How to Tell if Your Drupal Site Was Compromised in Latest June Attack

If your Drupal site has been compromised in a recent attack, there are several telltale signs you can look for before security problems escalate into full site takeovers. The most obvious indicator is the appearance of unfamiliar admin accounts in your user database, or active sessions from IP addresses you don’t recognize, particularly ones using administrative functions. You should also check for unexpected file modifications, suspicious user behavior, and unauthorized content changes—these typically surface when attackers gain backend access and begin pivoting through your site’s infrastructure. While there is no single event officially called the “June Attack,” Drupal has faced a series of critical vulnerabilities in 2026, including five documented issues with an average severity score of 4.9 out of 10.

The most dangerous of these include SA-CORE-2026-001, a critical cross-site scripting (XSS) vulnerability in the IframeConsent element that allows attackers to inject arbitrary JavaScript directly into your site. If your Drupal installation remains unpatched, it’s vulnerable to exploitation through these vectors. The difference between a minor breach and a catastrophic compromise often comes down to early detection. A compromised site might continue functioning normally from a visitor’s perspective while attackers siphon data, inject malware into outbound links, or use your infrastructure to attack third parties. Early warning signs can save you weeks of cleanup and thousands in remediation costs.

What Are the Most Common Signs Your Drupal Site Was Compromised?

Your first line of defense is understanding what compromise actually looks like on a Drupal installation. Most attackers don’t immediately alter your homepage; instead, they establish persistence by creating hidden admin accounts, modifying core files, or injecting code into less-visible locations like modules or the settings.php file. Check your People administration page for any user accounts you don’t recognize, especially those with administrator privileges created within the last 30 days. Monitor your active sessions in the Session Management area of Drupal. If you see login sessions from geographic locations you’ve never accessed your site from—particularly countries where you don’t conduct business—this is a strong indicator of unauthorized access.

An attacker logging in from Eastern Europe while your business operates in North America suggests credential compromise. Similarly, session timestamps showing activity at unusual hours (3 AM server time when you never work then) warrant investigation. The Hacked! module, available for free from Drupal.org, is one of your most valuable tools for detection. This module compares your installed Drupal code against the official Drupal repository and flags any files that have been modified from their original state. If your site’s core files or module files show unexpected changes, an attacker has likely modified your codebase—a far more serious situation than a compromised user account.

How to Review File Modifications and Database Changes for Evidence of Attack

Attackers often leave traces in your file system when they gain server access. Using SFTP or your hosting provider’s file manager, check the modification timestamps on critical files: modules, themes, the settings.php configuration file, and any custom code directories. Files modified within the last 7 to 30 days outside your normal development window suggest unauthorized access. Pay special attention to .htaccess files, robots.txt, and the files directory—these are common places for attackers to hide backdoors or malicious scripts. A significant limitation of file-modification checking is that sophisticated attackers can manipulate timestamps using server-level commands, making it appear that files haven’t changed when they actually have.

This is why relying solely on modification dates is risky. Instead, use a combination of approaches: run the Hacked! module for cryptographic verification of core files, check your server logs for unusual access patterns, and review database entries for unexpected tables or records that might indicate hidden user accounts or malware data. Your Drupal database can also reveal compromise. Check the `users` table for accounts with administrator roles you didn’t create, and examine the `node_access` table for suspicious permission overrides. If you’re using the SAML SSO Service Provider module, be aware that SA-CONTRIB-2026-031 identified an authentication bypass vulnerability in this module due to insufficient access controls—an attacker could exploit this to gain unauthorized access without needing actual credentials.
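The forged-timestamp problem described above, shown as an added example (not from the article and not the Hacked! module): a baseline SHA-256 manifest of the docroot is compared against a fresh scan, so a file that was altered and then had its mtime reset is still caught. The docroot layout and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article and not the Hacked! module: check a Drupal
# docroot against a saved SHA-256 manifest rather than trusting mtimes, which an
# attacker with shell access can reset. Paths are illustrative assumptions.

# Hash every PHP, module, include and .htaccess file under the docroot.
# Take the baseline on a known-good checkout:  build_manifest /var/www/html > baseline.sha256
build_manifest() {
  ( cd "$1" && find . -type f \( -name '*.php' -o -name '*.module' -o -name '*.inc' \
      -o -name '.htaccess' \) -exec sha256sum {} + | sort -k2 )
}

# Print MODIFIED / NEW / MISSING lines for the docroot relative to the baseline;
# prints nothing when the tree is intact. (Paths containing spaces are not handled.)
verify_manifest() {
  build_manifest "$1" | awk 'NR == FNR { base[$2] = $1; next }
    !($2 in base)       { print "NEW " $2; next }
    { seen[$2] = 1; if (base[$2] != $1) print "MODIFIED " $2 }
    END { for (p in base) if (!(p in seen)) print "MISSING " p }' "$2" - | sort
}

# Self-check on a constructed docroot: alter one file and set an old mtime on it
# (what a timestamp-forging attacker does), then drop in a new file. Prints
# "<files flagged by mtime> <files flagged by hash>", expected "1 2".
demo() {
  root=$(mktemp -d); base=$(mktemp)
  mkdir -p "$root/core/modules/user" "$root/sites/default"
  printf '<?php // original\n' > "$root/core/modules/user/user.module"
  printf '<?php $settings = [];\n' > "$root/sites/default/settings.php"
  touch -t 200001010000 "$root/core/modules/user/user.module" "$root/sites/default/settings.php"
  build_manifest "$root" > "$base"

  printf '<?php // altered\n' > "$root/core/modules/user/user.module"
  touch -t 200001010000 "$root/core/modules/user/user.module"   # forge the mtime back
  printf '<?php // dropped in\n' > "$root/sites/default/dropin.php"

  by_mtime=$(find "$root" -type f -mtime -1 | wc -l | tr -d ' ')   # the naive check
  by_hash=$(verify_manifest "$root" "$base" | wc -l | tr -d ' ')    # the manifest check
  rm -rf "$root" "$base"
  echo "$by_mtime $by_hash"
}

demo
```

Keep the baseline file outside the docroot and outside the web server's reach; a manifest the attacker can rewrite proves nothing.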

Drupal Vulnerabilities and Severity Scores in 2026

SA-CORE-2026-001 (XSS): 9.8 severity score (out of 10)
SA-CORE-2026-002 (jQuery): 8.5 severity score (out of 10)
SA-CONTRIB-2026-031 (Auth Bypass): 9.2 severity score (out of 10)
CVE-2025-9551 (Brute Force): 6.4 severity score (out of 10)
Other: 3 severity score (out of 10)

Source: Drupal Security Advisories, stack.watch Drupal Vulnerabilities 2026

Recent Drupal Vulnerabilities That Enable Site Compromise

The vulnerabilities active in Drupal throughout 2026 provide clear pathways for attackers to gain initial access or expand their foothold. SA-CORE-2026-001 and SA-CORE-2026-002, both released in May 2026, are cross-site scripting vulnerabilities affecting core functionality. The IframeConsent element vulnerability (SA-CORE-2026-001) allows attackers to inject JavaScript that executes in admin dashboards, potentially capturing session tokens or stealing credentials. The jQuery integration vulnerability for AJAX modal dialog boxes (SA-CORE-2026-002) fails to properly sanitize user input, creating similar XSS pathways.

These XSS vulnerabilities are particularly dangerous because they don’t require brute-forcing passwords—they can be triggered by social engineering a site administrator into clicking a malicious link or by modifying public content on your site to serve the attack vector. For example, if an attacker comments on a blog post with a specially crafted URL containing an XSS payload, and an admin clicks that link, their session token could be compromised. Additionally, CVE-2025-9551 affects the Protected Pages module with a brute force vulnerability, allowing attackers to systematically guess weak passwords or access codes protecting sensitive content. The SAML SSO Service Provider module’s authentication bypass (SA-CONTRIB-2026-031) is particularly concerning if you’re using federated authentication—attackers could potentially bypass your organization’s login system entirely.

Step-by-Step Process to Scan Your Site for Compromises

Start with a complete security scan using the Sucuri SiteCheck scanner, a free tool that identifies malware, blacklist status, and known vulnerabilities. Visit SiteCheck’s website, enter your domain, select “Scan Drupal” from the options, and let it complete its analysis. This tool scans for known malicious signatures and checks whether your site appears on security blacklists. If your site has been flagged, you’ll see immediate notification of the threat type and severity. Next, run a comprehensive backup of your database and files before taking any corrective action. This backup serves as forensic evidence and a fallback if your remediation creates problems. Use your hosting provider’s backup tools or command-line utilities to create a snapshot.

Then, systematically patch all Drupal core and contributed modules to their latest versions. This addresses the known vulnerabilities (SA-CORE-2026-001, SA-CORE-2026-002, SA-CONTRIB-2026-031, and others) that attackers could exploit. The tradeoff here is between speed and thoroughness. Patching immediately removes known attack vectors but might introduce compatibility issues with custom code. A more cautious approach involves testing patches on a staging environment first, but this takes additional time while your live site remains vulnerable. For sites handling sensitive data or e-commerce transactions, staging-first testing is worth the delay. For smaller informational sites, immediate patching is often the better choice.

Investigating Your Server Logs for Unauthorized Activity

Your web server logs contain timestamps, IP addresses, and URLs for every request made to your site. Access these through your hosting control panel or SSH—they’re typically located in /var/log/apache2 or /var/log/nginx depending on your server configuration. Look for unusual patterns: multiple failed login attempts in quick succession (indicating brute force attempts), requests to admin paths from unfamiliar IP addresses, or POST requests to sensitive files like install.php or update.php after your initial site setup. A major limitation of log analysis is volume. A moderately trafficked Drupal site can generate hundreds of thousands of log entries monthly, making manual review impractical.

Instead, use grep commands or log analysis tools to filter for suspicious patterns: search for “admin” paths, track login failures, and identify the top IP addresses accessing your site. If you see a single IP making hundreds of requests within minutes, that’s likely an attack script. However, legitimate traffic spikes can look similar, so context matters. One critical warning: some attackers delete or truncate log files to cover their tracks after gaining server access. If your logs suddenly stop or have gaps in otherwise continuous timestamps, this is itself evidence of compromise. This is why maintaining offsite backups of logs—through a WAF (web application firewall) or log aggregation service—provides protection against log tampering.
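The three log patterns above (login brute force, admin paths from unfamiliar addresses, POSTs to the installer or updater scripts) as an added awk triage example, not from the article. The access-log lines are constructed sample data using RFC 5737 test addresses; the allowlist of known admin IPs is an assumption you would replace with your own.

```shell
#!/bin/sh
# Added example, not from the article: awk triage of an Apache combined-format
# access log for the patterns the text describes. The log lines below are
# constructed sample data (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [12/Jun/2026:03:02:11 +0000] "POST /user/login HTTP/1.1" 200 5123 "-" "python-requests/2.31"
203.0.113.7 - - [12/Jun/2026:03:02:12 +0000] "POST /user/login HTTP/1.1" 200 5123 "-" "python-requests/2.31"
203.0.113.7 - - [12/Jun/2026:03:02:12 +0000] "POST /user/login HTTP/1.1" 200 5123 "-" "python-requests/2.31"
203.0.113.7 - - [12/Jun/2026:03:02:13 +0000] "POST /user/login HTTP/1.1" 200 5123 "-" "python-requests/2.31"
203.0.113.7 - - [12/Jun/2026:03:02:15 +0000] "POST /user/login HTTP/1.1" 303 0 "-" "python-requests/2.31"
203.0.113.7 - - [12/Jun/2026:03:03:40 +0000] "GET /admin/people HTTP/1.1" 200 8801 "-" "python-requests/2.31"
198.51.100.22 - - [12/Jun/2026:09:15:02 +0000] "POST /user/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Jun/2026:09:15:30 +0000] "POST /user/login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Jun/2026:09:16:01 +0000] "GET /admin/content HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Jun/2026:11:47:19 +0000] "POST /update.php HTTP/1.1" 200 2210 "-" "curl/8.5.0"
192.0.2.44 - - [12/Jun/2026:11:50:03 +0000] "GET /node/12 HTTP/1.1" 200 7310 "-" "curl/8.5.0"
EOF

# Failed login attempts per IP. Drupal re-renders the login form with HTTP 200 on
# a bad password and answers a successful login with a 303 redirect, so 200s on
# POST /user/login are the failures. Prints "count ip", busiest first.
failed_logins_by_ip() {
  awk '$6 == "\"POST" && $7 ~ "^/user/login" && $9 == 200 { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Requests to /admin paths from addresses not on the allowlist of known admin IPs.
# Usage: admin_hits_from_unknown_ips LOG "ip1 ip2 ..."
admin_hits_from_unknown_ips() {
  awk -v allow="$2" 'BEGIN { split(allow, a, " "); for (i in a) ok[a[i]] = 1 }
       $7 ~ "^/admin" && !($1 in ok) { print $1, $7 }' "$1"
}

# POST requests to the installer/updater scripts after initial setup; prints "ip [time path".
sensitive_script_posts() {
  awk '$6 == "\"POST" && $7 ~ "^/(core/)?(install|update)[.]php" { print $1, $4, $7 }' "$1"
}

failed_logins_by_ip "$SAMPLE_LOG"
admin_hits_from_unknown_ips "$SAMPLE_LOG" "198.51.100.22"
sensitive_script_posts "$SAMPLE_LOG"
```

A burst of 200s followed by a 303 from the same address, as 203.0.113.7 shows in the sample, is the signature of a guess that eventually succeeded and deserves the first look.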

Using Drupal’s Built-In Tools to Verify Site Integrity

The Hacked! module deserves deeper exploration as a detection tool. After installation, navigate to Reports > Hacked! in your Drupal admin interface. The module will scan your codebase against the official Drupal repository’s cryptographic hashes. Any file that doesn’t match the official version will be flagged, whether it was intentionally modified by you or compromised by an attacker.

This catches modifications that timestamp checking would miss and is far more reliable than manual file inspection. However, the Hacked! module only checks against officially released versions. If you’ve legitimately customized files or applied patches, these will show as “hacked” even though they’re intentional modifications. You’ll need to understand the difference between expected modifications and actual compromise, which requires knowledge of what changes you’ve made to your Drupal installation. For this reason, maintaining detailed documentation of any custom code or patches you’ve applied is essential.

Preventing Future Compromises and Staying Current with Drupal Security

Moving forward, establish a regular patching schedule to address vulnerabilities before attackers can exploit them. Drupal’s security team releases updates on Wednesdays, with advance notice for critical issues. Subscribe to the Drupal Security mailing list to receive notifications immediately when vulnerabilities are announced.

The five vulnerabilities identified in 2026 with their 4.9/10 average severity score demonstrate that threats are ongoing—complacency is the primary vulnerability. Consider implementing additional layers of protection beyond patching: use a Web Application Firewall (WAF) to filter malicious requests before they reach Drupal, enable two-factor authentication for admin accounts, and implement regular automated backups with offsite storage. These measures won’t prevent all attacks, but they dramatically reduce the attack surface and provide recovery options if compromise occurs. The cost of these protections is minimal compared to the cost of recovering a fully compromised site.

Conclusion

Detecting whether your Drupal site was compromised requires a multi-layered approach combining automated scanning tools, manual log review, and built-in Drupal diagnostics. Start with the Sucuri SiteCheck scanner and the Hacked! module to get immediate visibility into known issues and file integrity. Then examine your user accounts for suspicious administrators, review active sessions for unfamiliar IP addresses, and analyze server logs for patterns indicating brute force or exploit attempts.

The critical next step is patching all vulnerabilities immediately and establishing a regular update schedule for the future. The vulnerabilities affecting Drupal in 2026—particularly the cross-site scripting issues in core and the authentication bypass in SAML SSO—demonstrate that threats are real and ongoing. Don’t wait for a breach notification; proactive detection and rapid response are what separate sites that recover quickly from sites that suffer months of fallout.
