Weaknesses across the Stack

Drupal is just one piece in a large stack, and it's important to consider that stack when securing Drupal. Figure 2-1 gives you an idea of a typical Drupal installation and the way that it relies on other components.

Figure 2-1. A typical Drupal installation

In this example Drupal is installed on a typical Linux server that runs Apache and PHP and responds to requests coming in from the Internet. It connects to a separate MySQL database server running FreeBSD and also interacts with an internal server running Solaris that provides a REST API. The exact types of technology used are not as important as understanding that there are often many components involved in a Drupal installation.

This is an important point for two reasons. First, every service that your Drupal site talks to is also something that can be attacked if someone finds a weakness in the Drupal code. You learned about filtering when we discussed boundary validation in Chapter 1. However, if your site has sufficient weaknesses, then all of the servers in "More servers" in the diagram may also be attacked as long as they are not separated by a firewall. Second, if you protect Drupal but don't update your Apache and Linux installations, then you will end up with a vulnerable server, and it is likely to get compromised directly.
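Both reasons can be checked against a simple model of the stack. The following is an added example, not code from the book: it treats the hosts in Figure 2-1 as a graph of allowed network flows and computes what is reachable from the Drupal server with and without a firewall. Host names and patch flags are constructed assumptions.

```python
from collections import deque

# Constructed model of the stack in Figure 2-1. Host names and the
# "patched" flags are assumptions for illustration, not data from the book.
HOSTS = {
    "internet":   {"patched": True},
    "drupal-web": {"patched": False},  # Linux + Apache + PHP + Drupal
    "mysql-db":   {"patched": True},   # FreeBSD + MySQL
    "rest-api":   {"patched": True},   # Solaris REST service
    "more-1":     {"patched": True},   # "More servers" in the figure
    "more-2":     {"patched": True},
}

# Flows Drupal needs in order to work.
REQUIRED = {
    ("internet", "drupal-web"),
    ("drupal-web", "mysql-db"),
    ("drupal-web", "rest-api"),
}

INTERNAL = [h for h in HOSTS if h != "internet"]
# Flat network: no firewall between internal hosts, so each can reach the others.
FLAT = REQUIRED | {(a, b) for a in INTERNAL for b in INTERNAL if a != b}
# Segmented network: a firewall permits only the required flows.
SEGMENTED = set(REQUIRED)


def blast_radius(flows, start):
    """Hosts an intruder on `start` can reach, following allowed flows transitively."""
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for a, b in flows:
            if a == src and b not in seen:
                seen.add(b)
                queue.append(b)
    return sorted(seen - {start})


def directly_exposed_unpatched(flows):
    """Unpatched hosts that accept connections straight from the Internet."""
    return sorted(b for a, b in flows if a == "internet" and not HOSTS[b]["patched"])


if __name__ == "__main__":
    print("flat:     ", blast_radius(FLAT, "drupal-web"))
    print("segmented:", blast_radius(SEGMENTED, "drupal-web"))
    print("exposed:  ", directly_exposed_unpatched(SEGMENTED))
```

Even in the segmented case the database and REST API stay in the result, because Drupal must talk to them; the firewall only removes the "More servers" hosts from reach.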
