Security of Drupal 8.5 or below.

This post contains important, time sensitive information about the security of your website if you’re running Drupal version 7.57 or below or Drupal 8.5 or below.

If you’re an O’Brien Media client with a Drupal website you’ll probably be familiar with the periodic Drupal update emails we send out regarding how important it is to keep up to date with security patches and other updates for your site.

Very rarely a security issue so severe is discovered that software developers, such as Drupal, provide a warning that a security issue has been identified and a date that the update to fix it will be released – but don’t disclose the actual nature of the problem. This is to give Drupal site owners an opportunity to prepare and act as soon as the update is released while keeping information out of the hands of hackers.

On the evening of 21st March a notice was issued by Drupal developers that such an event has been scheduled for the 28th March. Between 6pm and 7:30pm (GMT) a security update will be released that will need to be applied to ALL Drupal based websites.

While the specifics of the issue the update fixes is as yet unknown, the last such event was for a fix that resolved an issue that allowed hackers unlimited access to any unpatched website. This resulted in tens of thousends of websites around the world being defaced by hackers and used to distribute malicious software (malware).

It is essential that Drupal websites are patched as soon as the update is released on the 28th March, as once the issue is known hackers will immediately begin exploiting the vulnerability using automated methods that can compromise hundreds of websites a minute.

Protecting against hackers when the nature of the vulnerability is unknown is an impossible task and until the Drupal security update has been installed on your website there is no way for us to be able to guarantee the security of your website.

Next steps…

If you would like us to install the update for you there will be a charge of £175 – plus the cost of installing any updates that have yet to be installed on your website. Please email [email protected] to confirm the specific cost for your website as for more complicated websites the cost may be higher. Due to the unusual nature of this update and the costs involved, we will be willing to offer split payment plans.

If you would like to install the update yourself, you can find details at and the specifics of the security issue will be released on the 28th March (between 6pm and 7:30pm) at O’Brien Media clients will need the SFTP login details for your website contained within your user guide to complete the update process.

If you do nothing, there is a high risk that after the release of the security update your site will become targeted by hackers. If your website is hosted by O’Brien Media and our systems detect unusual behaviour from your website it will be disabled and arrangements will need to be made to resolve any issues before your site can be reactivated.

If you have any questions please don’t hesitate to get in touch – you can call us on 01793 239239 or you can email [email protected] with any questions.