are free and can make it easier to manage specific aspects of website security. A good website security plan includes protection, monitoring, and response.

Drupal protection resources:

  • Security Review: Test your site against a checklist of common security issues.
  • Paranoia: Prevents PHP code execution in certain areas and prevents risky permissions being granted.
  • Password Policy: Define user password policies and strength requirements.
  • TFA: Adds another layer to password security using two-factor authentication options.
  • HoneyPot: Protects your login and web forms from being submitted by malicious bots.
  • Automated Logout: Logs users out automatically after a configurable period of inactivity.
  • Login Security: Limit login attempts and allowlist access using allowed IP addresses.
  • Spam Span: Obfuscates email addresses to stop spammers from abusing them.
  • Encrypt: Enables encrypted communication allowing modules to keep data secured.
  • Real AES: An authenticated encryption method plugin for the Encrypt module.
  • Key: A module that allows other modules to encrypt, filter, and validate data.
  • Lockr: Secure, offsite storage and management of API and encryption keys.
  • Site Audit: Detect common problems with Drupal including security issues.
  • Permissions Lock: Fine-tune user roles and ability to grant permissions.
  • Secure Permissions: Enforces permission management via code instead of UI.
  • Mass Password Reset: Force password resets for users if they are lost or stolen.
  • Guardr: Distribution modules and settings for enterprise security.


Drupal is a complex and highly extensible CMS, and software vulnerabilities are difficult to predict. Trying to keep up with security patches is challenging for administrators. Website application firewalls provide a perimeter defense system surrounding your website and blocking malicious requests.

Benefits of using a website firewall:

Prevent a Future Hack

By detecting and stopping known hacking methods and behaviors, a website firewall keeps your site protected against infection in the first place, including the OWASP Top 10 vulnerabilities.

Virtual Security Update

Known vulnerabilities are constantly being exploited, and new zero-day attacks are always emerging. A good website firewall will virtually patch and harden holes in your website software even if you can’t apply security updates in time.

Block Brute Force Attack

A website firewall should stop anyone from accessing your Drupal admin interface if they aren’t supposed to be there, making sure they can’t use brute force automation to guess your user passwords.

Mitigate DDoS Attack

Distributed Denial of Service (DDoS) attacks attempt to overload your server or web application resources. By detecting and blocking all types of DDoS attacks, a website firewall ensures availability and uptime.

Performance Optimization

Most WAFs will offer CDN caching for faster global page speed. This keeps your visitors happy and is proven to lower bounce rates while improving website engagement, conversions, and search engine rankings.

If you would like help protecting your website, we are available to chat with you about the benefits of using a website application firewall.

After taking steps to secure your Drupal site against future hacks, be sure to keep a record along with your mitigation and identification steps.

Please share this guide if you found it useful and help promote website security education to other website owners. Let us know if you have suggestions to improve this guide in the future.
