Auditing a Drupal Core Install

May 2012

Auditing a Drupal Core Install

Tags: audit, diff, Drupal
comment icon4 comment(s) |
  • Determine current version of Drupal being used
  • Downloading a clean Drupal Core
  • Running an initial diff (show the difference) between the two
  • Run a detailed diff on individual files

Determine current version of Drupal being used

There are multiple ways to check what version of Drupal is being used.

Your best bet is to visit one of the admin status report pages as listed below:

Drupal 6/7: /admin/reports/status

Drupal 5 : /admin/logs/status

Finally, you can take a look at the CHANGELOG.txt file located in the main directory of the Drupal install. (This method is prone to error, so use only if you are having trouble finding it elsewhere).

Downloading a clean Drupal Core

Our next step is to download a clean copy of the Drupal core install that matches our version.

Thankfully, has set up a release page where you can download any version of Drupal all the way back to 4.7.0!

Simply select the branch you wish to download from, and then download the correct zip or tar.gz file from that branch!

If you're familiar with Drupal's Git process, you can also checkout a copy:

git clone mydir 
cd mydir 
git checkout -b local 6.20

If, for some unholy reason, you need a copy of a release prior to 4.7, versions 2-3 are avaiable at This is not an official release channel, so download at your own discretion.

Running an initial diff (show the difference) between the two

(Assume that there are two folders drupal is the clean core, and myfolder is the version we suspect has changes.)

You can use any diff tool you like, I personally prefer to use the command line for finding the initial differences between the two.

Here's what I use:

// this will dump a txt file that lists 
// the differences between the two folders
diff -qr drupal myfolder | sort > diffs.txt

// if you want to ignore a set of files, 
// you can pipe it through grep. In this case, 
// I'm ignoring the .DS_Store file that macs 
// tend to dump in every folder.
diff -qr drupal myfolder | grep -v -e 'DS_Store' | sort > diffs.txt

The preceding command will produce a diffs.txt file that will display any differences between the two. Below is an example of what this might look like.

Files drupal/.htaccess and mydir/.htaccess differ
Files drupal/includes/ and mydir/includes/ differ
Files drupal/index.php and mydir/index.php differ

Only in mydir/profiles: technology
Only in mydir: phpMyAdmin

From our diffs.txt file we have quickly learned that yes, there have been changes to the core install, and in addition to the changes, there is a phpMyAdmin installation in our current Drupal directory. At this point you should run a diff on each individual file that shows a difference.

Run a detailed diff on individual files

While you can continue to use the diff command, at this point I would recommend using a GUI diff tool. I like FileMerge, so that's what I'll be using.

Let's compare the files and see what we get:

Diff View

Here we can see that someone has placed a redirect instruction in a 404 function.

Now, as part of our audit, we need to figure out why this was done, and how we can extract this code (either by creating a module, or finding a module that can redirect 404 requests). In this instance, we had a fairly simple change, but sometimes you may come across multiple large changes to the core. You must be diligent in discovering what the intent of the changes are, and on how to replicate those changes in a Drupal approved fashion.

Happy hunting!

Subscribe to our Networks

Popular Tags by Javod

IW on Facebook


May 17, 2012


Hacked! module?

Have you tried the Hacked! module? Combined with drush, it's where I begin every site audit.

May 17, 2012


Not yet!

I haven't tried that module yet, I will take a look next time I do an audit. I wonder though if it shows additional diffs aside from Drupal; would it recognize that phpMyAdmin had been installed?

May 18, 2012

Drupal Theme Garden

Nice article,

Nice article, thanks.

you have typo in your text, in lines with commands creating diffs.txt (& gt; instead of >)

May 18, 2012



Good catch, it's now fixed.