On March 28 and April 25, 2018, Drupal released critical core updates affecting both Drupal 7 and Drupal 8.
This type of release and critical vulnerability are rare but not unprecedented in the world of Drupal. In fact, these recent, related vulnerabilities have been dubbed "Drupalgeddon 2". The original Drupalgeddon, in the fall of 2014, was equally bad, and Fuse IQ had the privilege to live through and resolve that exploit, including having to repair some client sites that were hacked.
While we mitigated serious damage during the original Drupalgeddon event, it was alarming and eye-opening for both us and our clients. It was no surprise that a software product would have vulnerabilities and security bugs, or that hackers would be happy to exploit them, but the rapid and automated nature by which they were exploited was surprising. But the tech world keeps changing and evolving. Hacking, automation, CPU power, internet connectivity and artificial intelligence all combine to make our computing lives more enjoyable and more dangerous at the same time.
This time around, for Drupalgeddon 2, we were more prepared, as was the Drupal community as a whole. Fuse IQ, for its part, prepped for the announced update (though the Drupal security team wisely did not announce the nature of the vulnerability until the fix was released) and we immediately updated 22 of our client sites in record time! The rapid and automated nature by which websites are exploited means there can be no hesitancy when updating sites against critical hacks and widely publicized vulnerabilities.
Pantheon, one of our preferred hosting partners, wrote in a recent newsletter article that it "has blocked over 2.8 million attempted exploits. Last week, (we) were blocking over half a million exploit attempts a day." Yikes! This illustrates, in real-world terms, the importance of a high-quality hosting provider, frequent and regular backups, and keeping sites and servers up to date with the latest security updates. The time, cost and hassle of updating end up being much less than the cost and chaos of a hacked site.
If you have a Drupal site, or a WordPress site for that matter, that you haven't been keeping up to date, and your site is not hosted on a managed server, your site is at risk! Don't wait until tomorrow to address the issue. Hackers won't!