Drupal Association blog: Drupal Steward now available to all

Drupal StewardAfter several years of hard work, the Drupal Association and the Drupal Security team are pleased to announce that Drupal Steward is now available to all.

What is Drupal Steward?

Drupal Steward is a web application firewall that bridges the gap between the time when a security release is announced and when your site is fully updated with the new security patch. This globally distributed service from the Drupal Security Team and the Drupal Association provides immediate, affordable protection for your website while giving your IT team the flexibility to implement site updates without disrupting other priorities.

How can Drupal Steward help me?

Drupal security releases happen on Wednesdays. Both the good actors, site owners like you, and bad actors, people trying to hack your site, learn about a vulnerability at the same time. Rare highly critical vulnerabilities could potentially be exploited within four hours of the release. Because of this, your teams must stay on alert during any security release window for a highly critical vulnerability to update your site as soon as possible. 

With Drupal Steward, you can update on your own time. 

In the event of a highly critical vulnerability, the Drupal security team publishes a notification(PSA) in advance to warn users. When you’re protected, you *do not* have to be on red alert or pay staff overtime to be on call. You can schedule testing and implementation of the security update on a timeline that works for you.

Please note: Not every vulnerability can be protected by the Drupal Steward program, but it is ideally suited to help protect you from those that are mass exploitable. Drupal Steward can only apply to vulnerabilities that involve exploiting a request to the webserver, which may not apply to some security issues. Also, a zero-day vulnerability (one that is discovered and publicized without the security team’s knowledge) is always possible.

How much does it cost, and how do I sign up?

We’ve worked very hard to supplement our pricing so that Drupal Steward is affordable to as many site owners as possible. Drupal Steward scales to the number of requests you receive, so check out the calculator on to estimate your pricing.

Signing up for the service is as simple as creating an account on, adding your domain names to be covered, and updating your DNS settings to route requests through the Drupal Steward service. 

Learn more      Sign up

Why isn’t Drupal Steward free? How does Drupal Steward support the security team and the community?

Code is and always will be free in the Drupal project, but a service by its nature is not.

Drupal Steward requires a globally distributed infrastructure to ensure that the security layer doesn’t increase latency and degrade the experience of users anywhere in the world. 

Funding from Drupal Steward directly supports the Drupal Association and our mission to help the community build Drupal. Furthermore, a portion of the funds are set aside specifically for proposals made by the Drupal Security Working Group on behalf of the Drupal Security team. 

Thank you to our Partners

We want to thank our founding partners, Acquia and Pantheon who have implemented Drupal Steward protection across their entire platforms so that any of their clients are already covered by this program. Their early support made it possible to bootstrap this community tier for all.

We also want to thank our Supporting Partners, who are able to offer Drupal Steward to their clients at the preferred pricing level through the Drupal Association community tier.

Go to Source