7 – Drupal site hacked, links to any content added and weird Javascript

My Drupal site (version 7.66) has been hacked and I'm looking for advice on whether anyone can identify this hack to alert me to a potential vulnerability, as I have not found one yet.

The way it was hacked is that all the articles on my site got something added to the bottom of the content: some HTML code and (more importantly) some JavaScript code – I do not know what it does.

ADIDAS

or

nike

etc.

Does anyone know what this hack could be and which modules were compromised?

As far as I know, they probably got access to the database using one of the compromised modules and changed all the content by adding the above data.
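An added example, not part of the original question: one way to scope this kind of injection is to audit every stored article body for `<script>` elements and off-site links. It assumes the bodies have been exported as (nid, body) pairs, for instance from the default Drupal 7 body storage (`field_data_body.body_value`); `SITE_HOST`, the function names and the sample rows are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "example.org"  # assumption: the site's own hostname


class BodyAudit(HTMLParser):
    """Collects <script> elements and off-site links found in one body value."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            # Article bodies should not carry script at all, inline or remote.
            self.findings.append(("script", attrs.get("src") or "inline"))
        elif tag == "a":
            host = urlparse(attrs.get("href") or "").hostname
            own = host == self.site_host or (host or "").endswith("." + self.site_host)
            if host and not own:
                self.findings.append(("external-link", host))


def audit_body(html, site_host=SITE_HOST):
    """Return a list of (kind, detail) findings for one body value."""
    parser = BodyAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def audit_rows(rows, site_host=SITE_HOST):
    """rows: iterable of (nid, body_html). Returns {nid: findings} for flagged nodes."""
    report = {}
    for nid, body in rows:
        findings = audit_body(body, site_host)
        if findings:
            report[nid] = findings
    return report


# Constructed sample rows: node 2 mimics content appended to the end of an article.
SAMPLE_ROWS = [
    (1, '<p>Release notes, see <a href="/node/2">part two</a>.</p>'),
    (2, '<p>Intro.</p><div style="display:none"><a href="http://shop.invalid/x">ADIDAS</a></div>'
        '<script>var a = 1;</script>'),
    (3, '<p>Docs at <a href="https://www.example.org/docs">our site</a>.</p>'),
]

if __name__ == "__main__":
    for nid, findings in audit_rows(SAMPLE_ROWS).items():
        print(nid, findings)
```

A `script` finding in an article body is the strong signal; `external-link` findings include legitimate outbound links and need triage against the hosts the editors actually use.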

Drupal and Security Hardening – PHP chmod

I'm struggling with the following case where Drupal and PHP are hardened on a Red Hat Linux infrastructure.

A user has been created for the Drupal installation. All files and directories belong to this particular user. Due to the security hardening that we used, we restricted chmod from PHP and now Drupal is not working properly. In order to upload new content to the site via the administration window, chmod is used so that files should be uploaded to /sites/default/files with the right rights.

I also have problems updating Drupal CMS because .css files are not uploaded with the correct permissions: 600 instead of 644.

Could I somehow make sure that Drupal works properly if I restrict chmod?

Is chmod a requirement for Drupal to work?

I've added Apache users to the user group (the owner of Drupal files), but still cannot get it to work with limited chmod. If I remove the chmod restriction, Drupal will work properly.

Chmod is restricted by disable_functions from php.ini

Can you advise?

8 – Drush or Drupal console command to list modules with security updates?

Is there a command for Drupal 8.x that shows available updates?

I added forms_steps 1.1 with an SA and a security update that is required in the web UI to update to 1.2

Web UI that indicates that a security update is required

I tried drush pm:security. However, it reports that there are no outstanding security updates.

root@d568732a8640:/app# drush pm:security
 [success] There are no outstanding security updates for Drupal projects.

I may have overestimated the ability of this command, so I'm looking for alternatives to get both an update and a security update to the console. My goal is to include a scheduled job in our CI reporting on it.

Security – How do I secure Drupal 8?

I'm a young front-end developer who wants to switch from WordPress to Drupal and learn how this CMS works.

My main concern is always safety. Since I'm not an expert on WordPress, I usually use security plugins that help me secure the websites I'm developing for my clients with 5 clicks (if possible).

I've read a lot about Drupal and now I want to switch to this CMS and want to know if there are any plugins / modules that can backup Drupal 8.

For example, I would like to: Change the default login URL to something else. Block spam etc.

Is there anything around? 🙂

Many thanks

Drupal 8 How to stop the import of feeds

I've created a CSV feed to create new content. I uploaded the CSV file and started an import job. Unfortunately, the CSV file had some headers that did not quite match those defined in the feed. There does not seem to be any way to actually stop the job. When I try to update the file, Drupal reports that it is being used in an application (which is probably the incomplete feed import job). How can we stop the import job to repair, update and re-import the file?

Drupal 8 – Order Custom Line Items in $order->getTotal()

I use Ubercart for our e-commerce on the Drupal 8 website. Everything seems fine except the $order->getTotal() function. It does not track the amount from my custom line items (such as "Shipping & Handling") that I added to my order.
It just seems to cross the three standard line items (Subtotal, Total, General) provided by the uc_order module. Any guidance would be helpful. Thanks.

Theming – How do I add a script on the Drupal 8 site / app directly over the closing body tag?

How do I add a script on the Drupal 8 site / app just above the closing body tag?

The provider has provided some JS in the following form:


Asked me to place it directly above the closing body tag.

The script should only be run for anonymous traffic.

I did it that way:

THEME = name of your theme

  1. Away from the code
  2. Minimized with https://javascript-minifier.com/
  3. Created the file name-of-my-script.min.js
  4. Uploaded to THEME/js/custom/name-of-my-script.min.js
  5. Library added at the end of THEME.libraries.yml
name-of-my-library:
  version: 1.0
  js:
    # {preprocess: false} is responsible for code showing up above the closing body tag
    js/custom/name-of-my-script.min.js: {preprocess: false}
  6. The following code has been added to THEME.theme to an already existing function: function THEME_preprocess_page(&$variables) {}
// Attach the library only for anonymous visitors.
$user_status = \Drupal::currentUser()->isAnonymous();
if ($user_status) {
  $variables['#attached']['library'][] = 'THEME/name-of-my-library';
}
  7. Cache emptied.

Resources that helped: