Drupal Steward

Drupal Steward

Drupal Steward is a web application firewall that bridges the gap between the time when a security release is announced and when your site is fully updated with the new security patch. This globally distributed service from the Drupal Security Team and the Drupal Association provides immediate, affordable protection for your website, while giving your IT team the flexibility to implement site updates without disrupting other priorities.

Do security releases keep you up at night?

Drupal security releases happen on Wednesdays. Both the good actors, site owners like you, and bad actors, people trying to hack your site, learn about a vulnerability at the same time. Rare highly critical vulnerabilities could potentially be exploited within four hours of the release. Because of this, your teams must stay on alert during any security release window for a highly critical vulnerability to update your site as soon as possible.

There is a better way.

Security shield

Drupal Steward for peace of mind

In the event of a highly critical vulnerability, the Drupal security team publishes a notification in advance to warn users.
When you're protected, you *do not* have to be on red alert or pay staff overtime to be on call. You can schedule testing and implementation of the security update on a timeline that works for you.

Please note: Not every vulnerability can be protected by the Drupal Steward program, but it is ideally suited to help protect you from those that are mass exploitable. Drupal Steward can only apply to vulnerabilities that involve exploiting a request to the web server, which may not apply to some security issues. Also, a zero-day vulnerability (one that is discovered and publicized without the security team's knowledge) is possible.

workflow icon

Easy to set up and maintain

Drupal Steward takes approximately 30 minutes to set up. Simply go to drupalsteward.org/register to subscribe and set up your service. Once you’ve signed up, protection is automatic.

Set up is simple:
1. create an account,
2. enter your domain and origin server address,
3. update your DNS(domain name servers) to point to Drupal Steward

If you use a CDN (content delivery network) service and would like to use it together with Drupal Steward, contact us for alternate setup instructions.

Security rules managed by Drupal experts

The Drupal Security Team behind Drupal Steward has deep expertise in how Drupal works and how to resolve open source and Drupal-specific security issues.

Some benefits of Drupal Steward include:

  • The endpoints are globally distributed, to keep your site fast wherever your customers are.
  • Your domain receives SSL certificates via LetsEncrypt at no-extra charge.
  • The OWASP mod_security ruleset is enforced for traffic to your domain.
  • And of course any mod_security rules for Drupal vulnerabilities will remain in place as long as you're part of the program.

Priced affordably for any size organization

Drupal Steward is a globally distributed application operated by the Drupal Association. Drupal Steward is available at different tiers to meet the needs of nonprofits and small organizations, as well as larger enterprises, and pricing scales based on the number of requests served. Sites with fewer than 1 million requests per month can expect to pay around $25 monthly. Use the calculator below to estimate pricing for your site. As a bonus, an SSL certificate for your domain is included, automatically generated, and renewed with LetsEncrypt.

Pricing Estimator

100,000 are included each month for each domain
$15.00 per domain, $0.100 per 10,000 requests over the included requests
$10.00 per domain, $0.075 per 10,000 requests over the included requests
Estimate $calculating… USD / month

Drupal Steward Partners

logos for Acquia and Pantheon

Drupal Steward Founding Partners

Are you a customer of Acquia or Pantheon?

Congratulations - you are already protected by the Drupal Steward program.

Do you work with a Drupal agency?

Ask if they can help you set up Drupal Steward.

Drupal Steward Supporting Partners

While these partners do not offer Drupal Steward at a platform scale for a large hosting environment, they are instead Drupal Steward Supporting Partners who have committed to securing Drupal Steward coverage for their clients via the Drupal Association Community Tier.

1xInternet       Salsa Digital