Cracking Drupal cover It's nearly 6 months since the release of Cracking Drupal, which makes for a nice milestone to talk about the book and mention a few related developments. Cracking Drupal was written by me (Greg Knaddison - or "greggles") with reviews and assistance from various members of the community with the well-known Károly Négyesi (chx) as the main technical editor.

The book's target audience is broad: site admins who know a little coding, developers who are deep in module development and selection, and front end developers (aka themers) who modify their template.php and tpl.php files.

The story behind the book

The underlying motivation for this book was to better educate the Drupal community about security best practices. I started working with the Drupal Security team in 2007, shortly before Drupalcon Barcelona. Then, like now, the team is composed of some of the best and brightest of the community, which means they are often quite busy: the team is frequently overwhelmed with work. Based on discussion at Drupalcon Barcelona, I decided to work on educating the community about security to hopefully reduce the number of vulnerabilities in core and contributed modules/themes. I began by revising, adding, and updating the handbook pages (secure configuration and writing secure code) and presenting at Drupalcamps and Drupalcons on the topic. Shortly after I began that work Wiley approached me with the idea of writing a book on the topic. So, I got down to work writing it and 9 short months later the book is published.

About the book

The book is split into three broad pieces. The first two chapters give a review of common security vulnerabilities so that readers have a solid understanding of what the problems are. Part 2 runs from chapter 3 through 8 and covers how to protect your site - first by configuring it safely and possibly adding modules and then through secure coding practices. One benefit of reviewing how to code securely is that readers will also learn how to code properly: Drupal's API is meant to provide developers security by default.

Part 3 takes the conceptual basis from the first two parts and puts it to the test. Chapter 9 shows the reader how to take advantage of a vulnerability they might find, this helps solidify knowledge of weaknesses and drives home the point that it is really easy to exploit most of these weaknesses. Chapter 10 goes step by step through fixing vulnerabilities in a module to make it safe.

The book has received multiple 5 star reviews on Amazon and great reviews from Aaron Winborn, Chris Shattuck, and Caleb Gilbert.

About the companion site:

As useful as it is to have a book on a topic, you can't beat the speed of real time publishing on the internet. So, I built as a place to provide some of the downloadable resources for the book (like free copies of the first chapter), to discuss security issues related to Drupal, and to provide more current information about Drupal security as new changes come up. For example, chapter 3 has a list of modules that can increase the security of a site which needs a little updating. So, Ben Jeavons has created an updated list of contributed modules to better secure your site.

For the curious, you can read about how Evelyn designed and built the speaking tabs on

Upcoming Presentations about Security

Of course, writing the book doesn't mean that my work spreading the word about security is over.

Drupal Security Review Service

I've mentioned Ben Jeavons a few times - Ben is member of the Drupal security team and a new member of the Growing Venture Solutions team. He is also the leader of our Security review for Drupal sites service which we are in the process of launching. The market of Drupal service providers is getting increasingly focused: companies are providing services in a specific area which allows them to provide better work and easily combine the needs and funding from multiple vendors to create specific tools that benefit the community. One great example of this kind of specialization and community benefit are the Migrate and Table Wizard modules from Cyrve or the performance specific tools from Four Kitchens, Tag1 and Chapter three. We hope that by providing some specific security services we will be able to improve the infrastructure of the Security Team, improve the resources available to site owners, and work on hardening Drupal 7.

You want the book?

Ok, enough already - get the book from - (with Drupal Association affiliate link) .


aaron’s picture

I've said it before, and I'll say it again: Cracking Drupal is an essential for any serious Drupaler -- not only does the book offer an excellent overview of web security as it applies to Drupal, but it also opened my eyes to some easy mistakes to make, and how to avoid them. It's an important read for not only module maintainers (who I initially thought the natural audience), but also for people writing themes, and anyone with a Drupal web site who wants to make sure it's following best practices.

chrisshattuck’s picture

I received a copy of Cracking Drupal after having had my world slightly shaken by a brush with poor security. The book is to the point and really anchors the idea that integrating security with your code will make your life a whole lot easier (and less embarrassing). I have a new found affection for the Drupal security team, and see this book as a natural outcome of the excellent contributions they make to this community. Thank you!

Learn virtually any aspect of Drupal on BuildAModule, where I've recorded over 2200 video tutorials.

JohnForsythe’s picture

There's a copy of this in my local book store (which is rare, we don't often have Drupal books in stock), I took a quick browse through it the other day, it looks like a great book.

Dave Reid’s picture

I don't own this (hopefully to be corrected soon) but have had the chance to read it occasionally in the bookstore (yay Drupal books in stores!). Cracking Drupal contains tons of very useful and insightful information from a very knowledgeable person on security both general and Drupal-specific. It shows how Drupal has so many great built-in security measures, but for the most part it's up to the developers and site maintainers to make sure that they are implemented.

I'd highly recommend this as a resource for any Drupal contrib and core developers as well as anyone that is maintaining a Drupal sites for clients.

Senior Drupal Developer for Lullabot | | @davereid

amedjones’s picture

what version does the book address to?

Garrett Albright’s picture

Explicitly, it targets D6, but mentions that many of the topics apply to D7 and D5 as well. From what I've read so far, Greg will explicitly mention if some of the modules he mentions are only available for D5 or D6, or if a topic he mentions only applies to one version or the other. Of course, some things will have changed since the book went to print, so it's good to do your own research as well.

Really, though, many of the concepts he mentions are broad enough to apply to all web applications, including those other than Drupal. A handy book.

I ended up ordering a second copy after I thought I had lost my first, but then found my first copy after it was too late to cancel the order. Perhaps I'll give away the second copy in a contest or something.

Sree’s picture

I just got a copy of this book with me & as far as I gone through it it looks great & very useful.

-- Sree --
IRC Nick: sreeveturi

kr0l’s picture

This was one of the 4 books i bought when I first started to use drupal 5 moths ago!
It's absolutely a book I highly recommend to all people who wish to become serious drupal users / admins / developers..

The book is written in a funny, easy to follow language, you get the feel that the author really burns for the topic of security on the web.

Early on you are presented with hands on example of how and why you should always use the drupal API functions when developing modules,
how you should configure modules, and how to look for modules that are secure and won't cause a security hole on your website..

All these examples makes it easy to follow and I will keep this book as a reference on my table whenever I'm going to develope a module or configure a new website.

libeco’s picture

I found this book quite hard to read in one go. It is better to use as reference when doing one of the situations described in the book. It's filled with information and perhaps that's the reason I like it more as a reference to check, than as a book to read from page 1 to the end.

UnitedVision’s picture

this book is awesome. gives really good insight into drupal security.

aac’s picture

Congratulaions for writing a great book!!
Thanks for providing the list of contributed modules for securing the Drupal website.
Also Designing the site: - How to build a "speaking" navigation is a useful information for theme designers.


brqx’s picture

Sincerelly you are great Gregg !!

I wrote you some month ago when I was looking contemplate module.

Now I need security checklist to know how to protect goverment sites and you are again the best solution.

Thank you Drupal !!!

Thank you Free Software !!

Working for a best world !!

Working for a free world !!

Ricardo Cabello Torres.

greggles’s picture

Cracking Drupal is finally available in a Kindle format for just $14.

Get your copy now... ;)

-- :)