A fixed-scope security review of your Drupal site: advisories, permissions, modules, and server, with a report you can act on.
Base scope of work: applies to all tiers. See the tier comparison below for hours and SLA specifics.
Every finding with a severity rating and the exact fix. Plain enough to read, technical enough to act on.
Your core and contrib versions checked against every open SA-CORE and SA-CONTRIB advisory.
user/1, role grants, weak logins, and any permission that exposes more than it should.
settings.php, the files directory, database access, and anything reachable that should not be.
TLS, security headers, firewall rules, and the hosting setup around the site.
A 30-minute call so the report is not just a PDF you file away. We explain the risk order.
Transparent process: you always know what stage we're at and what comes next.
You give us a non-destructive admin or read account and SSH or hosting access. We confirm the site and scope.
We work through core, contrib, permissions, formats, files, and the server layer, by hand and with Security Review.
You get the written report with severities and fixes, then a call to walk through the priorities.
On the Audit + fix tier we patch the critical and high items on staging, re-test, and deploy.
Pick the level that fits your size and required response time. You can switch tiers between months.
A full security review with a written report you can hand to any developer.
The audit, plus we remediate the critical and high findings on staging and deploy.
Scope transparency: no surprises in the monthly report.
Access we require: passed via secure channel (1Password / Bitwarden).
It is a structured review of everything that affects your site’s security: core and contributed module versions against published advisories, user accounts and permissions, text formats, file permissions, configuration exposure, and the server layer. You get a written report that rates each finding and tells you how to fix it.
Our audit-only review is $600 and includes the report and a walk-through call. The $1,400 audit-plus-fix tier adds remediation of the critical and high findings on staging with a 90-day warranty. Larger or multisite installs are quoted after we see the scope.
The audit itself takes 2 to 3 working days, and you have the report within about a week of giving us access. The fix tier adds another 3 to 5 days depending on how many critical items turn up.
No. Drupal core has a strong security record and a dedicated security team that publishes advisories on a fixed schedule. Most real incidents come from outdated contributed modules and misconfiguration, not core, and that is exactly what an audit catches.
Yes, but Drupal 7 reached end of life and no longer gets official security support. We will audit it, and the honest recommendation will usually be to plan a migration to Drupal 10. See our Drupal migration service for that.
A non-destructive admin or auditor account, SSH or hosting access, and read access to the codebase. For the fix tier we also need a staging environment. We never need your users’ passwords.
No. The audit is read-only and runs against your production site without changing anything. Any fixes happen on staging first, get tested, then deploy during a window you agree to.
Most Drupal sites do not get hacked because Drupal core is weak. They get hacked because a contributed module went two years without a security update, or someone left user/1 on a guessable password, or the site skipped a SA-CORE advisory. A Drupal security audit finds those gaps before someone else does. We run the audit, write up what we find with a severity on each item, and hand you a fix plan, or fix it ourselves.
This is a fixed-scope audit, not an open-ended retainer. If you want ongoing patching after, see our Drupal support plans. For the background reading, our Drupal security best practices guide covers what we harden and why.
The generic checklists online stop at “keep modules updated.” Here is the list we work through on a real audit: core and contrib versions against active SA-CORE and SA-CONTRIB advisories; abandoned or unsupported modules still running in production; the admin account (user/1) and weak or shared logins; permission grants that hand anonymous or authenticated users more than they should have; text formats and input filters that allow raw HTML or PHP; file and directory permissions on settings.php and the files directory; the Update Status and Security Review module output; database and config exposure; and the host layer, TLS, headers, and firewall rules. You get one report with each finding rated critical, high, medium, or low, and a remediation step next to it.
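As an added illustration of the file-layer items in that list (settings.php and files directory permissions, and the upload directory's .htaccess), the following POSIX sh script is example code written for this page, not the audit provider's own tooling. It assumes the standard Drupal layout under a site root (sites/default/settings.php and sites/default/files); the two site layouts it builds under a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the provider's tooling): file-layer checks for a Drupal site root.
# Assumes the default layout: sites/default/settings.php and sites/default/files.

# Print one finding per line as "SEVERITY: message"; print nothing when clean.
check_file_layer() {
  root="$1"
  settings="$root/sites/default/settings.php"
  files="$root/sites/default/files"

  if [ ! -f "$settings" ]; then
    echo "CRITICAL: settings.php not found at $settings"
  else
    # Drupal's guidance after install is mode 444 on settings.php.
    # In the ls mode string, column 6 is group-write and column 9 is other-write.
    mode=$(ls -ld "$settings" | cut -c1-10)
    case "$mode" in
      ?????w*|????????w*)
        echo "HIGH: $settings is group- or world-writable ($mode); set it to 444"
        ;;
    esac
  fi

  if [ ! -d "$files" ]; then
    echo "MEDIUM: files directory not found at $files"
  else
    # Core ships a .htaccess in files/ that turns the PHP engine off there.
    if [ ! -f "$files/.htaccess" ]; then
      echo "HIGH: $files has no .htaccess; uploads are not protected from execution"
    fi
    # Any script file under an upload directory is a finding in its own right.
    find "$files" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) |
      while IFS= read -r f; do
        echo "HIGH: script file in uploads directory: $f"
      done
  fi
}

# Number of findings for a site root (whitespace stripped for portable wc output).
count_findings() {
  check_file_layer "$1" | wc -l | tr -d ' \t'
}

# Build a constructed site layout under "$1/$2"; $2 is "weak" or "hardened".
make_demo_site() {
  site="$1/$2"
  mkdir -p "$site/sites/default/files"
  printf '<?php\n$settings["hash_salt"] = "constructed-example";\n' > "$site/sites/default/settings.php"
  if [ "$2" = weak ]; then
    chmod 666 "$site/sites/default/settings.php"   # writable by everyone
    printf '<?php // constructed stray file\n' > "$site/sites/default/files/leftover.php"
  else
    chmod 444 "$site/sites/default/settings.php"
    printf 'php_flag engine off\n' > "$site/sites/default/files/.htaccess"
  fi
}

# Stand-alone demonstration on the two constructed layouts.
demo=$(mktemp -d)
make_demo_site "$demo" weak
make_demo_site "$demo" hardened
echo "weak site:";     check_file_layer "$demo/weak"
echo "hardened site:"; check_file_layer "$demo/hardened"
rm -rf "$demo"
```

Run it against a real site with `check_file_layer /var/www/yoursite` (path is an assumption). The weak layout produces three findings (writable settings.php, missing .htaccess, a script file under files/); the hardened layout produces none. It deliberately covers only the filesystem part of the list; advisory matching, permissions and the server layer need Drupal's own tooling and the hosting console.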
90-day warranty on remediation work. If a critical issue we fixed comes back from our change within 90 days, we fix it at no charge.